[Debian-iot-maintainers] Bug#1063534: libjwt: CVE-2024-25189

Moritz Mühlenhoff jmm at inutil.org
Fri Feb 9 14:02:11 GMT 2024


Source: libjwt
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libjwt.

CVE-2024-25189[0]:
| libjwt 1.15.3 uses strcmp (which is not constant time) to verify
| authentication, which makes it easier to bypass authentication via a
| timing side channel.

The report is
https://github.com/P3ngu1nW/CVE_Request/blob/main/benmcollins%3Alibjwt.md
but it doesn't seem to have been reported upstream yet.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25189
    https://www.cve.org/CVERecord?id=CVE-2024-25189

Please adjust the affected versions in the BTS as needed.



More information about the Debian-iot-maintainers mailing list