[Pkg-freeipa-devel] Bug#1065688: python-jwcrypto: CVE-2024-28102
Salvatore Bonaccorso
carnil at debian.org
Tue Apr 30 21:46:25 BST 2024
Hi Steve,
On Tue, Apr 30, 2024 at 05:19:22PM +0100, Steve McIntyre wrote:
> Hi!
>
> On Fri, Mar 08, 2024 at 10:42:40PM +0100, Salvatore Bonaccorso wrote:
> >Source: python-jwcrypto
> >Version: 1.5.4-1
> >Severity: important
> >Tags: security upstream
> >X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> >
> >Hi,
> >
> >The following vulnerability was published for python-jwcrypto.
> >
> >CVE-2024-28102[0]:
> >| JWCrypto implements JWK, JWS, and JWE specifications using python-
> >| cryptography. Prior to version 1.5.6, an attacker can cause a denial
> >| of service attack by passing in a malicious JWE Token with a high
> >| compression ratio. When the server processes this token, it will
> >| consume a lot of memory and processing time. Version 1.5.6 fixes
> >| this vulnerability by limiting the maximum token length.
>
> We wanted this fixed in Pexip, so I've taken a look at this bug.
>
> The upstream bugfix just needs a small rework so it applies cleanly to
> the version in bookworm. Here's a debdiff for that that in case it's
> useful.
The issue does not warrant a DSA, but would be great if fixed in
bookworm if you have done already the work, via a upcoming point
release.
Can you propose the update in stable (unless the maintainers want to
do it on their own)?
Regards,
Salvatore
More information about the Pkg-freeipa-devel
mailing list