[Pkg-freeipa-devel] Bug#1065688: Bug#1065688: python-jwcrypto: CVE-2024-28102

Timo Aaltonen tjaalton at debian.org
Thu May 2 07:07:08 BST 2024


Steve McIntyre wrote on 30.4.2024 at 19.19:
> Hi!
> 
> On Fri, Mar 08, 2024 at 10:42:40PM +0100, Salvatore Bonaccorso wrote:
>> Source: python-jwcrypto
>> Version: 1.5.4-1
>> Severity: important
>> Tags: security upstream
>> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>>
>> Hi,
>>
>> The following vulnerability was published for python-jwcrypto.
>>
>> CVE-2024-28102[0]:
>> | JWCrypto implements JWK, JWS, and JWE specifications using python-
>> | cryptography. Prior to version 1.5.6, an attacker can cause a denial
>> | of service attack by passing in a malicious JWE Token with a high
>> | compression ratio. When the server processes this token, it will
>> | consume a lot of memory and processing time. Version 1.5.6 fixes
>> | this vulnerability by limiting the maximum token length.
> 
> We wanted this fixed in Pexip, so I've taken a look at this bug.
> 
> The upstream bugfix just needs a small rework so it applies cleanly to
> the version in bookworm. Here's a debdiff for that in case it's
> useful.

I've pushed 1.5.6 to sid now, feel free to upload the proposed version 
for bookworm, thanks.

-- 
t
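The quoted advisory says the 1.5.6 fix limits the maximum token length so a small, highly compressible JWE cannot inflate into a large plaintext. As an added illustration, and not the upstream patch or jwcrypto's own code, here are the two defensive layers a token consumer can apply: refuse oversized serialized tokens before parsing, and cap the output of DEFLATE (the `"zip": "DEF"` algorithm JWE uses) so inflation stops as soon as a limit is exceeded. The limits, the function names and the `deflate` helper used to construct sample input are all assumptions made for this example.

```python
import zlib

# Constructed limits for this example (assumptions, not jwcrypto's constants).
MAX_TOKEN_LENGTH = 256 * 1024          # bytes of serialized token accepted
MAX_DECOMPRESSED_LENGTH = 1024 * 1024  # bytes of inflated plaintext accepted


class TokenTooLarge(ValueError):
    """Raised when either the token or its inflated content exceeds a limit."""


def check_token_length(raw_token, limit=MAX_TOKEN_LENGTH):
    """First layer: reject an oversized serialized token before any parsing.

    Mirrors the idea of the 1.5.6 fix (limit token length); the value of the
    limit here is an assumption. Returns the token as bytes when acceptable.
    """
    if isinstance(raw_token, str):
        raw_token = raw_token.encode("utf-8")
    if len(raw_token) > limit:
        raise TokenTooLarge("serialized token is %d bytes, limit is %d"
                            % (len(raw_token), limit))
    return raw_token


def bounded_inflate(data, limit=MAX_DECOMPRESSED_LENGTH):
    """Second layer: inflate raw DEFLATE data, aborting once output exceeds limit.

    A length check on the token alone is not enough on its own, because a
    tiny compressed input can expand far beyond it; decompressing with a
    max_length bound means memory use stays near the limit even for inputs
    with an extreme compression ratio.
    """
    d = zlib.decompressobj(wbits=-15)  # raw DEFLATE, as JWE "zip": "DEF"
    out = bytearray()
    pending = data
    while True:
        # Ask for at most (limit + 1) bytes in total; this is never 0,
        # since max_length=0 would mean "no limit" to zlib.
        room = limit + 1 - len(out)
        out += d.decompress(pending, room)
        if len(out) > limit:
            raise TokenTooLarge("inflated content exceeds %d bytes" % limit)
        pending = d.unconsumed_tail
        if not pending:
            break
    out += d.flush()  # drain any output still buffered inside zlib
    if len(out) > limit:
        raise TokenTooLarge("inflated content exceeds %d bytes" % limit)
    return bytes(out)


def deflate(payload):
    """Helper to build sample input for this example: raw DEFLATE at level 9."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(payload) + c.flush()


if __name__ == "__main__":
    # Constructed samples: a normal payload and a highly compressible one.
    print(bounded_inflate(deflate(b"hello jwe"), limit=1024))
    sample = deflate(b"\0" * (1024 * 1024))
    print("sample is %d bytes compressed" % len(sample))
    try:
        bounded_inflate(sample, limit=64 * 1024)
    except TokenTooLarge as e:
        print("rejected:", e)
```

`check_token_length` runs before deserialization, `bounded_inflate` replaces an unbounded `zlib.decompress` call wherever compressed JWE content is expanded; the important detail is that the `max_length` argument to `decompressobj.decompress` must never be passed as 0.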