[Pkg-freeipa-devel] Bug#1065688: Bug#1065688: python-jwcrypto: CVE-2024-28102
Steve McIntyre
steve at einval.com
Fri May 3 11:56:34 BST 2024
Hi Timo,
On Thu, May 02, 2024 at 09:07:08AM +0300, Timo Aaltonen wrote:
>Steve McIntyre wrote on 30.4.2024 at 19.19:
>> Hi!
>>
>> On Fri, Mar 08, 2024 at 10:42:40PM +0100, Salvatore Bonaccorso wrote:
>> > Source: python-jwcrypto
>> > Version: 1.5.4-1
>> > Severity: important
>> > Tags: security upstream
>> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>> >
>> > Hi,
>> >
>> > The following vulnerability was published for python-jwcrypto.
>> >
>> > CVE-2024-28102[0]:
>> > | JWCrypto implements JWK, JWS, and JWE specifications using python-
>> > | cryptography. Prior to version 1.5.6, an attacker can cause a denial
>> > | of service attack by passing in a malicious JWE Token with a high
>> > | compression ratio. When the server processes this token, it will
>> > | consume a lot of memory and processing time. Version 1.5.6 fixes
>> > | this vulnerability by limiting the maximum token length.
>>
>> We wanted this fixed in Pexip, so I've taken a look at this bug.
>>
>> The upstream bugfix just needs a small rework so it applies cleanly to
>> the version in bookworm. Here's a debdiff for that in case it's
>> useful.
>
>I've pushed 1.5.6 to sid now, feel free to upload the proposed version for
>bookworm, thanks.
I've asked the release team to approve, ready to upload when they say
so. I've also pushed a bookworm branch and a tag for this release to
https://salsa.debian.org/93sam/python-jwcrypto/-/tree/bookworm
if you'd like to merge those.
--
Steve McIntyre, Cambridge, UK. steve at einval.com
Getting a SCSI chain working is perfectly simple if you remember that there
must be exactly three terminations: one on one end of the cable, one on the
far end, and the goat, terminated over the SCSI chain with a silver-handled
knife whilst burning *black* candles. --- Anthony DeBoer
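Added here as an illustration of the defence the CVE text describes, not code from jwcrypto or from this thread: a bounded inflate for a JWE "zip":"DEF" payload that rejects a token over a compressed-size limit and, going one step beyond the upstream token-length limit, also stops once a decompressed-size ceiling is hit. The limit values, the function names and the TokenTooLarge class are this example's own assumptions.

```python
import zlib

# Constructed limits for this example; jwcrypto's own values may differ.
MAX_COMPRESSED_BYTES = 256 * 1024      # reject the token before inflating at all
MAX_DECOMPRESSED_BYTES = 1024 * 1024   # stop inflating once this much has come out


class TokenTooLarge(ValueError):
    """Raised when a compressed JWE payload exceeds either limit (assumed name)."""


def deflate_raw(plaintext: bytes) -> bytes:
    """Raw DEFLATE, no zlib header, as JWE "zip":"DEF" uses (RFC 7516 section 4.1.3)."""
    comp = zlib.compressobj(wbits=-15)
    return comp.compress(plaintext) + comp.flush()


def inflate_bounded(payload: bytes,
                    max_in: int = MAX_COMPRESSED_BYTES,
                    max_out: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Inflate a raw-DEFLATE JWE payload without letting a high ratio exhaust memory.

    The first check bounds what zlib has to read; the second bounds what it may
    write, since DEFLATE can expand roughly 1000:1 and a small token can still
    inflate to far more than a server wants to hold.
    """
    if len(payload) > max_in:
        raise TokenTooLarge(f"compressed payload is {len(payload)} bytes, limit {max_in}")
    dec = zlib.decompressobj(wbits=-15)
    # max_length caps the output buffer; zlib stops early instead of growing it
    out = dec.decompress(payload, max_out)
    if not dec.eof:
        # the stream did not finish: either the cap was hit or the input is incomplete
        if len(out) >= max_out:
            raise TokenTooLarge(f"decompressed payload exceeds {max_out} bytes")
        raise ValueError("DEFLATE stream is truncated or corrupt")
    return out


def unwrap_plaintext(protected_header: dict, decrypted: bytes) -> bytes:
    """Apply the "zip" header member after decryption (RFC 7516 section 5.2)."""
    zip_alg = protected_header.get("zip")
    if zip_alg is None:
        return decrypted
    if zip_alg != "DEF":
        raise ValueError(f"unsupported zip algorithm {zip_alg!r}")
    return inflate_bounded(decrypted)
```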