Headline
Debian Security Advisory 5472-1
Debian Linux Security Advisory 5472-1 - It was discovered that an incorrect implementation of AES GCM decryption in cjose, a C library implementing the JOSE standard may allow an attacker to provide a truncated Authentication Tag and modify the JWE object.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Debian Security Advisory DSA-5472-1 [email protected]
https://www.debian.org/security/ Moritz Muehlenhoff
August 08, 2023 https://www.debian.org/security/faq
Package : cjose
CVE ID : CVE-2023-37464
Debian Bug : 1041423
It was discovered that an incorrect implementation of AES GCM decryption
in cjose, a C library implementing the JOSE standard may allow an attacker
to provide a truncated Authentication Tag and modify the JWE object.
For the oldstable distribution (bullseye), this problem has been fixed
in version 0.6.1+dfsg1-1+deb11u1.
For the stable distribution (bookworm), this problem has been fixed in
version 0.6.2.1-1+deb12u1.
We recommend that you upgrade your cjose packages.
For the detailed security status of cjose please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cjose
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: [email protected]
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTSlQcACgkQEMKTtsN8
TjZCgw//ajZImjIQAbYdWOQPQCn4rrHu3FOcoyuHUluEZhiziZxEcsO+kSCDJBqa
e6LDuKC5B3uvA4UQcfXPbi2QqdQGbMBE8chmHqqOL6ia86VJhUBU7USu+PVpVn1k
Qf8SWtHGC/7OijpbJA0KQT99GKLrQI3z1maKjxT9t9OiYd7v1leuXIHd0G/fBeR+
aSimNdY5vTfdXJMreUopCxiyyiKIXjBzC1rct3/yxCqfPpw0WUmsXq4CcY0F6v0U
zpFOiHPHDwUwPfshPs6mNZRlDqnANLYunKn9Cs9c2ZYwCgNqs6CU8NYEXAuqLOCl
xCxMF1wq96nKl1RVHFP3xdp3LP0CL8Gnvm6sQ9lnzThrEnm+1bNo3Zfq4CpykSo2
FAwV56miW2G8cyBXPLAQRW9237AZw7mGovxckEgF6gmV/Q2Hn4DXBDC231cCsjhY
JFWB45zAKIqP3Y+ZntugJF8Tjipb3LxuJcxCu2GCaAL35tp/+T+8k6QFmcSGDz0J
QpWZArFmnejyjddctAUkWJQD1CPZbp+EUxZZbgG0QeSdiLQqqNPXXxtCVpWbnzyX
+0JkKD0f/3+bRv0vokbWgtN5EAvJR+2au29Jb/xVwE4dgXdS/yVqLndaBkbHxsJ2
tPoleid7Qij4yFvXDjrTcjH7LN61UF1Q5prZNBKnFA3uUtNPbJ4=
=3VDm
-----END PGP SIGNATURE-----
Related news
Ubuntu Security Notice 6307-1 - It was discovered that JOSE for C/C++ AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. An attacker could use this to cause a denial of service or might expose sensitive information.
Red Hat Security Advisory 2023-4429-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of ...
Red Hat Security Advisory 2023-4411-01 - CJose is C library implementing the Javascript Object Signing and Encryption.
Red Hat Security Advisory 2023-4410-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Red Hat Security Advisory 2023-4409-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Red Hat Security Advisory 2023-4408-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of 16 octets must be applied. This flaw...
An update for cjose is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of 16 octets must be applied. This flaw allows an attacker to pro...
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryptio...
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of 16 octets ...