Headline
RHSA-2023:4418: Red Hat Security Advisory: mod_auth_openidc:2.3 security update
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of 16 octets must be applied. This flaw allows an attacker to provide a truncated Authentication Tag and modify the JWE.
Synopsis
Important: mod_auth_openidc:2.3 security update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Security Fix(es):
- cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE (CVE-2023-37464)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8 ppc64le
- Red Hat Enterprise Linux Server - TUS 8.8 x86_64
- Red Hat Enterprise Linux for ARM 64 8 aarch64
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8 aarch64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64
Fixes
- BZ - 2223295 - CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE
Red Hat Enterprise Linux for x86_64 8
SRPM
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.src.rpm
SHA-256: e03d3483d093fa7364d03349e8a9291f7b64558aff69a0d24c80e04922d73773
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.src.rpm
SHA-256: 86697ab801b2cea5799a56844a76ad580539352f540c8354c773cf576a432ed6
x86_64
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm
SHA-256: f81743167ef86b7ea1d20358aded045ac9af401881d232db6c59583d5157eb90
cjose-debuginfo-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm
SHA-256: a28024683a4a75d3f381db624de6c0c78f37dfba67d46ca08dced3bc8c907eec
cjose-debugsource-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm
SHA-256: 73c7cc45e7ea7c4e071920591bf8db8ac25f4b50d36912556e01f5d5dde9c31d
cjose-devel-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm
SHA-256: 51950f39c2cfd1a76aa40e37d9e47ab6dd9a93a74878156f2c72d4d190cd58d3
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.x86_64.rpm
SHA-256: 732f306cf0a702e8f7b0145d781408b36f65686cbeb7021ec6aeed8e86606725
mod_auth_openidc-debuginfo-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.x86_64.rpm
SHA-256: 97cbf2a7acb46ec0360dae9bede93944d861c97cb3d783b91d389bc42482f4a2
mod_auth_openidc-debugsource-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.x86_64.rpm
SHA-256: 7fb340be6f167c6b4002aa90b776958783e6a524302b0049dcba1cc27fd88539
Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8
SRPM
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.src.rpm
SHA-256: e03d3483d093fa7364d03349e8a9291f7b64558aff69a0d24c80e04922d73773
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.src.rpm
SHA-256: 86697ab801b2cea5799a56844a76ad580539352f540c8354c773cf576a432ed6
x86_64
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm
SHA-256: f81743167ef86b7ea1d20358aded045ac9af401881d232db6c59583d5157eb90
cjose-debuginfo-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm
SHA-256: a28024683a4a75d3f381db624de6c0c78f37dfba67d46ca08dced3bc8c907eec
cjose-debugsource-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm
SHA-256: 73c7cc45e7ea7c4e071920591bf8db8ac25f4b50d36912556e01f5d5dde9c31d
cjose-devel-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm
SHA-256: 51950f39c2cfd1a76aa40e37d9e47ab6dd9a93a74878156f2c72d4d190cd58d3
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.x86_64.rpm
SHA-256: 732f306cf0a702e8f7b0145d781408b36f65686cbeb7021ec6aeed8e86606725
mod_auth_openidc-debuginfo-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.x86_64.rpm
SHA-256: 97cbf2a7acb46ec0360dae9bede93944d861c97cb3d783b91d389bc42482f4a2
mod_auth_openidc-debugsource-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.x86_64.rpm
SHA-256: 7fb340be6f167c6b4002aa90b776958783e6a524302b0049dcba1cc27fd88539
Red Hat Enterprise Linux for IBM z Systems 8
SRPM
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.src.rpm
SHA-256: e03d3483d093fa7364d03349e8a9291f7b64558aff69a0d24c80e04922d73773
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.src.rpm
SHA-256: 86697ab801b2cea5799a56844a76ad580539352f540c8354c773cf576a432ed6
s390x
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.s390x.rpm
SHA-256: cfe001ed1d62d0120c94aaea9de6d10821f672d64571c9feb906b672cb1b3a07
cjose-debuginfo-0.6.1-3.module+el8.8.0+19464+578f4546.s390x.rpm
SHA-256: 7c570c52b89f4bbc764c9e846bc2bc95dbab511c914e99d47be1737971a3ff13
cjose-debugsource-0.6.1-3.module+el8.8.0+19464+578f4546.s390x.rpm
SHA-256: 28805715d8c1258f3886c3fc689a0d68dd2c52af4559a5f7885726b0e210ced1
cjose-devel-0.6.1-3.module+el8.8.0+19464+578f4546.s390x.rpm
SHA-256: 7d1f800ce04f6da24826f7564b12be2073532c84cfe7218ca6c8ffbd6a54272b
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.s390x.rpm
SHA-256: eb80a20004401532a61c774874e465fde5de02b535d60bf4323daf0b536e8317
mod_auth_openidc-debuginfo-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.s390x.rpm
SHA-256: 708a2fc0f10c91c45be1832529f5629c02257d6f818d6eaae5339cbc57be73da
mod_auth_openidc-debugsource-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.s390x.rpm
SHA-256: b349b7399e7bdd6c0be13fe873f4b32626347b8a2adc6615ee231b8506838908
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8
SRPM
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.src.rpm
SHA-256: e03d3483d093fa7364d03349e8a9291f7b64558aff69a0d24c80e04922d73773
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.src.rpm
SHA-256: 86697ab801b2cea5799a56844a76ad580539352f540c8354c773cf576a432ed6
s390x
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.s390x.rpm
SHA-256: cfe001ed1d62d0120c94aaea9de6d10821f672d64571c9feb906b672cb1b3a07
cjose-debuginfo-0.6.1-3.module+el8.8.0+19464+578f4546.s390x.rpm
SHA-256: 7c570c52b89f4bbc764c9e846bc2bc95dbab511c914e99d47be1737971a3ff13
cjose-debugsource-0.6.1-3.module+el8.8.0+19464+578f4546.s390x.rpm
SHA-256: 28805715d8c1258f3886c3fc689a0d68dd2c52af4559a5f7885726b0e210ced1
cjose-devel-0.6.1-3.module+el8.8.0+19464+578f4546.s390x.rpm
SHA-256: 7d1f800ce04f6da24826f7564b12be2073532c84cfe7218ca6c8ffbd6a54272b
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.s390x.rpm
SHA-256: eb80a20004401532a61c774874e465fde5de02b535d60bf4323daf0b536e8317
mod_auth_openidc-debuginfo-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.s390x.rpm
SHA-256: 708a2fc0f10c91c45be1832529f5629c02257d6f818d6eaae5339cbc57be73da
mod_auth_openidc-debugsource-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.s390x.rpm
SHA-256: b349b7399e7bdd6c0be13fe873f4b32626347b8a2adc6615ee231b8506838908
Red Hat Enterprise Linux for Power, little endian 8
SRPM
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.src.rpm
SHA-256: e03d3483d093fa7364d03349e8a9291f7b64558aff69a0d24c80e04922d73773
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.src.rpm
SHA-256: 86697ab801b2cea5799a56844a76ad580539352f540c8354c773cf576a432ed6
ppc64le
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.ppc64le.rpm
SHA-256: 73ea8c4baa072f756ccecb2d0eec7a94941c29d5381dca60381520ab74ff18cc
cjose-debuginfo-0.6.1-3.module+el8.8.0+19464+578f4546.ppc64le.rpm
SHA-256: 740426b80bb62152230cf8555f99226c12fc59219ecfe9aff4fdaa4ee9052edb
cjose-debugsource-0.6.1-3.module+el8.8.0+19464+578f4546.ppc64le.rpm
SHA-256: 069848f863d51bde2716dcb4af5f349233184ff5178f14252c73309b67b27f5d
cjose-devel-0.6.1-3.module+el8.8.0+19464+578f4546.ppc64le.rpm
SHA-256: 6502c4c77addc64690d949843e4bbf0f18bfd0963096d4acc13a41817200e169
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.ppc64le.rpm
SHA-256: c120b8f84fc0d6c9e675dc0169b00a4d735457a8fc6e9bdca6942210bbebb5c0
mod_auth_openidc-debuginfo-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.ppc64le.rpm
SHA-256: 4fd6fc503dc553a8538c1a1316114d1c01ae54d0b43960f51d9012480eea714b
mod_auth_openidc-debugsource-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.ppc64le.rpm
SHA-256: 7c5e9a95b0dd3edbe36fed91ca0bf553dbec5dbf8350de5b44b5d774c0bf95ff
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8
SRPM
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.src.rpm
SHA-256: e03d3483d093fa7364d03349e8a9291f7b64558aff69a0d24c80e04922d73773
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.src.rpm
SHA-256: 86697ab801b2cea5799a56844a76ad580539352f540c8354c773cf576a432ed6
ppc64le
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.ppc64le.rpm
SHA-256: 73ea8c4baa072f756ccecb2d0eec7a94941c29d5381dca60381520ab74ff18cc
cjose-debuginfo-0.6.1-3.module+el8.8.0+19464+578f4546.ppc64le.rpm
SHA-256: 740426b80bb62152230cf8555f99226c12fc59219ecfe9aff4fdaa4ee9052edb
cjose-debugsource-0.6.1-3.module+el8.8.0+19464+578f4546.ppc64le.rpm
SHA-256: 069848f863d51bde2716dcb4af5f349233184ff5178f14252c73309b67b27f5d
cjose-devel-0.6.1-3.module+el8.8.0+19464+578f4546.ppc64le.rpm
SHA-256: 6502c4c77addc64690d949843e4bbf0f18bfd0963096d4acc13a41817200e169
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.ppc64le.rpm
SHA-256: c120b8f84fc0d6c9e675dc0169b00a4d735457a8fc6e9bdca6942210bbebb5c0
mod_auth_openidc-debuginfo-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.ppc64le.rpm
SHA-256: 4fd6fc503dc553a8538c1a1316114d1c01ae54d0b43960f51d9012480eea714b
mod_auth_openidc-debugsource-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.ppc64le.rpm
SHA-256: 7c5e9a95b0dd3edbe36fed91ca0bf553dbec5dbf8350de5b44b5d774c0bf95ff
Red Hat Enterprise Linux Server - TUS 8.8
SRPM
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.src.rpm
SHA-256: e03d3483d093fa7364d03349e8a9291f7b64558aff69a0d24c80e04922d73773
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.src.rpm
SHA-256: 86697ab801b2cea5799a56844a76ad580539352f540c8354c773cf576a432ed6
x86_64
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm
SHA-256: f81743167ef86b7ea1d20358aded045ac9af401881d232db6c59583d5157eb90
cjose-debuginfo-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm
SHA-256: a28024683a4a75d3f381db624de6c0c78f37dfba67d46ca08dced3bc8c907eec
cjose-debugsource-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm
SHA-256: 73c7cc45e7ea7c4e071920591bf8db8ac25f4b50d36912556e01f5d5dde9c31d
cjose-devel-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm
SHA-256: 51950f39c2cfd1a76aa40e37d9e47ab6dd9a93a74878156f2c72d4d190cd58d3
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.x86_64.rpm
SHA-256: 732f306cf0a702e8f7b0145d781408b36f65686cbeb7021ec6aeed8e86606725
mod_auth_openidc-debuginfo-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.x86_64.rpm
SHA-256: 97cbf2a7acb46ec0360dae9bede93944d861c97cb3d783b91d389bc42482f4a2
mod_auth_openidc-debugsource-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.x86_64.rpm
SHA-256: 7fb340be6f167c6b4002aa90b776958783e6a524302b0049dcba1cc27fd88539
Red Hat Enterprise Linux for ARM 64 8
SRPM
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.src.rpm
SHA-256: e03d3483d093fa7364d03349e8a9291f7b64558aff69a0d24c80e04922d73773
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.src.rpm
SHA-256: 86697ab801b2cea5799a56844a76ad580539352f540c8354c773cf576a432ed6
aarch64
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.aarch64.rpm
SHA-256: be9ad6434348e34eb20fb86f182b5790571197a48618d60ce98d1382d46da72f
cjose-debuginfo-0.6.1-3.module+el8.8.0+19464+578f4546.aarch64.rpm
SHA-256: efb4902abe9d67d232dacaef8705605ae2b0dd25f4dd8fe87c96b5ba1300eca6
cjose-debugsource-0.6.1-3.module+el8.8.0+19464+578f4546.aarch64.rpm
SHA-256: 1368ba45ac7e67c5278306d63d1449e02609c76eaae8b544f6ddc0d75a0645ba
cjose-devel-0.6.1-3.module+el8.8.0+19464+578f4546.aarch64.rpm
SHA-256: f55c67ebb3fc7a72e34db6a999cc934a3b97100b46c5307216edbec98afefd55
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.aarch64.rpm
SHA-256: 316bc40f965956d84119f166576e3b012f5f5206ecd25fd8ccaa9ecb20eb35b1
mod_auth_openidc-debuginfo-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.aarch64.rpm
SHA-256: 30511770282ce499c2421589a68ad86fbe7d1c4d88e33a80db27a2aae07d25bb
mod_auth_openidc-debugsource-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.aarch64.rpm
SHA-256: e1c999a91a7c75c62612bb27bd13fe495972351ae6e855ec46fb85d3daacfc1f
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8
SRPM
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.src.rpm
SHA-256: e03d3483d093fa7364d03349e8a9291f7b64558aff69a0d24c80e04922d73773
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.src.rpm
SHA-256: 86697ab801b2cea5799a56844a76ad580539352f540c8354c773cf576a432ed6
aarch64
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.aarch64.rpm
SHA-256: be9ad6434348e34eb20fb86f182b5790571197a48618d60ce98d1382d46da72f
cjose-debuginfo-0.6.1-3.module+el8.8.0+19464+578f4546.aarch64.rpm
SHA-256: efb4902abe9d67d232dacaef8705605ae2b0dd25f4dd8fe87c96b5ba1300eca6
cjose-debugsource-0.6.1-3.module+el8.8.0+19464+578f4546.aarch64.rpm
SHA-256: 1368ba45ac7e67c5278306d63d1449e02609c76eaae8b544f6ddc0d75a0645ba
cjose-devel-0.6.1-3.module+el8.8.0+19464+578f4546.aarch64.rpm
SHA-256: f55c67ebb3fc7a72e34db6a999cc934a3b97100b46c5307216edbec98afefd55
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.aarch64.rpm
SHA-256: 316bc40f965956d84119f166576e3b012f5f5206ecd25fd8ccaa9ecb20eb35b1
mod_auth_openidc-debuginfo-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.aarch64.rpm
SHA-256: 30511770282ce499c2421589a68ad86fbe7d1c4d88e33a80db27a2aae07d25bb
mod_auth_openidc-debugsource-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.aarch64.rpm
SHA-256: e1c999a91a7c75c62612bb27bd13fe495972351ae6e855ec46fb85d3daacfc1f
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8
SRPM
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.src.rpm
SHA-256: e03d3483d093fa7364d03349e8a9291f7b64558aff69a0d24c80e04922d73773
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.src.rpm
SHA-256: 86697ab801b2cea5799a56844a76ad580539352f540c8354c773cf576a432ed6
ppc64le
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.ppc64le.rpm
SHA-256: 73ea8c4baa072f756ccecb2d0eec7a94941c29d5381dca60381520ab74ff18cc
cjose-debuginfo-0.6.1-3.module+el8.8.0+19464+578f4546.ppc64le.rpm
SHA-256: 740426b80bb62152230cf8555f99226c12fc59219ecfe9aff4fdaa4ee9052edb
cjose-debugsource-0.6.1-3.module+el8.8.0+19464+578f4546.ppc64le.rpm
SHA-256: 069848f863d51bde2716dcb4af5f349233184ff5178f14252c73309b67b27f5d
cjose-devel-0.6.1-3.module+el8.8.0+19464+578f4546.ppc64le.rpm
SHA-256: 6502c4c77addc64690d949843e4bbf0f18bfd0963096d4acc13a41817200e169
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.ppc64le.rpm
SHA-256: c120b8f84fc0d6c9e675dc0169b00a4d735457a8fc6e9bdca6942210bbebb5c0
mod_auth_openidc-debuginfo-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.ppc64le.rpm
SHA-256: 4fd6fc503dc553a8538c1a1316114d1c01ae54d0b43960f51d9012480eea714b
mod_auth_openidc-debugsource-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.ppc64le.rpm
SHA-256: 7c5e9a95b0dd3edbe36fed91ca0bf553dbec5dbf8350de5b44b5d774c0bf95ff
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8
SRPM
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.src.rpm
SHA-256: e03d3483d093fa7364d03349e8a9291f7b64558aff69a0d24c80e04922d73773
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.src.rpm
SHA-256: 86697ab801b2cea5799a56844a76ad580539352f540c8354c773cf576a432ed6
x86_64
cjose-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm
SHA-256: f81743167ef86b7ea1d20358aded045ac9af401881d232db6c59583d5157eb90
cjose-debuginfo-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm
SHA-256: a28024683a4a75d3f381db624de6c0c78f37dfba67d46ca08dced3bc8c907eec
cjose-debugsource-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm
SHA-256: 73c7cc45e7ea7c4e071920591bf8db8ac25f4b50d36912556e01f5d5dde9c31d
cjose-devel-0.6.1-3.module+el8.8.0+19464+578f4546.x86_64.rpm
SHA-256: 51950f39c2cfd1a76aa40e37d9e47ab6dd9a93a74878156f2c72d4d190cd58d3
mod_auth_openidc-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.x86_64.rpm
SHA-256: 732f306cf0a702e8f7b0145d781408b36f65686cbeb7021ec6aeed8e86606725
mod_auth_openidc-debuginfo-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.x86_64.rpm
SHA-256: 97cbf2a7acb46ec0360dae9bede93944d861c97cb3d783b91d389bc42482f4a2
mod_auth_openidc-debugsource-2.4.9.4-1.module+el8.7.0+14797+4085fcb6.x86_64.rpm
SHA-256: 7fb340be6f167c6b4002aa90b776958783e6a524302b0049dcba1cc27fd88539
Related news
Ubuntu Security Notice 6307-1 - It was discovered that JOSE for C/C++ AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. An attacker could use this to cause a denial of service or might expose sensitive information.
Debian Linux Security Advisory 5472-1 - It was discovered that an incorrect implementation of AES GCM decryption in cjose, a C library implementing the JOSE standard may allow an attacker to provide a truncated Authentication Tag and modify the JWE object.
Red Hat Security Advisory 2023-4429-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Red Hat Security Advisory 2023-4418-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Red Hat Security Advisory 2023-4411-01 - CJose is C library implementing the Javascript Object Signing and Encryption.
Red Hat Security Advisory 2023-4410-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Red Hat Security Advisory 2023-4409-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Red Hat Security Advisory 2023-4408-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
An update for cjose is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of 16 octets must be applied. This flaw...
An update for cjose is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of 16 octets must be applied. This flaw allows an attacker to pro...
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryptio...
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorre...
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of 16 octets ...
OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).