Fedora has issued an advisory today (September 11): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFWAPMYYVBO2U65HPYDTBEKNSXG4TP5C/ Mageia 8 and 9 are also affected.
Source RPM: (none) => cjose-0.6.1-3.mga9.src.rpm
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO
Version : 0.6.2.2 ... Security fix for CVE-2023-37464

No maintainer in view for this pkg, so assigning the update globally.

Status comment: (none) => Fixed in 0.6.2.2
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. (CVE-2023-37464)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37464
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFWAPMYYVBO2U65HPYDTBEKNSXG4TP5C/
========================

Updated packages in 9/core/updates_testing:
========================
lib(64)cjose0-0.6.1-3.1.mga9
lib(64)cjose-devel-0.6.1-3.1.mga9

from SRPM:
cjose-0.6.1-3.1.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)cjose0-0.6.1-1.1.mga8
lib(64)cjose-devel-0.6.1-1.1.mga8

from SRPM:
cjose-0.6.1-1.1.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => nicolas.salguero
Status comment: Fixed in 0.6.2.2 => (none)
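To make the advisory's description concrete, here is an added Go illustration (not cjose's own code, which is C) of the flawed decryption path, where the GCM tag size is taken from whatever tag the JWE carries, next to the corrected one, which enforces the 16-octet tag the spec requires before decrypting. Key, IV, protected header and plaintext are constructed demo values; Go's own GCM refuses tags shorter than 12 octets, so the truncation shown is milder than what the C code could accept.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const gcmTagLen = 16 // RFC 7518: the A128GCM/A192GCM/A256GCM Authentication Tag is always 128 bits
type jweParts struct{ aad, iv, ciphertext, tag []byte } // decoded JWE pieces; aad is the ASCII protected header

func newGCM(key []byte, tagSize int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithTagSize(block, tagSize) // Go itself refuses sizes outside 12..16 octets
}

// openGCM decrypts and verifies with an explicit tag size; the caller decides where that size comes from.
func openGCM(key []byte, p jweParts, tagSize int) ([]byte, error) {
	gcm, err := newGCM(key, tagSize)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, p.iv, append(append([]byte{}, p.ciphertext...), p.tag...), p.aad)
}

// decryptTrustingTag mirrors the flawed pattern: the tag size is whatever length the JWE happens to carry.
func decryptTrustingTag(key []byte, p jweParts) ([]byte, error) {
	return openGCM(key, p, len(p.tag))
}

// decryptFixedTag is the corrected pattern: the 16-octet length is enforced before any decryption happens.
func decryptFixedTag(key []byte, p jweParts) ([]byte, error) {
	if len(p.tag) != gcmTagLen {
		return nil, fmt.Errorf("jwe: authentication tag is %d octets, must be %d", len(p.tag), gcmTagLen)
	}
	return openGCM(key, p, gcmTagLen)
}

// seal produces a well-formed JWE body (full 16-octet tag) so the two decryptors can be compared.
func seal(key, iv, aad, plaintext []byte) (jweParts, error) {
	gcm, err := newGCM(key, gcmTagLen)
	if err != nil {
		return jweParts{}, err
	}
	out := gcm.Seal(nil, iv, plaintext, aad)
	n := len(out) - gcmTagLen
	return jweParts{aad: aad, iv: iv, ciphertext: out[:n], tag: out[n:]}, nil
}
```

A JWE whose tag has been cut to 12 octets still decrypts through decryptTrustingTag but is refused by decryptFixedTag, which is the check the 0.6.2.2 fix adds.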
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 9
MGA8-64 Xfce on Acer Aspire 5253

No installation issues.

No wiki, no previous updates, so

# urpmq --whatrequires lib64cjose0
apache-mod_auth_openidc
apache-mod_auth_openidc
apache-mod_auth_openidc
lib64cjose-devel
lib64cjose-devel
lib64cjose0

and

# urpmq --whatrequires-recursive lib64cjose0
apache-mod_auth_openidc
apache-mod_auth_openidc
apache-mod_auth_openidc
lib64cjose-devel
lib64cjose-devel
lib64cjose0

No idea how to get any further here, and googling does not bring me any further than the repos.
CC: (none) => herman.viaene