Fedora has issued an advisory today (September 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFWAPMYYVBO2U65HPYDTBEKNSXG4TP5C/
Mageia 8 and 9 are also affected.
Whiteboard: (none) => MGA9TOO, MGA8TOO
Source RPM: (none) => cjose-0.6.1-3.mga9.src.rpm
CC: (none) => nicolas.salguero
Version : 0.6.2.2
...
Security fix for CVE-2023-37464

No maintainer in view for this pkg, so assigning the update globally.
Assignee: bugsquad => pkg-bugs
Status comment: (none) => Fixed in 0.6.2.2
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. (CVE-2023-37464)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37464
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFWAPMYYVBO2U65HPYDTBEKNSXG4TP5C/
========================

Updated packages in 9/core/updates_testing:
========================
lib(64)cjose0-0.6.1-3.1.mga9
lib(64)cjose-devel-0.6.1-3.1.mga9

from SRPM:
cjose-0.6.1-3.1.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)cjose0-0.6.1-1.1.mga8
lib(64)cjose-devel-0.6.1-1.1.mga8

from SRPM:
cjose-0.6.1-1.1.mga8.src.rpm
Status comment: Fixed in 0.6.2.2 => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => nicolas.salguero
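The flaw the advisory describes, as an added illustration that is neither cjose's code nor part of this bug report: a decrypt routine that takes the GCM tag length from the JWE-supplied tag accepts a truncated tag, while one that enforces the fixed 16-octet length rejects it before touching the ciphertext. The key, IV, plaintext and the base64url protected header used as AAD are constructed values; Go's standard library only permits 12- to 16-byte tags, so the truncation shown is to 12 bytes (the original bug had no such floor).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const gcmTagLen = 16 // RFC 7518: the A128GCM/A192GCM/A256GCM tag is 128 bits, i.e. 16 octets
// openGCM decrypts ct and verifies tag with an AES-GCM instance expecting tagLen-byte tags.
func openGCM(key, iv, aad, ct, tag []byte, tagLen int) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCMWithTagSize(block, tagLen)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, iv, append(append([]byte{}, ct...), tag...), aad)
}

// Flawed pattern from the advisory: the tag length is whatever the JWE carries (Go allows 12..16).
func decryptTrustingTagLength(key, iv, aad, ct, tag []byte) ([]byte, error) {
	return openGCM(key, iv, aad, ct, tag, len(tag)) // length taken from untrusted input
}

// Hardened form: anything but a 16-octet tag is rejected before the ciphertext is touched.
func decryptFixedTagLength(key, iv, aad, ct, tag []byte) ([]byte, error) {
	if len(tag) != gcmTagLen {
		return nil, fmt.Errorf("jwe: authentication tag is %d octets, must be %d", len(tag), gcmTagLen)
	}
	return openGCM(key, iv, aad, ct, tag, gcmTagLen)
}

// sealSample produces a constructed A256GCM ciphertext and its full 16-byte tag.
func sealSample(key, iv, aad, pt []byte) (ct, tag []byte) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	out := gcm.Seal(nil, iv, pt, aad)
	return out[:len(out)-gcmTagLen], out[len(out)-gcmTagLen:]
}
func main() {
	key, iv := make([]byte, 32), make([]byte, 12) // constructed zero key and IV, demo only
	aad := []byte("eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0") // ASCII(BASE64URL(protected header))
	ct, tag := sealSample(key, iv, aad, []byte("hello jose"))
	_, errVuln := decryptTrustingTagLength(key, iv, aad, ct, tag[:12]) // tag truncated to 12 bytes
	_, errFixed := decryptFixedTagLength(key, iv, aad, ct, tag[:12])
	fmt.Println("flawed path accepts truncated tag:", errVuln == nil, "| fixed path rejects it:", errFixed != nil)
}
```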
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Version: Cauldron => 9
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
No wiki, no previous updates, so
# urpmq --whatrequires lib64cjose0
apache-mod_auth_openidc
apache-mod_auth_openidc
apache-mod_auth_openidc
lib64cjose-devel
lib64cjose-devel
lib64cjose0
and
# urpmq --whatrequires-recursive lib64cjose0
apache-mod_auth_openidc
apache-mod_auth_openidc
apache-mod_auth_openidc
lib64cjose-devel
lib64cjose-devel
lib64cjose0
No idea how to get any further here and googling does not bring me any further than the repos.
CC: (none) => herman.viaene
(In reply to Herman Viaene from comment #3)
> MGA8-64 Xfce on Acer Aspire 5253
> No installation issues
> No wiki, no previous updates, so
> # urpmq --whatrequires lib64cjose0
> apache-mod_auth_openidc
> apache-mod_auth_openidc
> apache-mod_auth_openidc
> lib64cjose-devel
> lib64cjose-devel
> lib64cjose0
> and
> # urpmq --whatrequires-recursive lib64cjose0
> apache-mod_auth_openidc
> apache-mod_auth_openidc
> apache-mod_auth_openidc
> lib64cjose-devel
> lib64cjose-devel
> lib64cjose0
> No idea how to get any further here and googling does not bring me any
> further than the repos.

Any suggestions for how to test this update?

Asking for feedback
Keywords: (none) => feedback
CC: (none) => marja11
(In reply to Herman Viaene from comment #3)
> MGA8-64 Xfce on Acer Aspire 5253
> No installation issues
> No wiki, no previous updates, so
> # urpmq --whatrequires lib64cjose0
> apache-mod_auth_openidc
> apache-mod_auth_openidc
> apache-mod_auth_openidc
> lib64cjose-devel
> lib64cjose-devel
> lib64cjose0
> and
> # urpmq --whatrequires-recursive lib64cjose0
> apache-mod_auth_openidc
> apache-mod_auth_openidc
> apache-mod_auth_openidc
> lib64cjose-devel
> lib64cjose-devel
> lib64cjose0
> No idea how to get any further here and googling does not bring me any
> further than the repos.

I found this https://groups.google.com/g/mod_auth_openidc/c/-7XkKimba2I , but it is too much for me.
MGA8-64 Plasma in VirtualBox.

For lack of anything else to try, I decided to look for previous bugs for apache-mod_auth_openidc. I installed that, which brought in lib64cjose0, then used qarepo to update lib64cjose0. There were no installation issues.

Then I used the basic test found in bug25810:

[root@localhost ~]# systemctl start httpd
[root@localhost ~]# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Sun 2023-12-17 16:06:26 EST; 22s ago
   Main PID: 18862 (httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
      Tasks: 6 (limit: 3566)
     Memory: 7.7M
        CPU: 72ms
     CGroup: /system.slice/httpd.service
             ├─18862 /usr/sbin/httpd -DFOREGROUND
             ├─18864 /usr/sbin/httpd -DFOREGROUND
             ├─18865 /usr/sbin/httpd -DFOREGROUND
             ├─18866 /usr/sbin/httpd -DFOREGROUND
             ├─18867 /usr/sbin/httpd -DFOREGROUND
             └─18868 /usr/sbin/httpd -DFOREGROUND

Dec 17 16:06:26 localhost systemd[1]: Starting The Apache HTTP Server...
Dec 17 16:06:26 localhost systemd[1]: Started The Apache HTTP Server.
Dec 17 16:06:26 localhost httpd[18862]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress this message

Then I pointed firefox toward localhost, receiving a page that said "It works!"

That and a clean install was enough for that bug, so I'm using it here, too.

This is good on MGA8.
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
CC: (none) => andrewsfarm
Keywords: feedback => (none)
Mga9-64 Plasma with an i5-2500, Intel graphics.

Same procedure as comment 6, with the same results. Calling this good for MGA9.

Validating. Advisory in comment 2.
Keywords: (none) => validated_update
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
CC: (none) => sysadmin-bugs
CVE: (none) => CVE-2023-37464
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0350.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED