It was discovered that an incorrect implementation of AES GCM decryption
in cjose, a C library implementing the JOSE standard may allow an attacker
to provide a truncated Authentication Tag and modify the JWE object.
For the oldstable distribution (bullseye), this problem has been fixed
in version 0.6.1+dfsg1-1+deb11u1.
For the stable distribution (bookworm), this problem has been fixed in
We recommend that you upgrade your cjose packages.