• Bug#1065814: golang-github-go-jose-go-jose: CVE-2024-28180

    From Salvatore Bonaccorso@21:1/5 to All on Sun Mar 10 08:50:01 2024
    Source: golang-github-go-jose-go-jose
    Version: 3.0.1-2
    Severity: grave
    Tags: security upstream
    Justification: user security hole
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for golang-github-go-jose-go-jose.

    CVE-2024-28180[0]:
    | Package jose aims to provide an implementation of the Javascript
    | Object Signing and Encryption set of standards. An attacker could
    | send a JWE containing compressed data that used large amounts of
    | memory and CPU when decompressed by Decrypt or DecryptMulti. Those
    | functions now return an error if the decompressed data would exceed
    | 250kB or 10x the compressed size (whichever is larger). This
    | vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2024-28180
    https://www.cve.org/CVERecord?id=CVE-2024-28180
    [1] https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g
    [2] https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
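    The advisory text quoted above describes the fix in terms of a bound on decompressed size: decryption fails if the inflated payload would exceed 250 kB or ten times the compressed size, whichever is larger. The following Go program is an added illustration of that kind of bounded decompression, written for this report; it is not go-jose's own code. The names `inflateBounded`, `compressDeflate` and `decompressionLimit`, and the constants they use, are assumptions chosen for the example; the sample inputs (a small text and a large run of zero bytes) are constructed inline.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// Limits matching the ones described in the advisory text (assumed names):
// decompressed output may not exceed the larger of 250 kB and 10x the
// compressed input size.
const (
	maxDecompressedAbsolute = 250_000
	maxDecompressedRatio    = 10
)

// ErrDecompressionTooLarge is returned when the inflated data would exceed the limit.
var ErrDecompressionTooLarge = errors.New("decompressed payload exceeds limit")

// decompressionLimit returns max(250 kB, 10 * compressedLen).
func decompressionLimit(compressedLen int) int64 {
	limit := int64(compressedLen) * maxDecompressedRatio
	if limit < maxDecompressedAbsolute {
		limit = maxDecompressedAbsolute
	}
	return limit
}

// inflateBounded decompresses raw DEFLATE data (the encoding used by the
// JWE "zip":"DEF" parameter) and stops reading as soon as the output would
// exceed the limit, so a small compressed input cannot expand without bound.
func inflateBounded(compressed []byte) ([]byte, error) {
	limit := decompressionLimit(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	// Read at most limit+1 bytes: the extra byte reveals an oversized stream
	// without ever buffering more than the limit plus one byte.
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrDecompressionTooLarge
	}
	return out, nil
}

// compressDeflate produces raw DEFLATE output, used here only to build test inputs.
func compressDeflate(plain []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(plain); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	// Constructed benign payload: well under every limit.
	small := bytes.Repeat([]byte("a"), 1000)
	c, _ := compressDeflate(small)
	out, err := inflateBounded(c)
	fmt.Printf("benign: compressed=%d inflated=%d err=%v\n", len(c), len(out), err)

	// Constructed oversized payload: 2 MB of zeros compresses to a few kB,
	// so the limit is 250 kB and inflation is refused.
	big := make([]byte, 2_000_000)
	c, _ = compressDeflate(big)
	_, err = inflateBounded(c)
	fmt.Printf("oversized: compressed=%d limit=%d err=%v\n", len(c), decompressionLimit(len(c)), err)
}
```

The bound is enforced while reading rather than after the fact, so memory use stays proportional to the limit even when the input would inflate to gigabytes; this is the property a caller of a JWE library should expect from its Decrypt path.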
  • From Debian Bug Tracking System@21:1/5 to All on Wed Mar 13 16:30:01 2024

    Your message dated Wed, 13 Mar 2024 15:22:00 +0000
    with message-id <E1rkQQa-0079Ia-Jy@fasolo.debian.org>
    and subject line Bug#1065814: fixed in golang-github-go-jose-go-jose 4.0.1-1
    has caused the Debian Bug report #1065814,
    regarding golang-github-go-jose-go-jose: CVE-2024-28180
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1065814: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065814
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems
