python-jwcrypto-0.8-5.el9

Errata ID: AXSA:2024-7961:01

Release date: Thursday, May 30, 2024 - 14:57
Subject: python-jwcrypto-0.8-5.el9
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: Moderate
Description:

The python-jwcrypto package provides Python implementations of the JSON Web Key (JWK), JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Token (JWT) JOSE (JSON Object Signing and Encryption) standards.

Security Fix(es):

* python-jwcrypto: malicious JWE token can cause denial of service (CVE-2024-28102)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-28102
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.
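
The failure mode described above can be contained on the receiving side by capping both the compressed input and the inflated output. The following is an added example, not code from jwcrypto or from this advisory; the function names and both limit values are assumptions, and it covers only the raw DEFLATE step that JWE uses for "zip": "DEF".

```python
import zlib

# Assumed limits for this sketch; size them to the largest legitimate token.
MAX_COMPRESSED_LEN = 4096
MAX_PLAINTEXT_LEN = 64 * 1024


class OversizedInput(ValueError):
    """Compressed or inflated data exceeds the configured caps."""


def bounded_inflate(data, max_in=MAX_COMPRESSED_LEN, max_out=MAX_PLAINTEXT_LEN):
    """Inflate raw DEFLATE data (JWE "zip": "DEF") within fixed size limits."""
    if len(data) > max_in:
        raise OversizedInput(f"compressed input is {len(data)} bytes, cap is {max_in}")
    inflater = zlib.decompressobj(-15)  # negative wbits: raw DEFLATE, no header
    # Request at most one byte over the cap: enough to detect an overrun
    # without materialising the full expansion in memory.
    out = inflater.decompress(data, max_out + 1)
    if len(out) > max_out:
        raise OversizedInput(f"inflated output exceeds {max_out} bytes")
    if not inflater.eof:
        raise ValueError("truncated DEFLATE stream")
    return out


def raw_deflate(data):
    """Build constructed sample input: raw DEFLATE at maximum compression."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


if __name__ == "__main__":
    claims = b'{"sub": "alice", "scope": "read"}'  # constructed sample
    print(bounded_inflate(raw_deflate(claims)))

    bloated = raw_deflate(b"\x00" * (1024 * 1024))  # constructed: 1 MiB of zeros
    print(len(bloated), "compressed bytes")
    try:
        bounded_inflate(bloated)
    except OversizedInput as exc:
        print("rejected:", exc)
```

The constructed 1 MiB input compresses to well under the input cap, which is why a length limit on the token alone has to be chosen with the achievable compression ratio in mind.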

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. python-jwcrypto-0.8-5.el9.src.rpm
    MD5: 7dbfa009df0e1c9406e4218aec523124
    SHA-256: 796fa2965a23e124a291585ccd9d19974dd60e72d4db1066dc356bea78d93107
    Size: 82.84 kB

Asianux Server 9 for x86_64
  1. python3-jwcrypto-0.8-5.el9.noarch.rpm
    MD5: 039c019dd1f2671632cffcd8a81d892c
    SHA-256: 977d1b6e889ed532d9fabcd69d5467684e7df03fdc5ba42d9e28a520fae1622c
    Size: 66.61 kB