jose-10-2.el8_10.3

Errata ID: AXSA:2024-8659:01

Release date: 
Thursday, August 15, 2024 - 14:49
Subject: 
jose-10-2.el8_10.3
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

Jose is a C-language implementation of the JavaScript Object Signing and Encryption standards. The jose package is a dependency of the clevis and tang packages, which together provide Network Bound Disk Encryption (NBDE) in Asianux Server.

Security Fix(es):

* jose: resource exhaustion (CVE-2024-28176)
* jose: Denial of service due to uncontrolled CPU consumption (CVE-2023-50967)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-50967
latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
CVE-2024-28176
jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume an unreasonable amount of CPU time or memory during JWE decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.
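
Added example (not part of this advisory and not code from the jose project): a pre-decryption check that reads the protected header of a compact-serialized JWE and refuses the two inputs described above, an oversized PBES2 `p2c` count and compressed plaintext (`zip`). The cap `MAX_P2C`, the policy of rejecting `zip` outright, and all function names are assumptions chosen for illustration; the sample tokens are constructed and not decryptable.

```python
import base64
import json

MAX_P2C = 32768  # assumed local policy cap, not a value taken from the advisory


def protected_header(compact_jwe: str) -> dict:
    """Decode the protected header of a compact JWE without decrypting it."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE (expected 5 dot-separated parts)")
    raw = base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4))
    hdr = json.loads(raw)
    if not isinstance(hdr, dict):
        raise ValueError("protected header is not a JSON object")
    return hdr


def precheck(compact_jwe: str, max_p2c: int = MAX_P2C) -> list:
    """Return reasons to refuse decryption; an empty list means the token passes."""
    hdr = protected_header(compact_jwe)
    reasons = []
    alg = hdr.get("alg", "")
    if isinstance(alg, str) and alg.startswith("PBES2-"):
        p2c = hdr.get("p2c")
        # bool is a subclass of int in Python, so it is excluded explicitly
        if not isinstance(p2c, int) or isinstance(p2c, bool) or p2c < 1:
            reasons.append("PBES2 header has missing or invalid p2c")
        elif p2c > max_p2c:
            reasons.append(f"p2c {p2c} exceeds cap {max_p2c}")
    if "zip" in hdr:
        reasons.append("compressed plaintext (zip) not accepted")
    return reasons


def make_jwe(header: dict) -> str:
    """Build a constructed compact JWE with placeholder key/iv/ciphertext/tag."""
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return ".".join([h, "a2V5", "aXY", "Y3Q", "dGFn"])


# Constructed sample tokens for the three cases.
OK = make_jwe({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2s": "c2FsdA", "p2c": 4096})
BIG = make_jwe({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2s": "c2FsdA", "p2c": 2**31 - 1})
ZIP = make_jwe({"alg": "ECDH-ES", "enc": "A128GCM", "zip": "DEF"})

if __name__ == "__main__":
    for name, tok in (("OK", OK), ("BIG", BIG), ("ZIP", ZIP)):
        print(name, precheck(tok))
```

This covers compact serialization only; in JSON serialization the same parameters can also appear in unprotected or per-recipient headers, which would need the same check.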

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. jose-10-2.el8_10.3.src.rpm
    MD5: 77a7177277677d91d62886333d20b266
    SHA-256: 7286551d21c10c13d9d6c6aeca3cbfefe532758e43b22bb609900cbe9d4a5c77
    Size: 410.74 kB

Asianux Server 8 for x86_64
  1. jose-10-2.el8_10.3.x86_64.rpm
    MD5: e8a9aa54f0d3d36bc40f14849efacad7
    SHA-256: c30ead58e3052dc64d2b679b83b5e707bd224d16ad610734890ee3cf3d0ff5c6
    Size: 56.78 kB
  2. libjose-10-2.el8_10.3.i686.rpm
    MD5: 9b3b06227a6f884c1fe42734543fd354
    SHA-256: 505e8d142757bfeb0c42dde4b48e66ec5fe5bebf7c1860d06e63f8966e5adeb4
    Size: 64.86 kB
  3. libjose-10-2.el8_10.3.x86_64.rpm
    MD5: edbe6baba2a29bf5c8aee2793cdb46a6
    SHA-256: 2acae2934f0e9aae16cc4818dfb11f8567f042e4278195beb299a59783892bce
    Size: 63.25 kB
  4. libjose-devel-10-2.el8_10.3.i686.rpm
    MD5: e343704dba764a4cf66cd41573b9547d
    SHA-256: 47dd642965624ff16fd4c65101527cd78c3005672d5db19aa5f3c6221a2da487
    Size: 35.12 kB
  5. libjose-devel-10-2.el8_10.3.x86_64.rpm
    MD5: 5e0a9bcd16582c8bcf173edc62780776
    SHA-256: ce942cc7d5aa7e1dde3788108a6ee9f757410ba2604d0348f2b5e73600949951
    Size: 35.09 kB