jose-14-1.el9

Errata ID: AXSA:2024-9219:02

Release date: 
Thursday, December 12, 2024 - 15:28
Subject: 
jose-14-1.el9
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

Jose is a C-language implementation of the JavaScript Object Signing and Encryption standards. The jose package is a dependency of the clevis and tang packages, together providing Network Bound Disk Encryption (NBDE) in MIRACLE LINUX.

Security Fix(es):

* jose: resource exhaustion (CVE-2024-28176)
* jose: Denial of service due to uncontrolled CPU consumption (CVE-2023-50967)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the MIRACLE LINUX 9.5 Release Notes linked from the References section.

CVE-2023-50967
latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
CVE-2024-28176
jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume an unreasonable amount of CPU time or memory during JWE decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.
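
Both CVE descriptions above come down to sender-controlled JWE header fields driving work during decryption: the PBES2 count `p2c`, and the `zip` parameter that RFC 7516 uses to request plaintext decompression. The following added example (not part of the advisory or of the jose project) is a Python pre-check that inspects those fields before a token reaches a decryption routine; `MAX_P2C`, `ALLOW_ZIP` and all function names are assumptions for illustration, and the sample token is constructed.

```python
import base64
import json

# Assumed policy limits (not from the advisory); tune per deployment.
MAX_P2C = 100_000   # highest PBES2 iteration count accepted
ALLOW_ZIP = False   # refuse compressed plaintext ("zip") by default

def decode_header(segment):
    """Decode one unpadded base64url segment into a JSON object."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("header is not a JSON object")
    return obj

def jwe_headers(token):
    """Return the effective header of each recipient (compact or JSON form)."""
    token = token.strip()
    if not token.startswith("{"):
        parts = token.split(".")
        if len(parts) != 5:
            raise ValueError("not a compact JWE")
        return [decode_header(parts[0])]
    doc = json.loads(token)
    shared = decode_header(doc["protected"]) if doc.get("protected") else {}
    shared.update(doc.get("unprotected") or {})
    recipients = doc.get("recipients") or [{"header": doc.get("header")}]
    return [{**shared, **(r.get("header") or {})} for r in recipients]

def check_jwe(token):
    """Return policy violations; an empty list means decryption may proceed."""
    problems = []
    for hdr in jwe_headers(token):
        alg, p2c = hdr.get("alg"), hdr.get("p2c")
        if isinstance(alg, str) and alg.startswith("PBES2-"):
            # type() rather than isinstance(): bool is an int subclass
            if type(p2c) is not int or not 1 <= p2c <= MAX_P2C:
                problems.append(f"p2c out of range: {p2c!r}")
        if "zip" in hdr and not ALLOW_ZIP:
            problems.append(f"compressed plaintext refused: zip={hdr['zip']!r}")
    return problems

def make_sample(header):
    """Constructed sample: compact JWE with dummy key/IV/ciphertext/tag."""
    enc = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return enc + ".AAAA.AAAA.AAAA.AAAA"

if __name__ == "__main__":
    big = {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2c": 2_000_000_000}
    print(check_jwe(make_sample(big)))
```

A check like this is a compensating control for services that accept JWEs from untrusted senders; the package update in the Solution section remains the fix.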

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. jose-14-1.el9.src.rpm
    MD5: d4503150e84c1a9c0df8517f31e71b95
    SHA-256: 578bee46da4dc3dafc90091fd73222a941efa565ed6c7c579af72534a39f9650
    Size: 755.87 kB

Asianux Server 9 for x86_64
  1. jose-14-1.el9.x86_64.rpm
    MD5: 4545419d80d146dd58a25fe56bffb093
    SHA-256: 0d04269db7166f087d32278d611fd27ba057997f5f804aa112e8607cecb543bd
    Size: 71.74 kB
  2. libjose-14-1.el9.i686.rpm
    MD5: 872b692dfdea492a530f44734e8e9e56
    SHA-256: ed56eb04098aff071e370a8bbb3d99ba20a9e8241fa973bee7ab738298ba3ada
    Size: 64.07 kB
  3. libjose-14-1.el9.x86_64.rpm
    MD5: 9b5d381a5fa55d0fa5e4f2b9921bf603
    SHA-256: 5b3631514c1439a9531531c61e588e4fb4fc83537a4f88f70f2a5ff12a5dfa18
    Size: 62.82 kB
  4. libjose-devel-14-1.el9.i686.rpm
    MD5: b6d40ec7049745679f84ac19fa012fa1
    SHA-256: 5b8f60b49315ffd4e84646fe1ebde4e38b63cf48e0d8d85b964841de8467ad7f
    Size: 37.69 kB
  5. libjose-devel-14-1.el9.x86_64.rpm
    MD5: 9df39923c6f2a26893e3fd580d4e99f3
    SHA-256: 698f18aae9f6a6ea33019dda6af84e4856cd15e3f2be461b2f07d1ec2146431b
    Size: 37.66 kB