mod_auth_openidc:2.3 security update
エラータID: AXSA:2023-6296:01
リリース日:
2023/08/04 Friday - 06:43
題名:
mod_auth_openidc:2.3 security update
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- mod_auth_openidc の AES GCM 復号化処理には、JSON Web Encryption
形式のデータから取得した認証タグの長さを誤って処理してしまう問題が
あるため、リモートの攻撃者により、細工された認証タグを介して、JSON
Web Encryption 形式のデータの改竄を可能とする脆弱性が存在します。
(CVE-2023-37464)
Modularity name: mod_auth_openidc
Stream name: 2.3
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2023-37464
OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).
OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).
追加情報:
N/A
ダウンロード:
SRPMS
- cjose-0.6.1-3.module+el8+1651+93bcdc1a.src.rpm
MD5: 089c83a774572fdb486c7923e1ed28ef
SHA-256: 374e8229d650f98126994ec048262d21efbbc48f36d577ab1a614a4e30dd3dda
Size: 1.52 MB - mod_auth_openidc-2.4.9.4-1.module+el8+1651+93bcdc1a.src.rpm
MD5: b5842556cbf75da1b5ff364f0e3f51d6
SHA-256: c86782a4e9443b899292589f713901bcc8b24d99026cf129fa526ffd9a731b07
Size: 269.11 kB
Asianux Server 8 for x86_64
- cjose-0.6.1-3.module+el8+1651+93bcdc1a.x86_64.rpm
MD5: 14aed8a6b1e51fd04d94685034953ebc
SHA-256: 39a092e1403d2ff12a416ca90c134560be3e0277feab02ff20a32f442de65c5a
Size: 183.38 kB - cjose-debugsource-0.6.1-3.module+el8+1651+93bcdc1a.x86_64.rpm
MD5: 0333eed27de9b61100be8e33cd87a506
SHA-256: a4e040a5ddb81d9ced2eb97e43ca581d0869e5e28114f9e83c00cd7990a9a2ae
Size: 41.49 kB - cjose-devel-0.6.1-3.module+el8+1651+93bcdc1a.x86_64.rpm
MD5: db1cc0e2ce6c7f1732afc61671d80ee9
SHA-256: 19cf4bb92831b90fd2775b5e484931d8e0cb31c816f2e36647ade68d9a416c2d
Size: 17.60 kB - mod_auth_openidc-2.4.9.4-1.module+el8+1651+93bcdc1a.x86_64.rpm
MD5: 4779df828173622007a602638b15e979
SHA-256: 013adb73be54596290be2c55f05cd0376cdb82b066b335859c3d5672a41e7c29
Size: 195.09 kB - mod_auth_openidc-debugsource-2.4.9.4-1.module+el8+1651+93bcdc1a.x86_64.rpm
MD5: 400dba49177d64e5d94b631586115b80
SHA-256: 136805dea5e726d2f4c1f13c5f6cad94a00307657bf0e98751438b9744176b82
Size: 149.12 kB