jose-10-2.el8_10.3
Errata ID: AXSA:2024-8659:01
Release date:
2024/08/15 Thursday - 14:49
Title:
jose-10-2.el8_10.3
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
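The following issues have been addressed.
[Security Fix]
- The PBKDF2 algorithm implementation in jose contains a vulnerability
that allows a remote attacker to cause a denial of service (CPU resource
exhaustion) by forcing repeated computation of the wrapping key with a
large PBES2 count value. (CVE-2023-50967)
- The JSON Web Encryption decryption interface in jose contains a
vulnerability that allows a remote attacker to cause a denial of service
(CPU resource and memory exhaustion) via crafted JSON Web Encryption
data. (CVE-2024-28176)
Solution:
Update the packages.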
CVE:
CVE-2023-50967
latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
CVE-2024-28176
jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume an unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.
Additional information:
N/A
Downloads:
SRPMS
- jose-10-2.el8_10.3.src.rpm
MD5: 77a7177277677d91d62886333d20b266
SHA-256: 7286551d21c10c13d9d6c6aeca3cbfefe532758e43b22bb609900cbe9d4a5c77
Size: 410.74 kB
Asianux Server 8 for x86_64
- jose-10-2.el8_10.3.x86_64.rpm
MD5: e8a9aa54f0d3d36bc40f14849efacad7
SHA-256: c30ead58e3052dc64d2b679b83b5e707bd224d16ad610734890ee3cf3d0ff5c6
Size: 56.78 kB
- libjose-10-2.el8_10.3.i686.rpm
MD5: 9b3b06227a6f884c1fe42734543fd354
SHA-256: 505e8d142757bfeb0c42dde4b48e66ec5fe5bebf7c1860d06e63f8966e5adeb4
Size: 64.86 kB
- libjose-10-2.el8_10.3.x86_64.rpm
MD5: edbe6baba2a29bf5c8aee2793cdb46a6
SHA-256: 2acae2934f0e9aae16cc4818dfb11f8567f042e4278195beb299a59783892bce
Size: 63.25 kB
- libjose-devel-10-2.el8_10.3.i686.rpm
MD5: e343704dba764a4cf66cd41573b9547d
SHA-256: 47dd642965624ff16fd4c65101527cd78c3005672d5db19aa5f3c6221a2da487
Size: 35.12 kB
- libjose-devel-10-2.el8_10.3.x86_64.rpm
MD5: 5e0a9bcd16582c8bcf173edc62780776
SHA-256: ce942cc7d5aa7e1dde3788108a6ee9f757410ba2604d0348f2b5e73600949951
Size: 35.09 kB