Security Information / 2023 / Security Information -- DSA-5472-1 cjose

Debian Security Advisory

DSA-5472-1 cjose -- security update

Date Reported:

08 Aug 2023

Affected Packages:

cjose

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 1041423.
In Mitre's CVE dictionary: CVE-2023-37464.

More information:

It was discovered that an incorrect implementation of AES GCM decryption in cjose, a C library implementing the JOSE standard, may allow an attacker to provide a truncated Authentication Tag and modify the JWE object.

For the oldstable distribution (bullseye), this problem has been fixed in version 0.6.1+dfsg1-1+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 0.6.2.1-1+deb12u1.

We recommend that you upgrade your cjose packages.

For the detailed security status of cjose please refer to its security tracker page at: https://security-tracker.debian.org/tracker/cjose