Your message dated Sun, 18 Feb 2024 13:24:13 +0000
with message-id <[email protected]>
and subject line Bug#1063534: fixed in libjwt 1.17.0-1
has caused the Debian Bug report #1063534,
regarding libjwt: CVE-2024-25189
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1063534: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063534
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libjwt
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for libjwt.

CVE-2024-25189[0]:
| libjwt 1.15.3 uses strcmp (which is not constant time) to verify
| authentication, which makes it easier to bypass authentication via a
| timing side channel.

The report is
https://github.com/P3ngu1nW/CVE_Request/blob/main/benmcollins%3Alibjwt.md
but it doesn't seem to have been reported upstream yet.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25189
    https://www.cve.org/CVERecord?id=CVE-2024-25189

Please adjust the affected versions in the BTS as needed.

--- End Message ---
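The strcmp-based signature check the CVE text describes, beside a constant-time equivalent, as an added C example that is neither libjwt's own code nor its upstream fix; the signature strings are constructed sample values and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern named in CVE-2024-25189: strcmp() stops at the first
 * differing byte, so its run time grows with the matching prefix. */
int verify_strcmp(const char *expected_sig, const char *presented_sig)
{
    return strcmp(expected_sig, presented_sig) == 0;
}

/* Hardened form: touch every byte and OR the XOR differences together, so
 * the work done is independent of where (or whether) the inputs differ.
 * Length is checked first; JWT signatures have a fixed length per algorithm. */
int verify_consttime(const char *expected_sig, const char *presented_sig)
{
    size_t n = strlen(expected_sig);
    if (strlen(presented_sig) != n)
        return 0;
    const volatile unsigned char *a = (const volatile unsigned char *)expected_sig;
    const volatile unsigned char *b = (const volatile unsigned char *)presented_sig;
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint32_t)(a[i] ^ b[i]);
    return (int)((diff - 1u) >> 31); /* 1 iff diff == 0, no data-dependent branch */
}

/* Instrumented early-exit loop: counts the byte positions a strcmp-style
 * compare examines. That count, like strcmp's run time, depends on the
 * length of the matching prefix, which is the leak the CVE text describes. */
size_t bytes_inspected_early_exit(const char *a, const char *b)
{
    size_t i = 0;
    while (a[i] != '\0' && a[i] == b[i])
        i++;
    return i + 1;
}

int main(void)
{
    /* Constructed sample values, not real HMAC output. */
    const char *good = "0f1e2d3c4b5a69788796a5b4c3d2e1f0";
    const char *near = "0f1e2d3c4b5a69788796a5b4c3d2e1ff"; /* last byte differs */
    const char *far  = "ff1e2d3c4b5a69788796a5b4c3d2e1f0"; /* first byte differs */
    printf("early-exit inspects %zu bytes (near) vs %zu (far); consttime: %d %d %d\n",
           bytes_inspected_early_exit(good, near), bytes_inspected_early_exit(good, far),
           verify_consttime(good, near), verify_consttime(good, far), verify_consttime(good, good));
    return 0;
}
```

In a real verifier the comparison is done on the raw, fixed-length MAC bytes rather than on strings, and the same OR-accumulate pattern applies there.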
--- Begin Message ---
Source: libjwt
Source-Version: 1.17.0-1
Done: Thorsten Alteholz <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libjwt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <[email protected]> (supplier of updated libjwt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 18 Feb 2024 13:21:00 +0100
Source: libjwt
Architecture: source
Version: 1.17.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian IoT Maintainers <[email protected]>
Changed-By: Thorsten Alteholz <[email protected]>
Closes: 1063534
Changes:
 libjwt (1.17.0-1) experimental; urgency=medium
 .
   * New upstream release.
   * Contains fix for CVE-2024-25189 (Closes: #1063534)
   * update symbols file

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
