Hi Steve,

On Tue, Apr 30, 2024 at 05:19:22PM +0100, Steve McIntyre wrote:
> Hi!
>
> On Fri, Mar 08, 2024 at 10:42:40PM +0100, Salvatore Bonaccorso wrote:
> >Source: python-jwcrypto
> >Version: 1.5.4-1
> >Severity: important
> >Tags: security upstream
> >X-Debbugs-Cc: car...@debian.org, Debian Security Team
> ><t...@security.debian.org>
> >
> >Hi,
> >
> >The following vulnerability was published for python-jwcrypto.
> >
> >CVE-2024-28102[0]:
> >| JWCrypto implements JWK, JWS, and JWE specifications using python-
> >| cryptography. Prior to version 1.5.6, an attacker can cause a denial
> >| of service attack by passing in a malicious JWE Token with a high
> >| compression ratio. When the server processes this token, it will
> >| consume a lot of memory and processing time. Version 1.5.6 fixes
> >| this vulnerability by limiting the maximum token length.
>
> We wanted this fixed in Pexip, so I've taken a look at this bug.
>
> The upstream bugfix just needs a small rework so it applies cleanly to
> the version in bookworm. Here's a debdiff for that in case it's
> useful.
The issue does not warrant a DSA, but it would be great to have it fixed in bookworm via an upcoming point release, if you have already done the work. Can you propose the update in stable (unless the maintainers want to do it on their own)?

Regards,
Salvatore
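As an added illustration of the failure mode the advisory describes, not code from jwcrypto, from the upstream fix or from the debdiff under discussion: a JWE with "zip":"DEF" carries raw DEFLATE data, and highly repetitive plaintext compresses at roughly 1000:1, so a few kilobytes of ciphertext can inflate to megabytes. Upstream 1.5.6 caps the token length; the example below bounds both the compressed input and the inflated output, using only the standard library. The size limits, the constructed claims and the bomb payload are assumptions made for the example.

```python
import zlib

# Added example (not jwcrypto's code). The two limits are assumptions; a real
# deployment would size them to the largest legitimate token it must accept.
MAX_COMPRESSED_BYTES = 256 * 1024   # assumed cap on the compressed payload
MAX_INFLATED_BYTES = 1024 * 1024    # assumed cap on the inflated plaintext


class PayloadTooLarge(ValueError):
    """Raised when a payload exceeds either size limit."""


def deflate(data: bytes) -> bytes:
    """Raw DEFLATE (RFC 1951, no zlib header), as JWE zip=DEF requires."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return co.compress(data) + co.flush()


def make_bomb(inflated_size: int) -> bytes:
    """Constructed attacker payload: a run of zero bytes compresses ~1000:1."""
    return deflate(b"\0" * inflated_size)


def bounded_inflate(data: bytes,
                    max_in: int = MAX_COMPRESSED_BYTES,
                    max_out: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate raw DEFLATE data without ever producing more than max_out bytes.

    zlib.decompressobj.decompress(data, max_length) stops emitting output at
    max_length and parks the unprocessed input in unconsumed_tail, so memory
    use is bounded by max_out regardless of the compression ratio.
    """
    if len(data) > max_in:
        raise PayloadTooLarge(
            f"compressed payload is {len(data)} bytes, limit {max_in}")
    d = zlib.decompressobj(wbits=-15)            # -15: raw deflate, no header
    out = d.decompress(data, max_out + 1)        # ask for one byte over the cap
    if len(out) > max_out or d.unconsumed_tail:
        raise PayloadTooLarge(f"inflated payload exceeds {max_out} bytes")
    if not d.eof:
        raise ValueError("truncated or malformed DEFLATE stream")
    return out


def demo() -> dict:
    """Run a legitimate payload and two abusive ones through bounded_inflate."""
    # Constructed claims set standing in for a JWE plaintext.
    claims = b'{"iss":"https://issuer.example","sub":"alice","exp":1700000000}'
    results = {"legit": bounded_inflate(deflate(claims)) == claims}

    bomb = make_bomb(2_000_000)                  # 2 MB inflated, a few KB compressed
    results["bomb_compressed_size"] = len(bomb)
    try:
        bounded_inflate(bomb)
        results["bomb_rejected"] = False
    except PayloadTooLarge:
        results["bomb_rejected"] = True

    # An oversized compressed input is refused before any inflation happens.
    try:
        bounded_inflate(b"\0" * (MAX_COMPRESSED_BYTES + 1))
        results["oversized_rejected"] = False
    except PayloadTooLarge:
        results["oversized_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Checking the compressed length alone (the approach the CVE text attributes to upstream) already stops the attack, since the inflated size is bounded by about 1032 times the input; the output cap is the belt-and-braces check for code paths that receive DEFLATE data from elsewhere without a known input limit.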