Hi Timo,

On Thu, May 02, 2024 at 09:07:08AM +0300, Timo Aaltonen wrote:
>Steve McIntyre wrote on 30.4.2024 at 19.19:
>> Hi!
>> 
>> On Fri, Mar 08, 2024 at 10:42:40PM +0100, Salvatore Bonaccorso wrote:
>> > Source: python-jwcrypto
>> > Version: 1.5.4-1
>> > Severity: important
>> > Tags: security upstream
>> > X-Debbugs-Cc: car...@debian.org, Debian Security Team 
>> > <t...@security.debian.org>
>> > 
>> > Hi,
>> > 
>> > The following vulnerability was published for python-jwcrypto.
>> > 
>> > CVE-2024-28102[0]:
>> > | JWCrypto implements JWK, JWS, and JWE specifications using python-
>> > | cryptography. Prior to version 1.5.6, an attacker can cause a denial
>> > | of service attack by passing in a malicious JWE Token with a high
>> > | compression ratio. When the server processes this token, it will
>> > | consume a lot of memory and processing time. Version 1.5.6 fixes
>> > | this vulnerability by limiting the maximum token length.
>> 
>> We wanted this fixed in Pexip, so I've taken a look at this bug.
>> 
>> The upstream bugfix just needs a small rework so it applies cleanly to
>> the version in bookworm. Here's a debdiff for that in case it's
>> useful.
>
>I've pushed 1.5.6 to sid now, feel free to upload the proposed version for
>bookworm, thanks.

I've asked the release team to approve, ready to upload when they say
so. I've also pushed a bookworm branch and a tag for this release to

https://salsa.debian.org/93sam/python-jwcrypto/-/tree/bookworm

if you'd like to merge those.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
  Getting a SCSI chain working is perfectly simple if you remember that there
  must be exactly three terminations: one on one end of the cable, one on the
  far end, and the goat, terminated over the SCSI chain with a silver-handled
  knife whilst burning *black* candles. --- Anthony DeBoer
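The CVE quoted in this thread is a decompression-bomb problem: a small JWE whose `"zip": "DEF"` member inflates to a huge plaintext. Upstream's fix, as the advisory describes it, caps the serialized token length. The block below is an added example, not code from jwcrypto, the upstream patch or the debdiff discussed here, showing both that pre-parse length check and a second, defense-in-depth control: inflating with `zlib.decompressobj().decompress(data, max_length)` so that output is never allocated beyond a fixed limit. The limits `MAX_TOKEN_BYTES` and `MAX_INFLATED_BYTES`, the helper names, and the sample payloads are all assumptions constructed for the example, not values from the upstream code.

```python
import zlib

# Assumed limits for this example; illustrative, not the values chosen by the
# upstream jwcrypto fix.
MAX_TOKEN_BYTES = 250_000       # cap on the serialized JWE before any parsing
MAX_INFLATED_BYTES = 1_000_000  # cap on plaintext produced by "zip": "DEF"


def deflate_raw(plaintext: bytes) -> bytes:
    """Raw DEFLATE (RFC 1951), the algorithm JWE names "DEF" (no zlib header)."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(plaintext) + c.flush()


def check_token_length(token: str, limit: int = MAX_TOKEN_BYTES) -> bool:
    """Cheap first gate: refuse oversized serialized tokens before parsing them."""
    return len(token.encode("utf-8")) <= limit


def inflate_bounded(data: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate raw DEFLATE data, refusing any stream whose output exceeds limit.

    decompress(data, max_length) stops producing output at max_length bytes and
    parks the rest of the input in unconsumed_tail, so a few KiB of ciphertext
    that would expand to gigabytes is rejected without the expansion ever being
    materialised in memory.
    """
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, limit + 1)  # ask for one byte more than allowed
    if len(out) > limit:
        raise ValueError(f"inflated payload exceeds {limit} bytes")
    if not d.eof:
        raise ValueError("truncated DEFLATE stream")
    return out


def inflate_is_rejected(data: bytes, limit: int = MAX_INFLATED_BYTES) -> bool:
    """True when the bounded inflater refuses the stream."""
    try:
        inflate_bounded(data, limit)
    except ValueError:
        return True
    return False


# Constructed inputs: an ordinary claims payload, and a highly compressible
# payload of the kind the advisory describes (a long run of identical bytes).
NORMAL = deflate_raw(b'{"sub":"alice","scope":"read"}')
BOMB = deflate_raw(b"\x00" * (20 * 1024 * 1024))   # 20 MiB -> ~20 KiB compressed

if __name__ == "__main__":
    print("normal round-trips:", inflate_bounded(NORMAL))
    print("bomb compressed size:", len(BOMB))
    print("bomb passes the token-length gate alone:", len(BOMB) <= MAX_TOKEN_BYTES)
    print("bomb rejected by bounded inflate:", inflate_is_rejected(BOMB))
```

The point of the second check is visible in the printed output: a 20 MiB run of zeros deflates to well under `MAX_TOKEN_BYTES`, so a token-length cap alone still admits inputs that expand roughly a thousandfold. Capping the inflated size bounds memory regardless of compression ratio, and the two checks together keep both parsing cost and decompression cost proportional to limits the server chooses.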
