Hi,

On Sun, Jun 26, 2022 at 05:36:42PM -0400, Nicolas Mora wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: [email protected]
> Usertags: pu
>
> [ Reason ]
> Fix possible buffer overflow when decrypting forged jwe with invalid iv or
> cypherkey
>
> [ Impact ]
> program might crash or execute arbitrary code
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> Check iv and cypherkey len before decoding them
>
> [ Other info ]
> CVE id pending

Looks like the CVE is CVE-2022-32096 now:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32096

Regards,
Salvatore

