Bug#1055010: golang-github-nats-io-nkeys: CVE-2023-46129

[Mathias Gibbens]

Control: block 1055011 by 1055010

  I've pushed the packaging updates for the latest release to salsa,
but the fix introduces a regression in golang-github-nats-io-jwt, which
I have reported upstream at https://github.com/nats-io/jwt/issues/211.

Mathias


signature.asc
Description: This is a digitally signed message part

Bug#1055010: golang-github-nats-io-nkeys: CVE-2023-46129

[Salvatore Bonaccorso]

Source: golang-github-nats-io-nkeys
Version: 0.4.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: clone -1 -2
Control: reassign -2 src:nats-server 2.10.3-1
Control: retitle -2 nats-server: CVE-2023-46129

Hi,

The following vulnerability was published for
golang-github-nats-io-nkeys, resp. nats-server.

CVE-2023-46129[0]:
| nkeys: xkeys Seal encryption used fixed key for all encryption


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46129
https://www.cve.org/CVERecord?id=CVE-2023-46129
[1] https://advisories.nats.io/CVE/secnote-2023-02.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore