Your message dated Mon, 30 Oct 2023 04:34:03 +0000
with message-id <e1qxjyv-007xyt...@fasolo.debian.org>
and subject line Bug#1054872: fixed in libjose4j-java 0.7.12-2
has caused the Debian Bug report #1054872,
regarding libjose4j-java: CVE-2023-31582
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054872: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054872
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libjose4j-java
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libjose4j-java.

CVE-2023-31582[0]:
| jose4j before v0.9.3 allows attackers to set a low iteration count
| of 1000 or less.

https://bitbucket.org/b_c/jose4j/issues/203/insecure-support-of-setting-pbe-less-then
Fixed by: https://bitbucket.org/b_c/jose4j/commits/1929fe3 (jose4j/0.9.3)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-31582
    https://www.cve.org/CVERecord?id=CVE-2023-31582

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: libjose4j-java
Source-Version: 0.7.12-2
Done: tony mancill <tmanc...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libjose4j-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated libjose4j-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 29 Oct 2023 20:48:59 -0700
Source: libjose4j-java
Architecture: source
Version: 0.7.12-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: tony mancill <tmanc...@debian.org>
Closes: 1054872
Changes:
 libjose4j-java (0.7.12-2) unstable; urgency=medium
 .
   * Team upload.
   * Add patch to require higher iteration count and minimum salt length
     to address CVE-2023-31582 (Closes: #1054872)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
 Please use
debian-j...@lists.debian.org for discussions and questions.
