Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

golang-github-go-jose-go-jose: CVE-2024-28180

Related Vulnerabilities: CVE-2024-28180  

Source

Debian Bug report logs - #1065814
golang-github-go-jose-go-jose: CVE-2024-28180

version graph

Package: src:golang-github-go-jose-go-jose; Maintainer for src:golang-github-go-jose-go-jose is Debian Go Packaging Team <team+pkg-go@tracker.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 10 Mar 2024 07:42:02 UTC

Severity: grave

Tags: security, upstream

Found in version golang-github-go-jose-go-jose/3.0.1-2

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>:
Bug#1065814; Package src:golang-github-go-jose-go-jose. (Sun, 10 Mar 2024 07:42:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>. (Sun, 10 Mar 2024 07:42:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: golang-github-go-jose-go-jose: CVE-2024-28180
Date: Sun, 10 Mar 2024 08:38:58 +0100
Source: golang-github-go-jose-go-jose
Version: 3.0.1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for golang-github-go-jose-go-jose.

CVE-2024-28180[0]:
| Package jose aims to provide an implementation of the Javascript
| Object Signing and Encryption set of standards. An attacker could
| send a JWE containing compressed data that used large amounts of
| memory and CPU when decompressed by Decrypt or DecryptMulti. Those
| functions now return an error if the decompressed data would exceed
| 250kB or 10x the compressed size (whichever is larger). This
| vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28180
    https://www.cve.org/CVERecord?id=CVE-2024-28180
[1] https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g
[2] https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a

Regards,
Salvtore

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Mar 10 11:51:26 2024; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started