Description of problem:
A security in python-jwcrypto was found. The jwcrypto implementation of the RSA1_5 algorithm is vulnerable to the Million Message Attack described in RFC 3128. RSA with PKCS1v1.5 is used by Custodia and ipapython.secrets
Version-Release number of selected component (if applicable):
Upstream bug report: https://github.com/latchset/jwcrypto/pull/66
Upstream fix: https://github.com/latchset/jwcrypto/pull/66
We need this fixed ASAP because it opens a door for an attack. The change is simple and minor. Patch is provided.
Changing BZ description to match what was fixed in code. We started using safer padding method.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.