jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically in the support for decompressing plaintext after it has been decrypted. Under certain conditions it is possible to have the user's environment consume an unreasonable amount of CPU time or memory during JWE decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.
References:
https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314
https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b
https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q
Created apptainer tracking bugs for this issue:
Affects: epel-all [bug 2268823]
Affects: fedora-all [bug 2268827]
Created buildah tracking bugs for this issue:
Affects: fedora-all [bug 2268828]
Created caddy tracking bugs for this issue:
Affects: epel-all [bug 2268824]
Affects: fedora-all [bug 2268829]
Created containerd tracking bugs for this issue:
Affects: fedora-all [bug 2268830]
Created cri-o tracking bugs for this issue:
Affects: fedora-all [bug 2268831]
Created cri-o:1.21/cri-o tracking bugs for this issue:
Affects: epel-all [bug 2268825]
Created cri-o:1.22/cri-o tracking bugs for this issue:
Affects: fedora-all [bug 2268832]
Created cri-o:1.23/cri-o tracking bugs for this issue:
Affects: fedora-all [bug 2268833]
Created cri-o:1.24/cri-o tracking bugs for this issue:
Affects: fedora-all [bug 2268834]
Created cri-o:1.25/cri-o tracking bugs for this issue:
Affects: fedora-all [bug 2268835]
Created cri-o:1.26/cri-o tracking bugs for this issue:
Affects: fedora-all [bug 2268836]
Created cri-o:1.27/cri-o tracking bugs for this issue:
Affects: fedora-all [bug 2268837]
Created golang-github-acme-lego tracking bugs for this issue:
Affects: fedora-all [bug 2268838]
Created golang-github-in-toto tracking bugs for this issue:
Affects: fedora-all [bug 2268839]
Created golang-github-jose-3 tracking bugs for this issue:
Affects: fedora-all [bug 2268840]
Created golang-github-letsencrypt-pebble tracking bugs for this issue:
Affects: fedora-all [bug 2268841]
Created golang-gopkg-square-jose-2 tracking bugs for this issue:
Affects: fedora-all [bug 2268842]
Created grafana tracking bugs for this issue:
Affects: fedora-all [bug 2268843]
Created jose tracking bugs for this issue:
Affects: fedora-all [bug 2268852]
Created moby-engine tracking bugs for this issue:
Affects: fedora-all [bug 2268844]
Created osbuild-composer tracking bugs for this issue:
Affects: fedora-all [bug 2268845]
Created podman tracking bugs for this issue:
Affects: fedora-all [bug 2268847]
Created podman-tui tracking bugs for this issue:
Affects: fedora-all [bug 2268848]
Created prometheus-podman-exporter tracking bugs for this issue:
Affects: fedora-all [bug 2268849]
Created singularity-ce tracking bugs for this issue:
Affects: epel-all [bug 2268826]
Affects: fedora-all [bug 2268850]
Created skopeo tracking bugs for this issue:
Affects: fedora-all [bug 2268851]
@ybuenos I see a bunch of bzs filed against go-based packages which have go-jose in their go.mod files. But the github advisory page linked in description doesn't mention anything about go-jose. Is there any guidance available on how to handle go-jose, assuming go-jose is affected at all?
The go-jose advisory is at https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:3826 https://access.redhat.com/errata/RHSA-2024:3826
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:3827 https://access.redhat.com/errata/RHSA-2024:3827
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3968 https://access.redhat.com/errata/RHSA-2024:3968
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16 Via RHSA-2024:0041 https://access.redhat.com/errata/RHSA-2024:0041
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16 Via RHSA-2024:0045 https://access.redhat.com/errata/RHSA-2024:0045
This issue has been addressed in the following products: RHODF-4.16-RHEL-9 Via RHSA-2024:4591 https://access.redhat.com/errata/RHSA-2024:4591
This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.6 for RHEL 8 Red Hat OpenShift Service Mesh 2.6 for RHEL 9 Via RHSA-2024:5094 https://access.redhat.com/errata/RHSA-2024:5094
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:5294 https://access.redhat.com/errata/RHSA-2024:5294
This issue has been addressed in the following products: RHODF-4.16-RHEL-9 Via RHSA-2024:6755 https://access.redhat.com/errata/RHSA-2024:6755
This issue has been addressed in the following products: RHODF-4.17-RHEL-9 Via RHSA-2024:8676 https://access.redhat.com/errata/RHSA-2024:8676
This issue has been solved in RHACM 2.10.1 with this public advisory https://access.redhat.com/errata/RHBA-2024:1793
This issue has been solved in RHACM 2.9.4 via this public advisory https://access.redhat.com/errata/RHBA-2024:3593
This issue has been solved in MCE 2.5.2 via this public advisory https://access.redhat.com/errata/RHBA-2024:1775
This issue has been solved in MCE 2.4.5 via this public advisory https://access.redhat.com/errata/RHBA-2024:3555
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:9181 https://access.redhat.com/errata/RHSA-2024:9181