| Summary: | <dev-erlang/jose-1.11.10: DoS via a large p2c value in a JOSE header | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Randy Barlow <randy> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | UNCONFIRMED --- | | |
| Severity: | normal | CC: | ejabberd, jstein |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50966 | | |
| See Also: | https://github.com/gentoo/gentoo/pull/36350 | | |
| Whiteboard: | B3 [stable] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 941216 | | |
| Bug Blocks: | | | |
Description

Randy Barlow, 2024-03-19 20:38:57 UTC:

It looks like this has been fixed in 1.11.8 (7?); the maintainer commented on an issue and said 1.11.8, but the Changelog says 1.11.7:
https://github.com/potatosalad/erlang-jose/issues/156#issuecomment-2041536683
https://github.com/potatosalad/erlang-jose/blob/main/CHANGELOG.md#1117-2024-04-07

Might be best to bump to >1.11.7 to be safe.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=957c2bb065b3f4f80ac744074195680abac3fa57

commit 957c2bb065b3f4f80ac744074195680abac3fa57
Author: Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-04-22 02:03:32 +0000
Commit: Florian Schmaus <flow@gentoo.org>
CommitDate: 2024-05-03 20:57:34 +0000

dev-erlang/jose: add 1.11.10

- Tests not ran (restricted)
- Fix trivial QA warning
- Put S below SRC_URI

Bug: https://bugs.gentoo.org/927310
Signed-off-by: Christopher Fore <csfore@posteo.net>
Closes: https://github.com/gentoo/gentoo/pull/36350
Signed-off-by: Florian Schmaus <flow@gentoo.org>

dev-erlang/jose/Manifest | 1 +
dev-erlang/jose/jose-1.11.10.ebuild | 27 +++++++++++++++++++++++++++
2 files changed, 28 insertions(+)