Package: ruby-json-jwt / 1.6.2-1+deb9u1
Metadata
Package | Version | Patches format |
---|---|---|
ruby-json-jwt | 1.6.2-1+deb9u1 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
001 remove simplecov.patch | spec/spec_helper.rb 8 4 + 4 - 0 ! | |
002 cve 2018 1000539.patch | lib/json/jwe.rb 2 2 + 0 - 0 ! | [patch] verify the gcm auth tag length. As described in https://github.com/ruby/openssl/issues/63, without this check, only a single byte needs to be supplied to make the authentication pass. This means that an attacker needs at most 256 attempts in order to forge a valid authentication tag. The JWE spec example prescribes 128 bits (16 bytes) for the tag: https://tools.ietf.org/html/rfc7516#section-3.3 |