Package: ruby-json-jwt | Debian Sources

Package: ruby-json-jwt / 1.6.2-1+deb9u1

Metadata

Package	Version	Patches format
ruby-json-jwt	1.6.2-1+deb9u1	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
001 remove simplecov.patch \| (download)	spec/spec_helper.rb \| 8 4 + 4 - 0 ! 1 file changed, 4 insertions(+), 4 deletions(-)	---
002 cve 2018 1000539.patch \| (download)	lib/json/jwe.rb \| 2 2 + 0 - 0 ! spec/json/jwe_spec.rb \| 24 24 + 0 - 0 ! 2 files changed, 26 insertions(+)	[patch] verify the gcm auth tag length As described in https://github.com/ruby/openssl/issues/63 without this check, only a single byte needs to be supplied to make the authentication pass. This means that an attacker needs at most 256 attempts in order to forge a valid authentication tag. The JWE spec example prescribes 128 bits (16 bytes) for the tag: https://tools.ietf.org/html/rfc7516#section-3.3

Patch

File delta

Description

001 remove simplecov.patch | (download)

spec/spec_helper.rb | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

---

002 cve 2018 1000539.patch | (download)

lib/json/jwe.rb | 2 2 + 0 - 0 !
spec/json/jwe_spec.rb | 24 24 + 0 - 0 !
2 files changed, 26 insertions(+)

 [patch] verify the gcm auth tag length

As described in https://github.com/ruby/openssl/issues/63 without this check, only a single byte needs to be supplied to make the authentication pass. This means that an attacker needs at most 256 attempts in order to forge a valid authentication tag.

The JWE spec example prescribes 128 bits (16 bytes) for the tag: https://tools.ietf.org/html/rfc7516#section-3.3