Описание
Security update for rubygem-json-jwt
This update for rubygem-json-jwt fixes the following issues:
-
New upstream release 1.16.6, see bundled CHANGELOG.md
-
Remove padding oracle by @btoews in https://github.com/nov/json-jwt/pull/109
-
Fixes CVE-2023-51774 boo#1220727
-
updated to version 1.11.0
- no changelog found
- Fixes CVE-2019-18848 boo#1156649
Список пакетов
SUSE Package Hub 15 SP5
ruby2.5-rubygem-aes_key_wrap-1.1.0-bp155.2.1
ruby2.5-rubygem-aes_key_wrap-doc-1.1.0-bp155.2.1
ruby2.5-rubygem-json-jwt-1.16.6-bp155.3.3.1
ruby2.5-rubygem-json-jwt-doc-1.16.6-bp155.3.3.1
openSUSE Leap 15.5
ruby2.5-rubygem-aes_key_wrap-1.1.0-bp155.2.1
ruby2.5-rubygem-aes_key_wrap-doc-1.1.0-bp155.2.1
ruby2.5-rubygem-json-jwt-1.16.6-bp155.3.3.1
ruby2.5-rubygem-json-jwt-doc-1.16.6-bp155.3.3.1
Ссылки
- E-Mail link for openSUSE-SU-2025:0004-1
- SUSE Security Ratings
- SUSE Bug 1156649
- SUSE Bug 1220727
- SUSE CVE CVE-2019-18848 page
- SUSE CVE CVE-2023-51774 page
Описание
The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string.
Затронутые продукты
SUSE Package Hub 15 SP5:ruby2.5-rubygem-aes_key_wrap-1.1.0-bp155.2.1
SUSE Package Hub 15 SP5:ruby2.5-rubygem-aes_key_wrap-doc-1.1.0-bp155.2.1
SUSE Package Hub 15 SP5:ruby2.5-rubygem-json-jwt-1.16.6-bp155.3.3.1
SUSE Package Hub 15 SP5:ruby2.5-rubygem-json-jwt-doc-1.16.6-bp155.3.3.1
Ссылки
- CVE-2019-18848
- SUSE Bug 1156649
Описание
The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode.
Затронутые продукты
SUSE Package Hub 15 SP5:ruby2.5-rubygem-aes_key_wrap-1.1.0-bp155.2.1
SUSE Package Hub 15 SP5:ruby2.5-rubygem-aes_key_wrap-doc-1.1.0-bp155.2.1
SUSE Package Hub 15 SP5:ruby2.5-rubygem-json-jwt-1.16.6-bp155.3.3.1
SUSE Package Hub 15 SP5:ruby2.5-rubygem-json-jwt-doc-1.16.6-bp155.3.3.1
Ссылки
- CVE-2023-51774
- SUSE Bug 1220727