Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2023-31582: jose4j: jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less. | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | gabriele.sonnu, galaxy-bugs, marina.latini, mc, meissner, stoyan.manolov |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/382874/ | | |
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-31582:3.1:(AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |

Description
SMASH SMASH
2023-10-26 09:59:10 UTC
Tracking as affected:

- SUSE:SLE-15-SP3:Update:Products:Manager42:Update/jose4j v0.5.1
- SUSE:SLE-15-SP4:Update:Products:Manager43:Update/jose4j v0.5.1

Upstream fix: https://bitbucket.org/b_c/jose4j/issues/203/insecure-support-of-setting-pbe-less-then

(In reply to Gabriele Sonnu from comment #1)
> Tracking as affected:
>
> - SUSE:SLE-15-SP3:Update:Products:Manager42:Update/jose4j v0.5.1

For info, SUMA 4.2 is EOL

Working on it

Fixes submitted to our devel projects. Our release engs will take care of submitting it to the next stage.

SUSE-SU-2024:0485-1: An update that solves two vulnerabilities, contains one feature and has 44 security fixes can now be installed.

Category: security (important)

Bug References: 1170848, 1210911, 1211254, 1211560, 1211912, 1213079, 1213507, 1213738, 1213981, 1214077, 1214791, 1215166, 1215514, 1215769, 1215810, 1215813, 1215982, 1216114, 1216394, 1216437, 1216550, 1216609, 1216657, 1216753, 1216781, 1216988, 1217069, 1217209, 1217588, 1217784, 1217869, 1218019, 1218074, 1218075, 1218089, 1218094, 1218146, 1218490, 1218615, 1218669, 1218837, 1218849, 1219151, 1219449, 1219577, 1219850

CVE References: CVE-2023-31582, CVE-2023-32189

Jira References: MSQA-719

Sources used:

SUSE Manager Proxy 4.3 Module 4.3 (src): mgr-daemon-4.3.8-150400.3.12.5, susemanager-build-keys-15.4.10-150400.3.23.5, spacewalk-client-tools-4.3.18-150400.3.24.7, spacecmd-4.3.26-150400.3.33.5, spacewalk-backend-4.3.27-150400.3.38.2, spacewalk-web-4.3.37-150400.3.39.7, patterns-suse-manager-4.3-150400.5.9.5, spacewalk-certs-tools-4.3.22-150400.3.25.1

SUSE Manager Server 4.3 Module 4.3 (src): supportutils-plugin-susemanager-4.3.10-150400.3.18.5, susemanager-sls-4.3.40-150400.3.44.1, susemanager-build-keys-15.4.10-150400.3.23.5, prometheus-postgres_exporter-0.10.1-150400.3.9.5, subscription-matcher-0.35-150400.3.19.5, spacewalk-web-4.3.37-150400.3.39.7, spacewalk-backend-4.3.27-150400.3.38.2, jose4j-0.5.1-150400.3.6.2, spacewalk-utils-4.3.19-150400.3.21.5, susemanager-sync-data-4.3.16-150400.3.22.2, liberate-formula-0.1.0-150400.10.3.3, cobbler-3.3.3-150400.5.39.5, spacewalk-setup-4.3.19-150400.3.30.5, spacewalk-client-tools-4.3.18-150400.3.24.7, inter-server-sync-0.3.2-150400.3.27.5, susemanager-4.3.34-150400.3.45.5, uyuni-reportdb-schema-4.3.9-150400.3.12.7, spacecmd-4.3.26-150400.3.33.5, prometheus-formula-0.8.0-150400.3.6.5, susemanager-docs_en-4.3-150400.9.53.5, saltboot-formula-0.1.1701196218.b6b8ca1-150400.3.15.3, susemanager-schema-4.3.24-150400.3.36.7, spacewalk-java-4.3.71-150400.3.74.2, patterns-suse-manager-4.3-150400.5.9.5, spacewalk-certs-tools-4.3.22-150400.3.25.1, grafana-formula-0.10.0-150400.3.15.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

just released for SUMA. Re-assign to security team for tracking

done (fwiw added filter for CVE page to only referenced jose4j)