{"id":"MGASA-2023-0350","summary":"Updated cjose packages fix a security vulnerability","details":"The updated packages fix a security vulnerability:\nThe AES GCM decryption routine incorrectly takes the tag length from the\nAuthentication Tag actually provided in the JWE, whereas the specification\nrequires a fixed length of 16 octets. This bug therefore allows an attacker\nto provide a truncated Authentication Tag and to modify the JWE accordingly;\na shorter tag is verified over fewer bits, so it gives weaker integrity\nprotection. (CVE-2023-37464)\n","modified":"2026-04-16T04:44:04.108357132Z","published":"2023-12-18T22:41:39Z","upstream":["CVE-2023-37464"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2023-0350.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=32274"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFWAPMYYVBO2U65HPYDTBEKNSXG4TP5C/"}],"affected":[{"package":{"name":"cjose","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/cjose?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.6.1-1.1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0350.json"}},{"package":{"name":"cjose","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/cjose?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.6.1-3.1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0350.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}