OESA-2023-1441
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1441
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2023-1441.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/OESA-2023-1441
- Upstream
- Published
- 2023-07-29T11:05:34Z
- Modified
- 2025-08-12T05:21:17.489247Z
- Summary
- cjose security update
- Details
-
Implementation of JOSE for C/C++
Security Fix(es):
OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).(CVE-2023-37464)
- Database specific
{ "severity": "High" }- References
Affected packages
openEuler:20.03-LTS-SP1
cjose
Package
- Name
- cjose
- Purl
- pkg:rpm/openEuler/cjose&distro=openEuler-20.03-LTS-SP1
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.6.2.2-1.oe1
Ecosystem specific
{
"src": [
"cjose-0.6.2.2-1.oe1.src.rpm"
],
"x86_64": [
"cjose-debugsource-0.6.2.2-1.oe1.x86_64.rpm",
"cjose-debuginfo-0.6.2.2-1.oe1.x86_64.rpm",
"cjose-devel-0.6.2.2-1.oe1.x86_64.rpm",
"cjose-0.6.2.2-1.oe1.x86_64.rpm"
],
"aarch64": [
"cjose-0.6.2.2-1.oe1.aarch64.rpm",
"cjose-devel-0.6.2.2-1.oe1.aarch64.rpm",
"cjose-debugsource-0.6.2.2-1.oe1.aarch64.rpm",
"cjose-debuginfo-0.6.2.2-1.oe1.aarch64.rpm"
]
}openEuler:20.03-LTS-SP3
cjose
Package
- Name
- cjose
- Purl
- pkg:rpm/openEuler/cjose&distro=openEuler-20.03-LTS-SP3
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.6.2.2-1.oe1
Ecosystem specific
{
"src": [
"cjose-0.6.2.2-1.oe1.src.rpm"
],
"x86_64": [
"cjose-debugsource-0.6.2.2-1.oe1.x86_64.rpm",
"cjose-0.6.2.2-1.oe1.x86_64.rpm",
"cjose-debuginfo-0.6.2.2-1.oe1.x86_64.rpm",
"cjose-devel-0.6.2.2-1.oe1.x86_64.rpm"
],
"aarch64": [
"cjose-devel-0.6.2.2-1.oe1.aarch64.rpm",
"cjose-debugsource-0.6.2.2-1.oe1.aarch64.rpm",
"cjose-0.6.2.2-1.oe1.aarch64.rpm",
"cjose-debuginfo-0.6.2.2-1.oe1.aarch64.rpm"
]
}openEuler:22.03-LTS
cjose
Package
- Name
- cjose
- Purl
- pkg:rpm/openEuler/cjose&distro=openEuler-22.03-LTS
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.6.2.2-1.oe2203sp2
Ecosystem specific
{
"src": [
"cjose-0.6.2.2-1.oe2203.src.rpm",
"cjose-0.6.2.2-1.oe2203sp1.src.rpm",
"cjose-0.6.2.2-1.oe2203sp2.src.rpm"
],
"x86_64": [
"cjose-devel-0.6.2.2-1.oe2203.x86_64.rpm",
"cjose-debugsource-0.6.2.2-1.oe2203.x86_64.rpm",
"cjose-debuginfo-0.6.2.2-1.oe2203.x86_64.rpm",
"cjose-0.6.2.2-1.oe2203.x86_64.rpm",
"cjose-0.6.2.2-1.oe2203sp1.x86_64.rpm",
"cjose-devel-0.6.2.2-1.oe2203sp1.x86_64.rpm",
"cjose-debugsource-0.6.2.2-1.oe2203sp1.x86_64.rpm",
"cjose-debuginfo-0.6.2.2-1.oe2203sp1.x86_64.rpm",
"cjose-0.6.2.2-1.oe2203sp2.x86_64.rpm",
"cjose-devel-0.6.2.2-1.oe2203sp2.x86_64.rpm",
"cjose-debuginfo-0.6.2.2-1.oe2203sp2.x86_64.rpm",
"cjose-debugsource-0.6.2.2-1.oe2203sp2.x86_64.rpm"
],
"aarch64": [
"cjose-devel-0.6.2.2-1.oe2203.aarch64.rpm",
"cjose-debuginfo-0.6.2.2-1.oe2203.aarch64.rpm",
"cjose-debugsource-0.6.2.2-1.oe2203.aarch64.rpm",
"cjose-0.6.2.2-1.oe2203.aarch64.rpm",
"cjose-debuginfo-0.6.2.2-1.oe2203sp1.aarch64.rpm",
"cjose-0.6.2.2-1.oe2203sp1.aarch64.rpm",
"cjose-devel-0.6.2.2-1.oe2203sp1.aarch64.rpm",
"cjose-debugsource-0.6.2.2-1.oe2203sp1.aarch64.rpm",
"cjose-debugsource-0.6.2.2-1.oe2203sp2.aarch64.rpm",
"cjose-devel-0.6.2.2-1.oe2203sp2.aarch64.rpm",
"cjose-debuginfo-0.6.2.2-1.oe2203sp2.aarch64.rpm",
"cjose-0.6.2.2-1.oe2203sp2.aarch64.rpm"
]
}openEuler:22.03-LTS-SP1
cjose
Package
- Name
- cjose
- Purl
- pkg:rpm/openEuler/cjose&distro=openEuler-22.03-LTS-SP1
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.6.2.2-1.oe2203sp1
Ecosystem specific
{
"src": [
"cjose-0.6.2.2-1.oe2203sp1.src.rpm"
],
"x86_64": [
"cjose-0.6.2.2-1.oe2203sp1.x86_64.rpm",
"cjose-devel-0.6.2.2-1.oe2203sp1.x86_64.rpm",
"cjose-debugsource-0.6.2.2-1.oe2203sp1.x86_64.rpm",
"cjose-debuginfo-0.6.2.2-1.oe2203sp1.x86_64.rpm"
],
"aarch64": [
"cjose-debuginfo-0.6.2.2-1.oe2203sp1.aarch64.rpm",
"cjose-0.6.2.2-1.oe2203sp1.aarch64.rpm",
"cjose-devel-0.6.2.2-1.oe2203sp1.aarch64.rpm",
"cjose-debugsource-0.6.2.2-1.oe2203sp1.aarch64.rpm"
]
}openEuler:22.03-LTS-SP2
cjose
Package
- Name
- cjose
- Purl
- pkg:rpm/openEuler/cjose&distro=openEuler-22.03-LTS-SP2
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.6.2.2-1.oe2203sp2
Ecosystem specific
{
"src": [
"cjose-0.6.2.2-1.oe2203sp2.src.rpm"
],
"x86_64": [
"cjose-0.6.2.2-1.oe2203sp2.x86_64.rpm",
"cjose-devel-0.6.2.2-1.oe2203sp2.x86_64.rpm",
"cjose-debuginfo-0.6.2.2-1.oe2203sp2.x86_64.rpm",
"cjose-debugsource-0.6.2.2-1.oe2203sp2.x86_64.rpm"
],
"aarch64": [
"cjose-debugsource-0.6.2.2-1.oe2203sp2.aarch64.rpm",
"cjose-devel-0.6.2.2-1.oe2203sp2.aarch64.rpm",
"cjose-debuginfo-0.6.2.2-1.oe2203sp2.aarch64.rpm",
"cjose-0.6.2.2-1.oe2203sp2.aarch64.rpm"
]
}