It was discovered that JOSE for C/C++ AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. An attacker could use this to cause a denial of service (system crash) or might expose sensitive information.
{ "binaries": [ { "binary_name": "libcjose-dev", "binary_version": "0.6.0+dfsg1-1ubuntu0.1~esm1" }, { "binary_name": "libcjose0", "binary_version": "0.6.0+dfsg1-1ubuntu0.1~esm1" }, { "binary_name": "libcjose0-dbgsym", "binary_version": "0.6.0+dfsg1-1ubuntu0.1~esm1" } ], "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro" }
{ "binaries": [ { "binary_name": "libcjose-dev", "binary_version": "0.6.1+dfsg1-1ubuntu0.1" }, { "binary_name": "libcjose0", "binary_version": "0.6.1+dfsg1-1ubuntu0.1" }, { "binary_name": "libcjose0-dbgsym", "binary_version": "0.6.1+dfsg1-1ubuntu0.1" } ], "availability": "No subscription required" }
{ "binaries": [ { "binary_name": "libcjose-dev", "binary_version": "0.6.1+dfsg1-3ubuntu1.1" }, { "binary_name": "libcjose0", "binary_version": "0.6.1+dfsg1-3ubuntu1.1" }, { "binary_name": "libcjose0-dbgsym", "binary_version": "0.6.1+dfsg1-3ubuntu1.1" } ], "availability": "No subscription required" }