MGASA-2024-0238 - Updated python-authlib packages fix security vulnerability

Publication date: 25 Jun 2024
URL: https://advisories.mageia.org/MGASA-2024-0238.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-37568

Authlib before 1.3.1 has algorithm confusion with asymmetric public
keys. Unless an algorithm is specified in a jwt.decode call, HMAC
verification is allowed with any asymmetric public key. (This is similar
to CVE-2022-29217 and CVE-2024-33663.)

References:
- https://bugs.mageia.org/show_bug.cgi?id=33315
- https://lists.suse.com/pipermail/sle-updates/2024-June/035616.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37568

SRPMS:
- 9/core/python-authlib-1.3.1-1.mga9

Mageia 2024-0238: python-authlib Security Advisory Updates

Authlib before 1.3.1 has algorithm confusion with asymmetric public keys

Summary

Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)

References

- https://bugs.mageia.org/show_bug.cgi?id=33315

- https://lists.suse.com/pipermail/sle-updates/2024-June/035616.html

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37568

Resolution

MGASA-2024-0238 - Updated python-authlib packages fix security vulnerability

SRPMS

- 9/core/python-authlib-1.3.1-1.mga9

Severity
Publication date: 25 Jun 2024
URL: https://advisories.mageia.org/MGASA-2024-0238.html
Type: security
CVE: CVE-2024-37568

Related News

8.Locks HexConnections CodeGlobe Esm H170
2 - 4 min read
Canonical has made headlines with its groundbreaking long-term support (LTS) service offering to extend far beyond Ubuntu deb packages, promising 12
14.Lock Code WorldMap Esm H170
2 - 4 min read
Government agencies are drawing attention to an issue plaguing open-source communities: memory-unsafe languages. A study entitled " Exploring Memory
11.Locks IsometricPattern Esm H170
2 - 3 min read
Cybersecurity threats continue to emerge regularly, and Promon's security team recently identified one such novel threat, Snowblind. This malware
32.Lock Code Circular Esm H170
2 - 4 min read
The Cybersecurity and Infrastructure Security Agency (CISA) recently added a new Linux kernel privilege escalation bug ( CVE-2024-1086 ) to its
6.EmailConnection Touch Esm H170
2 - 3 min read
Recent security updates for Ubuntu and Debian have been released to address vulnerabilities in Thunderbird, the popular open-source mail and
20.Lock AbstractDigital Circular Esm H170
2 - 3 min read
Google has released fixes for a high-severity Chromium security flaw ( CVE-2024-5274 ) impacting its widely used Chrome browser and other
20.Lock AbstractDigital Circular Esm H170
2 - 4 min read
The recent discovery of a backdoor in Linux's xz compression tool has shed light on cybercriminals' ingenious methods of gaining entry and remaining
19.Laptop Bed Esm H170
2 - 4 min read
Wordfence security researchers recently shed light on an infamous supply chain attack that may have affected as many as 36,000 WordPress websites.

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved