CVE-2016-6298

Bug #1717356 reported by Brian Morton on 2017-09-14
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-jwcrypto (Ubuntu)
Undecided
Brian Morton

Bug Description

The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA).

https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6298.html

CVE References

Brian Morton (rokclimb15) wrote :

17.04 and 17.10 are not affected since they publish the fixed version 0.3.2. 16.04 appears to be affected, but the code is significantly different. I've requested info from the source project owner to test my proposed patch for 16.04.

information type: Private Security → Public Security
Changed in python-jwcrypto (Ubuntu):
assignee: nobody → Brian Morton (rokclimb15)
status: New → In Progress
description: updated
description: updated
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers