CVE-2016-6298
Bug #1717356 reported by
Brian Morton
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| python-jwcrypto (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Xenial |
New
|
Undecided
|
Brian Morton | ||
Bug Description
The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA).
https:/
CVE References
Revision history for this message
| Brian Morton (rokclimb15) wrote | #1 |
| information type: | Private Security → Public Security |
| Changed in python-jwcrypto (Ubuntu): | |
| assignee: | nobody → Brian Morton (rokclimb15) |
| status: | New → In Progress |
| description: | updated |
| description: | updated |
Revision history for this message
| Brian Morton (rokclimb15) wrote | #2 |
Revision history for this message
| Simon Quigley (tsimonq2) wrote | #3 |
| Changed in python-jwcrypto (Ubuntu Xenial): | |
| assignee: | nobody → Brian Morton (rokclimb15) |
| Changed in python-jwcrypto (Ubuntu): | |
| status: | In Progress → Fix Released |
| assignee: | Brian Morton (rokclimb15) → nobody |
To post a comment you must log in.
17.04 and 17.10 are not affected since they publish the fixed version 0.3.2. 16.04 appears to be affected, but the code is significantly different. I've requested info from the source project owner to test my proposed patch for 16.04.