Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1371901
Description of problem:
A security issue in python-jwcrypto was found. The jwcrypto implementation of the RSA1_5 algorithm is vulnerable to the Million Message Attack described in RFC 3128. RSA with PKCS1v1.5 is used by Custodia and ipapython.secrets.

Version-Release number of selected component (if applicable):
<= 0.3

Additional info:
Upstream bug report: https://github.com/latchset/jwcrypto/pull/66
Upstream fix: https://github.com/latchset/jwcrypto/pull/66
PR https://github.com/tiran/freeipa/tree/issue6278_rsa_oaep changes FreeIPA's Custodia KEM client to use RSA-OAEP rather than PKCS1v15 padding. The patch should be applied to 4.3, 4.4 and master.
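A receiver-side check that matches the switch described above, as an added example that is not part of the ticket or of FreeIPA, Custodia or jwcrypto: it reads only the protected header of a JWE and refuses `RSA1_5` before any private-key operation runs. It assumes compact serialization; the allow-list, function names and sample tokens are constructed for illustration.

```python
import base64
import json

# Policy assumed for this example: only OAEP-based RSA key wrapping is accepted.
ALLOWED_KEY_ALGS = {"RSA-OAEP", "RSA-OAEP-256"}


class RejectedToken(ValueError):
    """Raised when a token must not be handed to the decryption code."""


def b64url_decode(segment):
    # JOSE uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_jwe_key_alg(token):
    """Return the JWE "alg" value if it is allowed, else raise RejectedToken.

    Only the protected header is parsed, so a token that asks for RSA1_5 is
    refused without giving the sender any PKCS#1 v1.5 padding result to observe.
    """
    parts = token.split(".")
    if len(parts) != 5:
        raise RejectedToken("not a JWE compact serialization (need 5 segments)")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise RejectedToken("unreadable protected header") from exc
    if not isinstance(header, dict):
        raise RejectedToken("protected header is not a JSON object")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_KEY_ALGS:
        raise RejectedToken("key management algorithm %r is not allowed" % (alg,))
    return alg


def constructed_token(alg):
    # Constructed sample: a real header, placeholder bytes in the other segments.
    def enc(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = json.dumps({"alg": alg, "enc": "A256CBC-HS512"}).encode()
    return ".".join(enc(p) for p in (header, b"key", b"iv", b"ct", b"tag"))


if __name__ == "__main__":
    for name in ("RSA-OAEP", "RSA1_5"):
        try:
            print(name, "->", check_jwe_key_alg(constructed_token(name)))
        except RejectedToken as exc:
            print(name, "-> rejected:", exc)
```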
master:
ipa-4-4:
ipa-4-3:
Changing ticket summary to match what was really fixed
Metadata Update from @mbasti: - Issue assigned to cheimes - Issue set to the milestone: FreeIPA 4.3.3