Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1371901
Description of problem:
A security in python-jwcrypto was found. The jwcrypto implementation of the
RSA1_5 algorithm is vulnerable to the Million Message Attack described in RFC
3128. RSA with PKCS1v1.5 is used by Custodia and ipapython.secrets
Version-Release number of selected component (if applicable):
Upstream bug report: https://github.com/latchset/jwcrypto/pull/66
Upstream fix: https://github.com/latchset/jwcrypto/pull/66
PR https://github.com/tiran/freeipa/tree/issue6278_rsa_oaep changes FreeIPA's Custodia KEM client to use RSA-OAEP rather than PKCS1v15 padding. The patch should be applied to 4.3, 4.4 and master.
Changing ticket summary to match what was really fixed
Metadata Update from @mbasti:
- Issue assigned to cheimes
- Issue set to the milestone: FreeIPA 4.3.3
to comment on this ticket.