Debian Rhonabwy vulnerabilities

3 known vulnerabilities affecting debian/rhonabwy.

Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2

Vulnerabilities

CVE-2024-25714  CRITICAL  CVSS 9.8  2024  fixed in rhonabwy 1.1.13-2 (trixie)
In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side-channel attacks, because it stops the comparison when the first difference is spotted in the two signatures. (The fix uses gnutls_memcmp, which has constant-time execution.)
Scope: local
  bookworm: open
  bullseye: open
  trixie: resolved (fixed in 1.1.13-2)
Source: debian
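The entry describes the classic early-exit comparison leak: strcmp returns as soon as it meets a differing byte, so the verifier's response time grows with the length of the correct prefix, and an attacker who can submit many tokens and time the responses can recover a valid tag byte by byte. The example below is added here to illustrate that property; it is not Rhonabwy code and does not use its API. It re-implements strcmp's loop with a step counter (real strcmp cannot be instrumented, but its running time tracks the same count), puts an OR-accumulating constant-time compare in the style of gnutls_memcmp beside it, and uses a constructed 32-byte tag rather than a real HMAC. It also shows a second hazard of strcmp on binary tags that the CVE text does not mention: a 0x00 byte inside the tag terminates the comparison, so only the bytes before it are ever checked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 32   /* HMAC-SHA256 tag length in bytes */

/* Instrumented re-implementation of strcmp's loop: stop at the first
 * differing byte or at the first 0x00. Returns 0 on "equal" (like strcmp),
 * non-zero otherwise, and stores in *steps how many byte positions were
 * examined. Real strcmp cannot be instrumented, but its running time grows
 * with exactly this count, which is what a timing attacker measures. */
int verify_strcmp(const char *expected, const char *received, size_t *steps)
{
    size_t i = 0;
    while (expected[i] != '\0' && expected[i] == received[i])
        i++;
    *steps = i + 1;
    return (unsigned char)expected[i] != (unsigned char)received[i];
}

/* Constant-time comparison in the style of gnutls_memcmp / CRYPTO_memcmp:
 * every byte is examined and differences are OR-accumulated, so the work
 * done (and *steps) is always len regardless of where a mismatch sits.
 * Returns 0 on match, 1 on mismatch. */
int verify_ct(const uint8_t *expected, const uint8_t *received, size_t len,
              size_t *steps)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(expected[i] ^ received[i]);
    *steps = len;
    return diff != 0;
}

/* Constructed "expected" tag (not a real HMAC): bytes 0x10..0x2f, chosen so
 * that no byte is 0x00 and none equals the 0x5a mask used by make_forgery. */
void make_sample_tag(uint8_t out[TAG_LEN + 1])
{
    for (size_t i = 0; i < TAG_LEN; i++)
        out[i] = (uint8_t)(0x10 + i);
    out[TAG_LEN] = '\0';
}

/* Attacker's guess: agrees with expected on the first `prefix` bytes and
 * differs on every later byte. */
void make_forgery(const uint8_t *expected, uint8_t out[TAG_LEN + 1], size_t prefix)
{
    for (size_t i = 0; i < TAG_LEN; i++)
        out[i] = (i < prefix) ? expected[i] : (uint8_t)(expected[i] ^ 0x5a);
    out[TAG_LEN] = '\0';
}

/* Work done by the strcmp-style check for a forgery sharing `prefix` bytes:
 * grows by one for every correct byte, which is the leak. */
size_t strcmp_steps_for_prefix(size_t prefix)
{
    uint8_t expected[TAG_LEN + 1], forged[TAG_LEN + 1];
    size_t steps;
    make_sample_tag(expected);
    make_forgery(expected, forged, prefix);
    verify_strcmp((const char *)expected, (const char *)forged, &steps);
    return steps;
}

/* Same measurement for the constant-time check: always TAG_LEN. */
size_t ct_steps_for_prefix(size_t prefix)
{
    uint8_t expected[TAG_LEN + 1], forged[TAG_LEN + 1];
    size_t steps;
    make_sample_tag(expected);
    make_forgery(expected, forged, prefix);
    verify_ct(expected, forged, TAG_LEN, &steps);
    return steps;
}

/* Second strcmp hazard on raw binary tags: a 0x00 inside the tag ends the
 * comparison. A forgery correct only up to and including that byte is
 * accepted by the strcmp-style check and rejected by the constant-time one.
 * Returns 1 when exactly that divergence is observed. */
int nul_truncation_demo(int *strcmp_result, int *ct_result)
{
    uint8_t expected[TAG_LEN + 1], forged[TAG_LEN + 1];
    size_t steps;
    make_sample_tag(expected);
    expected[5] = 0x00;                 /* raw MAC bytes can legitimately be 0 */
    make_forgery(expected, forged, 5);  /* bytes 0..4 right, 6..31 wrong */
    forged[5] = 0x00;                   /* attacker only has to hit the 0 */
    *strcmp_result = verify_strcmp((const char *)expected, (const char *)forged, &steps);
    *ct_result = verify_ct(expected, forged, TAG_LEN, &steps);
    return *strcmp_result == 0 && *ct_result != 0;
}

int main(void)
{
    int s, c;
    for (size_t p = 0; p <= TAG_LEN; p += 8)
        printf("prefix %2zu correct: strcmp examined %2zu bytes, constant-time %2zu\n",
               p, strcmp_steps_for_prefix(p), ct_steps_for_prefix(p));
    nul_truncation_demo(&s, &c);
    printf("tag with embedded 0x00: strcmp %s, constant-time %s\n",
           s == 0 ? "ACCEPTS forgery" : "rejects", c == 0 ? "accepts" : "rejects forgery");
    return 0;
}
```

The CVSS 9.8 shown is the generic base score. In practice the attack needs an online oracle that accepts attacker-chosen signatures over a fixed message and a timing difference that survives network jitter, so per-byte recovery typically takes many thousands of measured requests; the fix is still the right one, because the comparison should never have been data-dependent in the first place.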
CVE-2022-38493  HIGH  CVSS 7.5  2022  fixed in rhonabwy 1.1.7-1 (bookworm)
Rhonabwy 0.9.99 through 1.1.x before 1.1.7 doesn't check the RSA private key length before RSA-OAEP decryption. This allows attackers to cause a Denial of Service via a crafted JWE (JSON Web Encryption) token.
Scope: local
  bookworm: resolved (fixed in 1.1.7-1)
  bullseye: resolved
  trixie: resolved (fixed in 1.1.7-1)
Source: debian
CVE-2022-32096  HIGH  CVSS 7.5  2022  fixed in rhonabwy 1.1.5-1 (bookworm)
Rhonabwy before v1.1.5 was discovered to contain a buffer overflow via the component r_jwe_aesgcm_key_unwrap. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted JWE token.
Scope: local
  bookworm: resolved (fixed in 1.1.5-1)
  bullseye: resolved (fixed in 0.9.13-3+deb11u2)
  trixie: resolved (fixed in 1.1.5-1)
Source: debian
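Both 2022 entries are the same class of bug: a crafted JWE reaches a key-unwrap routine with an input whose size was never validated against the key or buffer it is about to be used with. The entries do not say which field overflowed or what the patches check, so the example below is an added illustration of the pre-flight length checks a JWE consumer should run before handing the encrypted_key to RSA-OAEP decryption or AES-GCM key unwrap; it is not Rhonabwy's code or its fix. The bounds come from RFC 8017 §7.1.2 (the OAEP ciphertext must be exactly the modulus length k, and k must be at least 2*hLen + 2) and RFC 7518 (CEK size per "enc", 96-bit IV and 128-bit tag for the AxxxGCMKW algorithms, KEK size per "alg"). The field lengths fed in are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded length of an unpadded base64url string of n characters (RFC 7515
 * appendix C). Returns 0 and leaves *out untouched when n cannot be a valid
 * encoding (n % 4 == 1), so sizes can be checked before any decoding. */
int b64url_decoded_len(size_t n, size_t *out)
{
    size_t rem = n % 4;
    if (rem == 1) return 0;
    *out = (n / 4) * 3 + (rem == 2 ? 1 : rem == 3 ? 2 : 0);
    return 1;
}

/* CEK length in bytes for the "enc" values of RFC 7518 §5.1, or 0 if unknown.
 * (strcmp on public header strings is fine; it is secrets such as MAC tags
 * that must never be compared with it.) */
size_t cek_len_for_enc(const char *enc)
{
    static const struct { const char *name; size_t len; } t[] = {
        {"A128GCM", 16}, {"A192GCM", 24}, {"A256GCM", 32},
        {"A128CBC-HS256", 32}, {"A192CBC-HS384", 48}, {"A256CBC-HS512", 64},
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        if (strcmp(enc, t[i].name) == 0) return t[i].len;
    return 0;
}

/* Hash length used by OAEP for the JWE "alg" (RFC 7518 §4.3):
 * RSA-OAEP -> SHA-1 (20), RSA-OAEP-256 -> SHA-256 (32); 0 if unknown. */
size_t oaep_hlen_for_alg(const char *alg)
{
    if (strcmp(alg, "RSA-OAEP") == 0) return 20;
    if (strcmp(alg, "RSA-OAEP-256") == 0) return 32;
    return 0;
}

/* RFC 8017 §7.1.2 step 1, run before the private key is used at all:
 * the modulus (k bytes) must accommodate the OAEP padding, and the
 * ciphertext (the JWE encrypted_key) must be exactly k bytes. */
int rsa_oaep_precheck(const char *alg, size_t modulus_len, size_t encrypted_key_len)
{
    size_t hlen = oaep_hlen_for_alg(alg);
    if (hlen == 0) return 0;
    if (modulus_len < 2 * hlen + 2) return 0;       /* key too short for this hash */
    if (encrypted_key_len != modulus_len) return 0; /* wrong-size ciphertext */
    return 1;
}

/* AES GCM key wrap (RFC 7518 §4.7): KEK size fixed by alg, 96-bit IV and
 * 128-bit tag carried in the header, encrypted_key the same length as the
 * CEK the "enc" requires. Anything else is rejected before unwrapping,
 * so a fixed-size CEK buffer can never be overrun by an oversized encrypted_key. */
int aesgcm_kw_precheck(const char *alg, const char *enc, size_t kek_len,
                       size_t iv_len, size_t tag_len, size_t encrypted_key_len)
{
    size_t want_kek = 0;
    if (strcmp(alg, "A128GCMKW") == 0) want_kek = 16;
    else if (strcmp(alg, "A192GCMKW") == 0) want_kek = 24;
    else if (strcmp(alg, "A256GCMKW") == 0) want_kek = 32;
    if (want_kek == 0 || kek_len != want_kek) return 0;
    if (iv_len != 12 || tag_len != 16) return 0;
    size_t cek_len = cek_len_for_enc(enc);
    if (cek_len == 0 || encrypted_key_len != cek_len) return 0;
    return 1;
}

/* Convenience: check an AES-GCM-KW JWE straight from the base64url field
 * lengths, as a parser would before decoding anything. */
int aesgcm_kw_precheck_b64(const char *alg, const char *enc, size_t kek_len,
                           size_t iv_chars, size_t tag_chars, size_t ek_chars)
{
    size_t iv, tag, ek;
    if (!b64url_decoded_len(iv_chars, &iv) || !b64url_decoded_len(tag_chars, &tag) ||
        !b64url_decoded_len(ek_chars, &ek))
        return 0;
    return aesgcm_kw_precheck(alg, enc, kek_len, iv, tag, ek);
}

int main(void)
{
    /* Constructed field sizes: a well-formed A256GCMKW/A256GCM token has a
     * 43-char encrypted_key (32 bytes), 16-char iv (12) and 22-char tag (16);
     * 5462 chars decode to a 4096-byte encrypted_key, which must be refused. */
    printf("A256GCMKW well-formed: %d\n",
           aesgcm_kw_precheck_b64("A256GCMKW", "A256GCM", 32, 16, 22, 43));
    printf("A256GCMKW 4 KiB encrypted_key: %d\n",
           aesgcm_kw_precheck_b64("A256GCMKW", "A256GCM", 32, 16, 22, 5462));
    /* A 2048-bit key passes for RSA-OAEP-256; a 512-bit key cannot carry
     * OAEP/SHA-256 padding (2*32+2 = 66 > 64) and is refused before decryption. */
    printf("RSA-OAEP-256 k=256: %d, k=64: %d\n",
           rsa_oaep_precheck("RSA-OAEP-256", 256, 256),
           rsa_oaep_precheck("RSA-OAEP-256", 64, 64));
    return 0;
}
```

These checks are cheap and run on attacker-controlled input before any private-key or AEAD operation, which is the point: a JWE library should reject a token for a size mismatch in its own code rather than let the crypto primitive discover the problem by reading or writing past a buffer.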