Skip to content

Releases: web-token/jwt-framework

4.1.7

Choose a tag to compare

@Spomky Spomky released this 06 Jun 18:19
a63c552

Release Notes for 4.1.7

Security patch release (4.1.x).

Brings the security fixes up from 4.0.x (#655):

  • PBES2-HS*+A*KW — bounded p2c (PBKDF2 iteration count) to prevent a CPU-amplification denial of service. (GHSA-3prj-6hqw-cm82)
  • ChaCha20-Poly1305 key encryption — Poly1305 authentication tag now emitted and verified. (GHSA-6vvh-pxr4-25r7)
  • RSA1_5 — constant-time implicit rejection (Bleichenbacher mitigation). (GHSA-5739-39v2-5754)
  • JWSalg read only from the integrity-protected header (algorithm-confusion mitigation). (GHSA-jc38-x7x8-2xc8)

4.0.7

Choose a tag to compare

@Spomky Spomky released this 06 Jun 18:08
9d87800

Release Notes for 4.0.7

Security patch release (4.0.x).

Brings the security fixes up from 3.4.x (#652):

  • PBES2-HS*+A*KW — bounded p2c (PBKDF2 iteration count) to prevent a CPU-amplification denial of service. (GHSA-3prj-6hqw-cm82)
  • ChaCha20-Poly1305 key encryption — Poly1305 authentication tag now emitted and verified. (GHSA-6vvh-pxr4-25r7)
  • RSA1_5 — constant-time implicit rejection (Bleichenbacher mitigation). (GHSA-5739-39v2-5754)
  • JWSalg read only from the integrity-protected header (algorithm-confusion mitigation). (GHSA-jc38-x7x8-2xc8)

Also included:

3.4.10

Choose a tag to compare

@Spomky Spomky released this 06 Jun 16:33
1e231cb

Release Notes for 3.4.10

Security patch release.

This release addresses four security issues in the JOSE implementation:

  • PBES2-HS*+A*KW — the p2c (PBKDF2 iteration count) is now bounded (configurable) to prevent a CPU-amplification denial of service. (GHSA-3prj-6hqw-cm82)
  • ChaCha20-Poly1305 key encryption — the Poly1305 authentication tag is now emitted and verified; tampered tokens are rejected. (GHSA-6vvh-pxr4-25r7)
  • RSA1_5 — PKCS#1 v1.5 decryption now uses constant-time implicit rejection, mitigating Bleichenbacher-style padding oracles. (GHSA-5739-39v2-5754)
  • JWS — the alg parameter is read only from the integrity-protected header, preventing algorithm-confusion attacks. (GHSA-jc38-x7x8-2xc8)

Note: 3.4.10 ships the fixes; the accompanying test-suite update is included in 3.4.11.

4.1.6

Choose a tag to compare

@Spomky Spomky released this 14 Apr 07:44
d126963

Release Notes for 4.1.6

4.1.x bugfix release (patch)

  • Fix brick/math version in the library

4.1.6

  • Total issues resolved: 1
  • Total pull requests resolved: 0
  • Total contributors: 0

4.1.5

Choose a tag to compare

@Spomky Spomky released this 14 Apr 07:35
46b7f7e

Release Notes for 4.1.5

4.1.x bugfix release (patch)

4.1.5

  • Total issues resolved: 0
  • Total pull requests resolved: 0
  • Total contributors: 0

4.1.4

Choose a tag to compare

@Spomky Spomky released this 30 Mar 07:43
46b7f7e

Release Notes for 4.1.4

4.1.x bugfix release (patch)

4.1.4

  • Total issues resolved: 0
  • Total pull requests resolved: 1
  • Total contributors: 1

Dependencies

4.1.3

Choose a tag to compare

@Spomky Spomky released this 18 Dec 14:28
5a58101

Release Notes for 4.1.3

4.1.x bugfix release (patch)

4.1.3

4.1.2

Choose a tag to compare

@Spomky Spomky released this 17 Nov 21:17
76b5184

Release Notes for 4.1.2

4.1.x bugfix release (patch)

4.1.2

  • Total issues resolved: 0
  • Total pull requests resolved: 0
  • Total contributors: 0

4.1.1

Choose a tag to compare

@Spomky Spomky released this 17 Nov 20:53
afee4ad

Release Notes for 4.1.1

4.1.x bugfix release (patch)

4.1.1

  • Total issues resolved: 1
  • Total pull requests resolved: 2
  • Total contributors: 2

bug

3.4.9

Choose a tag to compare

@Spomky Spomky released this 17 Nov 20:21
112045d

Release Notes for 3.4.9

3.4.x bugfix release (patch)

3.4.9

  • Total issues resolved: 0
  • Total pull requests resolved: 1
  • Total contributors: 1

enhancement