diff --git a/0001-Improve-asymmetric-key-check-in-CryptographyHMACKey.patch b/0001-Improve-asymmetric-key-check-in-CryptographyHMACKey.patch new file mode 100644 index 0000000000000000000000000000000000000000..25ac2fd54c55e5d731be0fe2c1ae988c0a81d9ae --- /dev/null +++ b/0001-Improve-asymmetric-key-check-in-CryptographyHMACKey.patch @@ -0,0 +1,612 @@ +From 34bd82c43ea31da5b9deaa25ff591905a180bdf7 Mon Sep 17 00:00:00 2001 +From: Daniel Garcia Moreno +Date: Fri, 18 Oct 2024 04:10:47 +0800 +Subject: [PATCH] Improve asymmetric key check in CryptographyHMACKey + +This change should fix https://github.com/mpdavis/python-jose/issues/346 +security issue. + +The code is based on pyjwt change: +https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc +--- + jose/backends/cryptography_backend.py | 10 +- + jose/backends/native.py | 11 +-- + jose/jwt.py | 9 ++ + jose/utils.py | 73 ++++++++++++++ + tests/algorithms/test_HMAC.py | 3 + + tests/test_jwt.py | 131 +++++++++++++++++--------- + 6 files changed, 174 insertions(+), 63 deletions(-) + +diff --git a/jose/backends/cryptography_backend.py b/jose/backends/cryptography_backend.py +index abd2426..839df18 100644 +--- a/jose/backends/cryptography_backend.py ++++ b/jose/backends/cryptography_backend.py +@@ -17,6 +17,7 @@ from cryptography.x509 import load_pem_x509_certificate + from ..constants import ALGORITHMS + from ..exceptions import JWEError, JWKError + from ..utils import base64_to_long, base64url_decode, base64url_encode, ensure_binary, long_to_base64 ++from ..utils import is_pem_format, is_ssh_key + from .base import Key + + _binding = None +@@ -552,14 +553,7 @@ class CryptographyHMACKey(Key): + if isinstance(key, str): + key = key.encode("utf-8") + +- invalid_strings = [ +- b"-----BEGIN PUBLIC KEY-----", +- b"-----BEGIN RSA PUBLIC KEY-----", +- b"-----BEGIN CERTIFICATE-----", +- b"ssh-rsa", +- ] +- +- if any(string_value in key for string_value in invalid_strings): ++ if is_pem_format(key) or is_ssh_key(key): + raise JWKError( + "The specified key is an asymmetric key or x509 certificate and" + " should not be used as an HMAC secret." +diff --git a/jose/backends/native.py b/jose/backends/native.py +index eb3a6ae..67839d9 100644 +--- a/jose/backends/native.py ++++ b/jose/backends/native.py +@@ -6,7 +6,7 @@ from jose.backends.base import Key + from jose.constants import ALGORITHMS + from jose.exceptions import JWKError + from jose.utils import base64url_decode, base64url_encode +- ++from jose.utils import is_pem_format, is_ssh_key + + def get_random_bytes(num_bytes): + return bytes(os.urandom(num_bytes)) +@@ -36,14 +36,7 @@ class HMACKey(Key): + if isinstance(key, str): + key = key.encode("utf-8") + +- invalid_strings = [ +- b"-----BEGIN PUBLIC KEY-----", +- b"-----BEGIN RSA PUBLIC KEY-----", +- b"-----BEGIN CERTIFICATE-----", +- b"ssh-rsa", +- ] +- +- if any(string_value in key for string_value in invalid_strings): ++ if is_pem_format(key) or is_ssh_key(key): + raise JWKError( + "The specified key is an asymmetric key or x509 certificate and" + " should not be used as an HMAC secret." +diff --git a/jose/jwt.py b/jose/jwt.py +index 3f2142e..e88851f 100644 +--- a/jose/jwt.py ++++ b/jose/jwt.py +@@ -138,6 +138,15 @@ def decode(token, key, algorithms=None, options=None, audience=None, issuer=None + + verify_signature = defaults.get("verify_signature", True) + ++ # Forbid the usage of the jwt.decode without alogrightms parameter ++ # See https://github.com/mpdavis/python-jose/issues/346 for more ++ # information CVE-2024-33663 ++ if verify_signature and algorithms is None: ++ raise JWTError("It is required that you pass in a value for " ++ 'the "algorithms" argument when calling ' ++ "decode().") ++ ++ + try: + payload = jws.verify(token, key, algorithms, verify=verify_signature) + except JWSError as e: +diff --git a/jose/utils.py b/jose/utils.py +index fcef885..2da220a 100644 +--- a/jose/utils.py ++++ b/jose/utils.py +@@ -1,3 +1,4 @@ ++import re + import base64 + import struct + +@@ -106,3 +107,75 @@ def ensure_binary(s): + if isinstance(s, str): + return s.encode("utf-8", "strict") + raise TypeError(f"not expecting type '{type(s)}'") ++ ++ ++# Based on https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc ++# Based on https://github.com/hynek/pem/blob/7ad94db26b0bc21d10953f5dbad3acfdfacf57aa/src/pem/_core.py#L224-L252 ++_PEMS = { ++ b"CERTIFICATE", ++ b"TRUSTED CERTIFICATE", ++ b"PRIVATE KEY", ++ b"PUBLIC KEY", ++ b"ENCRYPTED PRIVATE KEY", ++ b"OPENSSH PRIVATE KEY", ++ b"DSA PRIVATE KEY", ++ b"RSA PRIVATE KEY", ++ b"RSA PUBLIC KEY", ++ b"EC PRIVATE KEY", ++ b"DH PARAMETERS", ++ b"NEW CERTIFICATE REQUEST", ++ b"CERTIFICATE REQUEST", ++ b"SSH2 PUBLIC KEY", ++ b"SSH2 ENCRYPTED PRIVATE KEY", ++ b"X509 CRL", ++} ++ ++ ++_PEM_RE = re.compile( ++ b"----[- ]BEGIN (" ++ + b"|".join(_PEMS) ++ + b""")[- ]----\r? ++.+?\r? ++----[- ]END \\1[- ]----\r?\n?""", ++ re.DOTALL, ++) ++ ++ ++def is_pem_format(key): ++ """ ++ Return True if the key is PEM format ++ This function uses the list of valid PEM headers defined in ++ _PEMS dict. ++ """ ++ return bool(_PEM_RE.search(key)) ++ ++ ++# Based on https://github.com/pyca/cryptography/blob/bcb70852d577b3f490f015378c75cba74986297b/src/cryptography/hazmat/primitives/serialization/ssh.py#L40-L46 ++_CERT_SUFFIX = b"-cert-v01@openssh.com" ++_SSH_PUBKEY_RC = re.compile(br"\A(\S+)[ \t]+(\S+)") ++_SSH_KEY_FORMATS = [ ++ b"ssh-ed25519", ++ b"ssh-rsa", ++ b"ssh-dss", ++ b"ecdsa-sha2-nistp256", ++ b"ecdsa-sha2-nistp384", ++ b"ecdsa-sha2-nistp521", ++] ++ ++ ++def is_ssh_key(key): ++ """ ++ Return True if the key is a SSH key ++ This function uses the list of valid SSH key format defined in ++ _SSH_KEY_FORMATS dict. ++ """ ++ if any(string_value in key for string_value in _SSH_KEY_FORMATS): ++ return True ++ ++ ssh_pubkey_match = _SSH_PUBKEY_RC.match(key) ++ if ssh_pubkey_match: ++ key_type = ssh_pubkey_match.group(1) ++ if _CERT_SUFFIX == key_type[-len(_CERT_SUFFIX) :]: ++ return True ++ ++ return False +diff --git a/tests/algorithms/test_HMAC.py b/tests/algorithms/test_HMAC.py +index 2b0859e..15c1cb7 100644 +--- a/tests/algorithms/test_HMAC.py ++++ b/tests/algorithms/test_HMAC.py +@@ -14,14 +14,17 @@ class TestHMACAlgorithm: + + def test_RSA_key(self): + key = "-----BEGIN PUBLIC KEY-----" ++ key += "\n\n\n-----END PUBLIC KEY-----" + with pytest.raises(JOSEError): + HMACKey(key, ALGORITHMS.HS256) + + key = "-----BEGIN RSA PUBLIC KEY-----" ++ key += "\n\n\n-----END RSA PUBLIC KEY-----" + with pytest.raises(JOSEError): + HMACKey(key, ALGORITHMS.HS256) + + key = "-----BEGIN CERTIFICATE-----" ++ key += "\n\n\n-----END CERTIFICATE-----" + with pytest.raises(JOSEError): + HMACKey(key, ALGORITHMS.HS256) + +diff --git a/tests/test_jwt.py b/tests/test_jwt.py +index 2409f1f..6ccf3f9 100644 +--- a/tests/test_jwt.py ++++ b/tests/test_jwt.py +@@ -5,8 +5,8 @@ from datetime import datetime, timedelta + import pytest + + from jose import jws, jwt +-from jose.exceptions import JWTError +- ++from jose.constants import ALGORITHMS ++from jose.exceptions import JWTError, JWKError + + @pytest.fixture + def claims(): +@@ -56,7 +56,7 @@ class TestJWT: + ], + ) + def test_numeric_key(self, key, token): +- token_info = jwt.decode(token, key) ++ token_info = jwt.decode(token, key, algorithms=ALGORITHMS.SUPPORTED) + assert token_info == {"name": "test"} + + def test_invalid_claims_json(self): +@@ -108,7 +108,7 @@ class TestJWT: + + def test_non_default_headers(self, claims, key, headers): + encoded = jwt.encode(claims, key, headers=headers) +- decoded = jwt.decode(encoded, key) ++ decoded = jwt.decode(encoded, key, algorithms=ALGORITHMS.HS256) + assert claims == decoded + all_headers = jwt.get_unverified_headers(encoded) + for k, v in headers.items(): +@@ -161,8 +161,8 @@ class TestJWT: + + token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" ".eyJhIjoiYiJ9" ".jiMyrsmD8AoHWeQgmxZ5yq8z0lXS67_QGs52AzC8Ru8" + +- decoded = jwt.decode(token, key) +- ++ decoded = jwt.decode(token, key, algorithms=ALGORITHMS.SUPPORTED) ++ + assert decoded == claims + + @pytest.mark.parametrize( +@@ -193,7 +193,7 @@ class TestJWT: + options = {"leeway": leeway} + + token = jwt.encode(claims, key) +- jwt.decode(token, key, options=options) ++ jwt.decode(token, key, options=options, algorithms=ALGORITHMS.HS256) + + def test_iat_not_int(self, key): + +@@ -202,7 +202,7 @@ class TestJWT: + token = jwt.encode(claims, key) + + with pytest.raises(JWTError): +- jwt.decode(token, key) ++ jwt.decode(token, key, algorithms=ALGORITHMS.HS256) + + def test_nbf_not_int(self, key): + +@@ -211,7 +211,7 @@ class TestJWT: + token = jwt.encode(claims, key) + + with pytest.raises(JWTError): +- jwt.decode(token, key) ++ jwt.decode(token, key, algorithms=ALGORITHMS.HS256) + + def test_nbf_datetime(self, key): + +@@ -220,7 +220,7 @@ class TestJWT: + claims = {"nbf": nbf} + + token = jwt.encode(claims, key) +- jwt.decode(token, key) ++ jwt.decode(token, key, algorithms=ALGORITHMS.HS256) + + def test_nbf_with_leeway(self, key): + +@@ -233,7 +233,7 @@ class TestJWT: + options = {"leeway": 10} + + token = jwt.encode(claims, key) +- jwt.decode(token, key, options=options) ++ jwt.decode(token, key, options=options, algorithms=ALGORITHMS.HS256) + + def test_nbf_in_future(self, key): + +@@ -244,7 +244,7 @@ class TestJWT: + token = jwt.encode(claims, key) + + with pytest.raises(JWTError): +- jwt.decode(token, key) ++ jwt.decode(token, key, algorithms=ALGORITHMS.HS256) + + def test_nbf_skip(self, key): + +@@ -255,11 +255,11 @@ class TestJWT: + token = jwt.encode(claims, key) + + with pytest.raises(JWTError): +- jwt.decode(token, key) +- ++ jwt.decode(token, key, algorithms=ALGORITHMS.HS256) ++ + options = {"verify_nbf": False} + +- jwt.decode(token, key, options=options) ++ jwt.decode(token, key, options=options, algorithms=ALGORITHMS.HS256) + + def test_exp_not_int(self, key): + +@@ -268,7 +268,7 @@ class TestJWT: + token = jwt.encode(claims, key) + + with pytest.raises(JWTError): +- jwt.decode(token, key) ++ jwt.decode(token, key, algorithms=ALGORITHMS.HS256) + + def test_exp_datetime(self, key): + +@@ -277,7 +277,7 @@ class TestJWT: + claims = {"exp": exp} + + token = jwt.encode(claims, key) +- jwt.decode(token, key) ++ jwt.decode(token, key, algorithms=ALGORITHMS.HS256) + + def test_exp_with_leeway(self, key): + +@@ -290,7 +290,7 @@ class TestJWT: + options = {"leeway": 10} + + token = jwt.encode(claims, key) +- jwt.decode(token, key, options=options) ++ jwt.decode(token, key, options=options, algorithms=ALGORITHMS.HS256) + + def test_exp_in_past(self, key): + +@@ -301,7 +301,7 @@ class TestJWT: + token = jwt.encode(claims, key) + + with pytest.raises(JWTError): +- jwt.decode(token, key) ++ jwt.decode(token, key, algorithms=ALGORITHMS.HS256) + + def test_exp_skip(self, key): + +@@ -312,11 +312,11 @@ class TestJWT: + token = jwt.encode(claims, key) + + with pytest.raises(JWTError): +- jwt.decode(token, key) ++ jwt.decode(token, key, algorithms=ALGORITHMS.HS256) + + options = {"verify_exp": False} + +- jwt.decode(token, key, options=options) ++ jwt.decode(token, key, options=options, algorithms=ALGORITHMS.HS256) + + def test_aud_string(self, key): + +@@ -325,7 +325,7 @@ class TestJWT: + claims = {"aud": aud} + + token = jwt.encode(claims, key) +- jwt.decode(token, key, audience=aud) ++ jwt.decode(token, key, audience=aud, algorithms=ALGORITHMS.HS256) + + def test_aud_list(self, key): + +@@ -334,7 +334,7 @@ class TestJWT: + claims = {"aud": [aud]} + + token = jwt.encode(claims, key) +- jwt.decode(token, key, audience=aud) ++ jwt.decode(token, key, audience=aud, algorithms=ALGORITHMS.HS256) + + def test_aud_list_multiple(self, key): + +@@ -343,7 +343,7 @@ class TestJWT: + claims = {"aud": [aud, "another"]} + + token = jwt.encode(claims, key) +- jwt.decode(token, key, audience=aud) ++ jwt.decode(token, key, audience=aud, algorithms=ALGORITHMS.HS256) + + def test_aud_list_is_strings(self, key): + +@@ -353,7 +353,7 @@ class TestJWT: + + token = jwt.encode(claims, key) + with pytest.raises(JWTError): +- jwt.decode(token, key, audience=aud) ++ jwt.decode(token, key, audience=aud, algorithms=ALGORITHMS.HS256) + + def test_aud_case_sensitive(self, key): + +@@ -363,14 +363,14 @@ class TestJWT: + + token = jwt.encode(claims, key) + with pytest.raises(JWTError): +- jwt.decode(token, key, audience="AUDIENCE") ++ jwt.decode(token, key, audience="AUDIENCE", algorithms=ALGORITHMS.HS256) + + def test_aud_empty_claim(self, claims, key): + + aud = "audience" + + token = jwt.encode(claims, key) +- jwt.decode(token, key, audience=aud) ++ jwt.decode(token, key, audience=aud, algorithms=ALGORITHMS.HS256) + + def test_aud_not_string_or_list(self, key): + +@@ -380,7 +380,7 @@ class TestJWT: + + token = jwt.encode(claims, key) + with pytest.raises(JWTError): +- jwt.decode(token, key) ++ jwt.decode(token, key, algorithms=ALGORITHMS.HS256) + + def test_aud_given_number(self, key): + +@@ -390,7 +390,7 @@ class TestJWT: + + token = jwt.encode(claims, key) + with pytest.raises(JWTError): +- jwt.decode(token, key, audience=1) ++ jwt.decode(token, key, audience=1, algorithms=ALGORITHMS.HS256) + + def test_iss_string(self, key): + +@@ -399,7 +399,7 @@ class TestJWT: + claims = {"iss": iss} + + token = jwt.encode(claims, key) +- jwt.decode(token, key, issuer=iss) ++ jwt.decode(token, key, issuer=iss, algorithms=ALGORITHMS.HS256) + + def test_iss_list(self, key): + +@@ -408,7 +408,7 @@ class TestJWT: + claims = {"iss": iss} + + token = jwt.encode(claims, key) +- jwt.decode(token, key, issuer=["https://issuer", "issuer"]) ++ jwt.decode(token, key, issuer=["https://issuer", "issuer"], algorithms=ALGORITHMS.HS256) + + def test_iss_tuple(self, key): + +@@ -417,7 +417,7 @@ class TestJWT: + claims = {"iss": iss} + + token = jwt.encode(claims, key) +- jwt.decode(token, key, issuer=("https://issuer", "issuer")) ++ jwt.decode(token, key, issuer=("https://issuer", "issuer"), algorithms=ALGORITHMS.HS256) + + def test_iss_invalid(self, key): + +@@ -427,7 +427,7 @@ class TestJWT: + + token = jwt.encode(claims, key) + with pytest.raises(JWTError): +- jwt.decode(token, key, issuer="another") ++ jwt.decode(token, key, issuer="another", algorithms=ALGORITHMS.HS256) + + def test_sub_string(self, key): + +@@ -436,7 +436,7 @@ class TestJWT: + claims = {"sub": sub} + + token = jwt.encode(claims, key) +- jwt.decode(token, key) ++ jwt.decode(token, key, algorithms=ALGORITHMS.HS256) + + def test_sub_invalid(self, key): + +@@ -446,7 +446,7 @@ class TestJWT: + + token = jwt.encode(claims, key) + with pytest.raises(JWTError): +- jwt.decode(token, key) ++ jwt.decode(token, key, algorithms=ALGORITHMS.HS256) + + def test_sub_correct(self, key): + +@@ -455,7 +455,7 @@ class TestJWT: + claims = {"sub": sub} + + token = jwt.encode(claims, key) +- jwt.decode(token, key, subject=sub) ++ jwt.decode(token, key, subject=sub, algorithms=ALGORITHMS.HS256) + + def test_sub_incorrect(self, key): + +@@ -465,7 +465,7 @@ class TestJWT: + + token = jwt.encode(claims, key) + with pytest.raises(JWTError): +- jwt.decode(token, key, subject="another") ++ jwt.decode(token, key, subject="another", algorithms=ALGORITHMS.HS256) + + def test_jti_string(self, key): + +@@ -474,7 +474,7 @@ class TestJWT: + claims = {"jti": jti} + + token = jwt.encode(claims, key) +- jwt.decode(token, key) ++ jwt.decode(token, key, algorithms=ALGORITHMS.HS256) + + def test_jti_invalid(self, key): + +@@ -484,33 +484,33 @@ class TestJWT: + + token = jwt.encode(claims, key) + with pytest.raises(JWTError): +- jwt.decode(token, key) ++ jwt.decode(token, key, algorithms=ALGORITHMS.HS256) + + def test_at_hash(self, claims, key): + access_token = "" + token = jwt.encode(claims, key, access_token=access_token) +- payload = jwt.decode(token, key, access_token=access_token) ++ payload = jwt.decode(token, key, access_token=access_token, algorithms=ALGORITHMS.HS256) + assert "at_hash" in payload + + def test_at_hash_invalid(self, claims, key): + token = jwt.encode(claims, key, access_token="") + with pytest.raises(JWTError): +- jwt.decode(token, key, access_token="") ++ jwt.decode(token, key, access_token="", algorithms=ALGORITHMS.HS256) + + def test_at_hash_missing_access_token(self, claims, key): + token = jwt.encode(claims, key, access_token="") + with pytest.raises(JWTError): +- jwt.decode(token, key) ++ jwt.decode(token, key, algorithms=ALGORITHMS.HS256) + + def test_at_hash_missing_claim(self, claims, key): + token = jwt.encode(claims, key) +- payload = jwt.decode(token, key, access_token="") ++ payload = jwt.decode(token, key, access_token="", algorithms=ALGORITHMS.HS256) + assert "at_hash" not in payload + + def test_at_hash_unable_to_calculate(self, claims, key): + token = jwt.encode(claims, key, access_token="") + with pytest.raises(JWTError): +- jwt.decode(token, key, access_token="\xe2") ++ jwt.decode(token, key, access_token="\xe2", algorithms=ALGORITHMS.HS256) + + def test_bad_claims(self): + bad_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.iOJ5SiNfaNO_pa2J4Umtb3b3zmk5C18-mhTCVNsjnck" +@@ -548,9 +548,48 @@ class TestJWT: + + token = jwt.encode(claims, key) + with pytest.raises(JWTError): +- jwt.decode(token, key, options=options, audience=str(value)) ++ jwt.decode(token, key, options=options, audience=str(value), algorithms=ALGORITHMS.HS256) + + new_claims = dict(claims) + new_claims[claim] = value + token = jwt.encode(new_claims, key) +- jwt.decode(token, key, options=options, audience=str(value)) ++ jwt.decode(token, key, options=options, audience=str(value), algorithms=ALGORITHMS.HS256) ++ ++ def test_CVE_2024_33663(self): ++ """Test based on https://github.com/mpdavis/python-jose/issues/346""" ++ try: ++ from Crypto.PublicKey import ECC ++ from Crypto.Hash import HMAC, SHA256 ++ except ModuleNotFoundError: ++ pytest.skip("pycryptodome module not installed") ++ ++ # ----- SETUP ----- ++ # generate an asymmetric ECC keypair ++ # !! signing should only be possible with the private key !! ++ KEY = ECC.generate(curve='P-256') ++ ++ # PUBLIC KEY, AVAILABLE TO USER ++ # CAN BE RECOVERED THROUGH E.G. PUBKEY RECOVERY WITH TWO SIGNATURES: ++ # https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Public_key_recovery ++ # https://github.com/FlorianPicca/JWT-Key-Recovery ++ PUBKEY = KEY.public_key().export_key(format='OpenSSH').encode() ++ ++ # ---- CLIENT SIDE ----- ++ # without knowing the private key, a valid token can be constructed ++ # YIKES!! ++ ++ b64 = lambda x:base64.urlsafe_b64encode(x).replace(b'=',b'') ++ payload = b64(b'{"alg":"HS256"}') + b'.' + b64(b'{"pwned":true}') ++ hasher = HMAC.new(PUBKEY, digestmod=SHA256) ++ hasher.update(payload) ++ evil_token = payload + b'.' + b64(hasher.digest()) ++ ++ # ---- SERVER SIDE ----- ++ # verify and decode the token using the public key, as is custom ++ # algorithm field is left unspecified ++ # but the library will happily still verify without warning, trusting the user-controlled alg field of the token header ++ with pytest.raises(JWKError): ++ data = jwt.decode(evil_token, PUBKEY, algorithms=ALGORITHMS.HS256) ++ ++ with pytest.raises(JWTError, match='.*required.*"algorithms".*'): ++ data = jwt.decode(evil_token, PUBKEY) +-- +2.43.0 + diff --git a/python-jose.spec b/python-jose.spec index 2de8af34367f817d69c3e8473e1b70fc9d07e948..af0f0c311888ef069603dd525fb9fda7952f5626 100644 --- a/python-jose.spec +++ b/python-jose.spec @@ -1,13 +1,14 @@ %global _empty_manifest_terminate_build 0 Name: python-jose Version: 3.3.0 -Release: 1 +Release: 2 Summary: An implementation of the JOSE draft License: MIT License (MIT) URL: https://github.com/Demonware/jose Source0: https://files.pythonhosted.org/packages/e4/19/b2c86504116dc5f0635d29f802da858404d77d930a25633d2e86a64a35b3/python-jose-3.3.0.tar.gz BuildArch: noarch +Patch0: 0001-Improve-asymmetric-key-check-in-CryptographyHMACKey.patch %description JOSE is a framework intended to provide a method to securely transfer @@ -101,6 +102,12 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Fri Oct 18 2024 wangqiang - 3.3.0-2 +- Type: CVE +- ID: CVE-2024-33663 +- SUG: NA +- DESC: fix CVE-2024-33663 + * Tue Jul 12 2022 wangqiang - 3.3.0-1 - Type: update - ID: NA