chore(deps): [security] bump jose from 1.27.2 to 1.28.1

[dependabot-preview]

Bumps jose from 1.27.2 to 1.28.1. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Padding Oracle Attack due to Observable Timing Discrepancy in jose jose is an npm library providing a number of cryptographic operations.

Impact

AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed JWEDecryptionFailed would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block).

Patches

All major release versions have had a patch released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are ^1.28.1 || ^2.0.5 || >=3.11.4.

Users should upgrade their v1.x dependency to ^1.28.1, their v2.x dependency to ^2.0.5, and their v3.x dependency to ^3.11.4

Credits

Thanks to Morgan Brown of Microsoft for bringing this up and Eva Sarafianou (@​esarafianou) for helping to score this advisory.

Affected versions: >= 1.0.0 < 1.28.1

Release notes

Sourced from jose's releases.

v1.28.1

Bug Fixes

• defer AES CBC w/ HMAC decryption after tag verification passes (08e1bc5), fixes CVE-2021-29443

v1.28.0

Features

• support for validating issuer from a list of values (#91) (ce6836a)

v1.27.3

Bug Fixes

• do not mutate unencoded payload when signing for multiple parties (1695423), closes #89
• ensure "b64" is the same for all recipients edge cases (d56ec9f)

Changelog

Sourced from jose's changelog.

1.28.1 (2021-04-09)

Bug Fixes

• defer AES CBC w/ HMAC decryption after tag verification passes (08e1bc5)

1.28.0 (2020-08-10)

Features

• support for validating issuer from a list of values (#91) (ce6836a)

1.27.3 (2020-08-04)

Bug Fixes

• do not mutate unencoded payload when signing for multiple parties (1695423), closes #89
• ensure "b64" is the same for all recipients edge cases (d56ec9f)

Commits

• 51e0d8b chore(release): 1.28.1
• 08e1bc5 fix: defer AES CBC w/ HMAC decryption after tag verification passes
• 9a8404a chore(release): 1.28.0
• eb482a8 style: lib/jwe/encrypt.js
• e0a2d57 refactor: sign.js PROCESS_RECIPIENT
• ce6836a feat: support for validating issuer from a list of values (#91)
• db6254e ci: improve CI runtime
• 1a4a68f chore(release): 1.27.3
• d56ec9f fix: ensure "b64" is the same for all recipients edge cases
• 1695423 fix: do not mutate unencoded payload when signing for multiple parties
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)