We just released a very important security fix for namshi/jose, our open-source, lightweight implementation of JWS (JSON Web Signature) in PHP.
The issue: any JWS token was accepted as valid if the algorithm specified in its header was 'none' (with a lower-case 'n'). In other words, a verifier trusted the untrusted header to tell it whether a signature had to be checked at all, so a token with `alg: none` and an arbitrary payload passed verification without any key. Here you can find the fix
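To make the bug class concrete, here is an added, self-contained Python illustration. It is not namshi/jose's code and not the actual patch; it is a minimal HS256 verifier that short-circuits on the literal string `"none"`, next to a hardened one that pins the algorithm the server expects. The key, payloads and function names are made up for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Legitimate token: header.payload.HMAC-SHA256(header.payload)."""
    signing_input = _encode_part({"alg": "HS256", "typ": "JWT"}) + "." + _encode_part(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_unsigned(payload: dict, alg: str = "none") -> str:
    """Attacker-built token: no key needed, signature part left empty."""
    return _encode_part({"alg": alg, "typ": "JWT"}) + "." + _encode_part(payload) + "."


def _split(token: str):
    header_b64, payload_b64, sig_b64 = token.split(".")
    return header_b64, payload_b64, sig_b64, json.loads(b64url_decode(header_b64))


def _hmac_ok(key: bytes, header_b64: str, payload_b64: str, sig_b64: str) -> bool:
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def verify_vulnerable(token: str, key: bytes):
    """The bug class described in the post (hypothetical re-creation): the algorithm
    is read from the untrusted header, and the exact string "none" means "nothing
    to check". Returns the payload if the token is accepted, else None."""
    header_b64, payload_b64, sig_b64, header = _split(token)
    alg = header.get("alg")
    if alg == "none":
        return json.loads(b64url_decode(payload_b64))
    if alg == "HS256" and _hmac_ok(key, header_b64, payload_b64, sig_b64):
        return json.loads(b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, key: bytes, expected_alg: str = "HS256"):
    """The verifier decides the algorithm; the header only has to agree with it.
    "none" is never acceptable for a token that is supposed to be signed."""
    header_b64, payload_b64, sig_b64, header = _split(token)
    if expected_alg == "none" or header.get("alg") != expected_alg:
        return None
    if expected_alg == "HS256" and _hmac_ok(key, header_b64, payload_b64, sig_b64):
        return json.loads(b64url_decode(payload_b64))
    return None


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    key = b"server-side-hmac-secret"
    genuine = sign_hs256({"sub": "alice", "admin": False}, key)
    forged = forge_unsigned({"sub": "alice", "admin": True})
    print("vulnerable accepts forgery:", verify_vulnerable(forged, key) is not None)
    print("hardened accepts forgery:  ", verify_hardened(forged, key) is not None)
    print("hardened accepts genuine:  ", verify_hardened(genuine, key) is not None)
```

The takeaway for callers of any JWS library, this one included: pass the algorithm you expect to the verification call rather than letting the token choose, and treat `none` as a rejection, not as a valid algorithm.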
Besides the original 2.x line, there are three main release lines:
- 3.x (adds phpseclib support alongside the existing OpenSSL implementation)
- 4.x (adds the ability to set custom properties in the header)
- 5.x (fixes the HMAC signature so that it can be verified by other HMAC-compliant libraries)
We strongly suggest updating to the patched release of whichever line you are on (2.2.2, 3.0.1, 4.0.1 or 5.0.1).
On a side note, thanks to everyone who contributed to this library, especially:
- Simon Maxwell-Stewart
- Michael Irwin
- Florent Morselli
- Grégoire Paris
- Brian J. Miller
- Sean Tymon
- Callum Macrae
<3 opensource, <3 github