Your message dated Mon, 11 Jul 2022 15:34:17 +0000
with message-id <e1oavqp-000e9g...@fasolo.debian.org>
and subject line Bug#1011747: fixed in pyjwt 2.4.0-1
has caused the Debian Bug report #1011747,
regarding pyjwt: CVE-2022-29217 - Key confusion through non-blocklisted public key formats
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1011747: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011747
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pyjwt
Version: 2.3.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: codeh...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for pyjwt.

CVE-2022-29217[0]:
| PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple
| different JWT signing algorithms. With JWT, an attacker submitting the
| JWT token can choose the used signing algorithm. The PyJWT library
| requires that the application chooses what algorithms are supported.
| The application can specify `jwt.algorithms.get_default_algorithms()`
| to get support for all algorithms, or specify a single algorithm. The
| issue is not that big as
| `algorithms=jwt.algorithms.get_default_algorithms()` has to be used.
| Users should upgrade to v2.4.0 to receive a patch for this issue. As a
| workaround, always be explicit with the algorithms that are accepted
| and expected when decoding.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-29217
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29217

Please adjust the affected versions in the BTS as needed.




-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.17.0-2-amd64 (SMP w/6 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
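The workaround the CVE text gives (be explicit about the accepted algorithm instead of letting the token's header choose it) and the class of check the 2.4.0 fix adds (refuse public key material as an HMAC secret), as an added example that is not part of the bug report or of PyJWT's own code. It uses only the standard library; the key-format markers and all function names are this example's assumptions.

```python
import base64
import hashlib
import hmac
import json

# Markers of asymmetric key material (PEM blocks and OpenSSH key types).
# Constructed for this example, modelled on the "blocklisted public key
# formats" the CVE text refers to; not copied from PyJWT.
PUBLIC_KEY_MARKERS = ("-----BEGIN ", "ssh-rsa ", "ssh-ed25519 ", "ecdsa-sha2-")


class InvalidKeyError(ValueError):
    """Raised when public/private key material is offered as an HMAC secret."""


def assert_hmac_secret(key: str) -> None:
    # An HMAC secret must be a shared secret; anything shaped like PEM or
    # OpenSSH key material is rejected before it can ever verify a token.
    if key.lstrip().startswith(PUBLIC_KEY_MARKERS):
        raise InvalidKeyError("asymmetric key material cannot be an HMAC secret")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: str) -> str:
    assert_hmac_secret(key)
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: str) -> dict:
    # The header's alg is compared with the one expected here, never used to
    # pick a verifier: that is the "be explicit with the algorithms" rule.
    assert_hmac_secret(key)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("token alg is not the expected HS256")
    expected = hmac.new(key.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p64))
```

Real deployments should keep using PyJWT 2.4.0 or later with an explicit `algorithms=[...]` list; this block only makes the two checks visible.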
--- Begin Message ---
Source: pyjwt
Source-Version: 2.4.0-1
Done: Daniele Tricoli <er...@debian.org>

We believe that the bug you reported is fixed in the latest version of
pyjwt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1011...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniele Tricoli <er...@debian.org> (supplier of updated pyjwt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Mon, 11 Jul 2022 17:16:24 +0200
Source: pyjwt
Architecture: source
Version: 2.4.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Daniele Tricoli <er...@debian.org>
Closes: 1011747
Changes:
 pyjwt (2.4.0-1) unstable; urgency=medium
 .
   * New upstream version 2.4.0
     - Fixes CVE-2022-29217 (Closes: #1011747)
   * Enable salsa pipelines.
   * Fix typo on debian/NEWS.
   * debian/control
     - Bump Standards-Version to 4.6.1 (no changes needed).
   * debian/copyright
     - Update copyright years.


--- End Message ---
