Your message dated Mon, 25 Sep 2017 05:20:00 +0000
with message-id <e1dwlog-000ini...@fasolo.debian.org>
and subject line Bug#873244: fixed in pyjwt 1.4.2-1.1
has caused the Debian Bug report #873244,
regarding pyjwt: CVE-2017-11424: Incorrect handling of PEM-encoded public keys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
873244: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873244
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pyjwt
Version: 1.4.2-1
Severity: important
Tags: security patch upstream
Forwarded: https://github.com/jpadilla/pyjwt/pull/277
Control: found -1 0.2.1-1+deb8u1

Hi,

the following vulnerability was published for pyjwt.

CVE-2017-11424[0]:
| In PyJWT 1.5.0 and below the `invalid_strings` check in
| `HMACAlgorithm.prepare_key` does not account for all PEM encoded
| public keys. Specifically, the PKCS1 PEM encoded format would be
| allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC
| KEY-----` which is not accounted for. This enables
| symmetric/asymmetric key confusion attacks against users using the
| PKCS1 PEM encoded public keys, which would allow an attacker to craft
| JWTs from scratch.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11424
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11424

Please adjust the affected versions in the BTS as needed. I think this
should be present as well in 0.2.1-1+deb8u1.

Regards,
Salvatore

--- End Message ---
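As an added example (not PyJWT's own code and not the Debian patch), this is a stand-alone model of the `HMACAlgorithm.prepare_key` guard the advisory describes: the pre-fix marker list, whose contents beyond what the advisory states are an assumption, lets a PKCS1 `-----BEGIN RSA PUBLIC KEY-----` header through, the hardened list rejects it, and a pattern-based variant goes beyond the fix by refusing any PEM public-key or certificate armor and OpenSSH public-key prefixes. The sample keys are constructed placeholders, not real key material.

```python
import re


class InvalidKeyError(ValueError):
    """Raised when public key material is offered as an HMAC secret."""


# Markers rejected before the fix (assumed from the advisory; the PKCS1 header is missing).
INVALID_STRINGS_BEFORE = [b"-----BEGIN PUBLIC KEY-----", b"-----BEGIN CERTIFICATE-----", b"ssh-rsa"]
# Hardened list: adds the PKCS1 PEM header named in CVE-2017-11424.
INVALID_STRINGS_AFTER = INVALID_STRINGS_BEFORE + [b"-----BEGIN RSA PUBLIC KEY-----"]

# Pattern-based variant (goes beyond the upstream fix): any PEM armor whose label ends in
# PUBLIC KEY or CERTIFICATE, plus OpenSSH public-key type prefixes, is refused.
_PEM_PUBLIC_RE = re.compile(rb"-----BEGIN [A-Z0-9 ]*(PUBLIC KEY|CERTIFICATE)-----")
_OPENSSH_PREFIXES = (b"ssh-rsa", b"ssh-ed25519", b"ssh-dss", b"ecdsa-sha2-")


def _force_bytes(key):
    return key.encode("utf-8") if isinstance(key, str) else bytes(key)


def prepare_hmac_key(key, invalid_strings=INVALID_STRINGS_AFTER):
    """Return the key as bytes, or raise if it matches a known public-key marker."""
    key = _force_bytes(key)
    if any(marker in key for marker in invalid_strings):
        raise InvalidKeyError("asymmetric key or certificate must not be used as an HMAC secret")
    return key


def looks_like_public_material(key):
    """Pattern-based check: True for any PEM public key/certificate or OpenSSH public key."""
    key = _force_bytes(key)
    return bool(_PEM_PUBLIC_RE.search(key)) or key.lstrip().startswith(_OPENSSH_PREFIXES)


def is_rejected(key, invalid_strings):
    """True if prepare_hmac_key refuses the key under the given marker list."""
    try:
        prepare_hmac_key(key, invalid_strings)
    except InvalidKeyError:
        return True
    return False


# Constructed inputs: only the armor headers matter to the check, the bodies are placeholders.
PKCS1_PUBLIC_KEY = b"-----BEGIN RSA PUBLIC KEY-----\nMIIB...constructed...\n-----END RSA PUBLIC KEY-----\n"
SPKI_PUBLIC_KEY = b"-----BEGIN PUBLIC KEY-----\nMIIB...constructed...\n-----END PUBLIC KEY-----\n"
HMAC_SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    print("PKCS1 rejected before fix:", is_rejected(PKCS1_PUBLIC_KEY, INVALID_STRINGS_BEFORE))  # False
    print("PKCS1 rejected after fix: ", is_rejected(PKCS1_PUBLIC_KEY, INVALID_STRINGS_AFTER))   # True
```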
--- Begin Message ---
Source: pyjwt
Source-Version: 1.4.2-1.1

We believe that the bug you reported is fixed in the latest version of
pyjwt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated pyjwt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 16 Sep 2017 14:49:38 +0200
Source: pyjwt
Binary: python-jwt python3-jwt
Architecture: source
Version: 1.4.2-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
 python-jwt - Python implementation of JSON Web Token
 python3-jwt - Python 3 implementation of JSON Web Token
Closes: 873244
Changes:
 pyjwt (1.4.2-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Throw if key is a PKCS1 PEM-encoded public key (CVE-2017-11424)
     (Closes: #873244)

--- End Message ---
_______________________________________________
Python-modules-team mailing list
Python-modules-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team