[Python-modules-team] Bug#873244: pyjwt: CVE-2017-11424: Incorrect handling of PEM-encoded public keys

2017-08-31 Thread Salvatore Bonaccorso
Control: notfound -1 0.2.1-1+deb8u1

Hi

On Fri, Aug 25, 2017 at 08:59:33PM +0200, Salvatore Bonaccorso wrote:
> Please adjust the affected versions in the BTS as needed. I think this
> should be present as well in 0.2.1-1+deb8u1.

Whilst the test is missing as well in 0.2.1-1+deb8u1, pyjwt in Jessie
would probably not work as expected in this regard.

I'm removing the found version for 0.2.1-1+deb8u1 for now.

Regards,
Salvatore

___
Python-modules-team mailing list
Python-modules-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team


[Python-modules-team] Processed: Re: Bug#873244: pyjwt: CVE-2017-11424: Incorrect handling of PEM-encoded public keys

2017-08-31 Thread Debian Bug Tracking System
Processing control commands:

> notfound -1 0.2.1-1+deb8u1
Bug #873244 [src:pyjwt] pyjwt: CVE-2017-11424: Incorrect handling of 
PEM-encoded public keys
No longer marked as found in versions pyjwt/0.2.1-1+deb8u1.

-- 
873244: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873244
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



[Python-modules-team] Bug#873815: pyjwt: PyJWT vulnerability for some keys

2017-08-31 Thread Leonidas S. Barbosa
Package: pyjwt
Version: 1.4.2-1
Severity: important
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu artful ubuntu-patch

Dear Maintainer,

Upstream has already fixed that issue; here is the debdiff that was applied in
order to fix this.


  * SECURITY UPDATE: symmetric/asymmetric key confusion attacks
    - debian/patches/CVE-2017-11424.patch: Throw if key is a PKCS1
      PEM-encoded public key in jwt/algorithms.py, jwt/api_jws.py,
      jwt/api_jwt.py, tests/keys/testkey_pkcs1.pub.pem,
      tests/test_algorithms.py, tests/test_api_jws.py, tests/test_api_jwt.py.
    - CVE-2017-11424


Thanks for considering the patch.



-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 
'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-32-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru pyjwt-1.4.2/debian/files pyjwt-1.4.2/debian/files
--- pyjwt-1.4.2/debian/files	1969-12-31 21:00:00.0 -0300
+++ pyjwt-1.4.2/debian/files	2017-08-30 11:51:30.0 -0300
@@ -0,0 +1 @@
+pyjwt_1.4.2-1ubuntu1_source.buildinfo python optional
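Review bot: debian/files should not be part of the debdiff; it is a build artifact written by dpkg-gencontrol and removed by dh_clean, and shipping it in the source package adds noise and can leave a stale entry behind. Drop this hunk from the debdiff.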
diff -Nru pyjwt-1.4.2/debian/patches/CVE-2017-11424.patch pyjwt-1.4.2/debian/patches/CVE-2017-11424.patch
--- pyjwt-1.4.2/debian/patches/CVE-2017-11424.patch	1969-12-31 21:00:00.0 -0300
+++ pyjwt-1.4.2/debian/patches/CVE-2017-11424.patch	2017-08-29 11:40:17.0 -0300
@@ -0,0 +1,139 @@
+From 1922f0972b065077404c0dafa0946f2132400a2b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Padilla?= 
+Date: Wed, 21 Jun 2017 15:49:41 -0400
+Subject: [PATCH 1/3] Throw if key is an PKCS1 PEM-encoded public key
+
+---
+ jwt/algorithms.py|  1 +
+ jwt/api_jws.py   |  9 +
+ jwt/api_jwt.py   |  9 +
+ tests/keys/testkey_pkcs1.pub.pem |  5 +
+ tests/test_algorithms.py |  7 +++
+ tests/test_api_jws.py| 10 ++
+ tests/test_api_jwt.py| 10 ++
+ 7 files changed, 51 insertions(+)
+ create mode 100644 tests/keys/testkey_pkcs1.pub.pem
+
+diff --git a/jwt/algorithms.py b/jwt/algorithms.py
+index 51e8f16..fd9c3ac 100644
+--- a/jwt/algorithms.py
 b/jwt/algorithms.py
+@@ -121,6 +121,7 @@ class HMACAlgorithm(Algorithm):
+ invalid_strings = [
+ b'-BEGIN PUBLIC KEY-',
+ b'-BEGIN CERTIFICATE-',
++b'-BEGIN RSA PUBLIC KEY-',
+ b'ssh-rsa'
+ ]
+ 
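Review bot: the change extends a substring denylist in HMACAlgorithm.prepare_key rather than checking the key's structure, so it closes exactly the header named in CVE-2017-11424 (the PKCS#1 RSA PUBLIC KEY form) and nothing more; any public-key serialization not listed here still passes. That is acceptable as the minimal upstream fix, but the changelog should say so, and the mitigation that actually stops key confusion is the caller pinning `algorithms` in decode(), which the api_jws.py and api_jwt.py parts of this patch only warn about. The subject line also says "PATCH 1/3": please confirm the other two commits of the upstream series are not needed for the CVE fix.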
+diff --git a/jwt/api_jws.py b/jwt/api_jws.py
+index 177f5ff..a91137c 100644
+--- a/jwt/api_jws.py
 b/jwt/api_jws.py
+@@ -107,6 +107,15 @@ class PyJWS(object):
+ 
+ def decode(self, jws, key='', verify=True, algorithms=None, options=None,
+**kwargs):
++
++if not algorithms:
++warnings.warn(
++'It is strongly recommended that you pass in a ' +
++'value for the "algorithms" argument when calling decode(). ' +
++'This argument will be mandatory in a future version.',
++DeprecationWarning
++)
++
+ payload, signing_input, header, signature = self._load(jws)
+ 
+ if verify:
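Review bot: this hunk calls warnings.warn but nothing in the diff adds `import warnings` to jwt/api_jws.py; if the module does not already import it, decode() without `algorithms` will raise NameError instead of warning. Also, DeprecationWarning is hidden by the default warning filters unless the caller enables them, and with the default stacklevel the warning is attributed to the library rather than the calling code, so consider `stacklevel=2`; either way this does not change behaviour for callers who omit `algorithms`, so the key-confusion risk remains until the argument is required.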
+diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
+index 9703b8d..e0e6c25 100644
+--- a/jwt/api_jwt.py
 b/jwt/api_jwt.py
+@@ -58,6 +58,15 @@ class PyJWT(PyJWS):
+ 
+ def decode(self, jwt, key='', verify=True, algorithms=None, options=None,
+**kwargs):
++
++if not algorithms:
++warnings.warn(
++'It is strongly recommended that you pass in a ' +
++'value for the "algorithms" argument when calling decode(). ' +
++'This argument will be mandatory in a future version.',
++DeprecationWarning
++)
++
+ payload, signing_input, header, signature = self._load(jwt)
+ 
+ decoded = super(PyJWT, self).decode(jwt, key, verify, algorithms,
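Review bot: the same `if not algorithms` warning is duplicated here, and PyJWT.decode then calls `super(PyJWT, self).decode(jwt, key, verify, algorithms, ...)` as shown below, so a caller who omits `algorithms` is warned twice. Keep the check in one place (PyJWS.decode, which both paths reach) or guard against the double emission. The `import warnings` question raised for api_jws.py applies to jwt/api_jwt.py as well.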
+diff --git a/tests/keys/testkey_pkcs1.pub.pem b/tests/keys/testkey_pkcs1.pub.pem
+new file mode 100644
+index 000..f690179
+--- /dev/null
 b/tests/keys/testkey_pkcs1.pub.pem
+@@ -0,0 +1,5 @@
++-BEGIN RSA PUBLIC KEY-
++MIGHAoGBAOV/0Vl/5VdHcYpnILYzBGWo5JQVzo9wBkbxzjAStcAnTwvv1ZJTMXs6
++fjz91f9hiMM4Z/5qNTE/EHlDWxVdj1pyRaQulZPUs0r9qJ02ogRRGLG3jjrzzbzF
++yj/pdNBwym0UJYC/Jmn/kMLwGiWI2nfa9vM5SovqZiAy2FD7eOtVAgED
++-END RSA PUBLIC KEY-
+diff --git a/tests/test_algorithms.py b/tests/test_algorithms.py
+index e3cf1d0..fea654c 100644
+--- a/tests/test_algorithms.py
 b/tests/test_algorithms.py
+@@ -84,6 +84,13 @@ class TestAlgorithms:
+ with open(key_path('testkey2_rsa.pub.pem'), 'r') as keyfile:
+ algo.prepare_key(keyfile.read())
+ 
++def test_hmac_should_throw_e
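Review bot: the attached debdiff stops mid-identifier at `+def test_hmac_should_throw_e`; the diffstat promises 7 lines for tests/test_algorithms.py and 10 lines each for tests/test_api_jws.py and tests/test_api_jwt.py that are not in the message, so the patch as posted cannot be applied or reviewed in full. Please re-send the complete file, preferably as an attachment rather than inline.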

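The key check and the algorithm allow-list that the changelog entry above refers to, as an added example that is not part of this bug report or of pyjwt itself: a stdlib-only HS256 verifier in which the old and fixed marker lists are both present, so the PKCS#1 gap can be seen directly. The PEM string, the shared secret and the marker tuples are constructed for the demonstration; the dashes in the markers are the ones PEM actually uses, not the compressed form the archive shows in the hunk.

```python
import base64
import hashlib
import hmac
import json

class InvalidKeyError(ValueError):
    """Key material rejected as an HMAC secret."""

class InvalidTokenError(ValueError):
    """Algorithm not allowed, or signature mismatch."""

# Markers identifying public-key material. OLD_MARKERS mirrors the three entries
# the page's hunk shows before the fix (with the dashes PEM actually uses);
# FIXED_MARKERS adds the PKCS#1 header that the CVE-2017-11424 patch introduces.
OLD_MARKERS = (b"-----BEGIN PUBLIC KEY-----", b"-----BEGIN CERTIFICATE-----", b"ssh-rsa")
FIXED_MARKERS = OLD_MARKERS + (b"-----BEGIN RSA PUBLIC KEY-----",)

# Constructed, non-functional PKCS#1-style PEM: only its header line matters here.
CONSTRUCTED_PKCS1_PEM = "-----BEGIN RSA PUBLIC KEY-----\nAAAAconstructed==\n-----END RSA PUBLIC KEY-----\n"

def prepare_hmac_key(key, markers=FIXED_MARKERS):
    """Refuse anything that looks like a public key as an HMAC secret."""
    key = key.encode("utf-8") if isinstance(key, str) else key
    if any(marker in key for marker in markers):
        raise InvalidKeyError("public key material may not be used as an HMAC secret")
    return key

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _unb64url(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def sign_hs256(payload, secret):
    """Issue a compact JWS with a genuine shared secret (the legitimate path)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    mac = hmac.new(prepare_hmac_key(secret), head + b"." + body, hashlib.sha256).digest()
    return (head + b"." + body + b"." + _b64url(mac)).decode()

def decode(token, key, algorithms, markers=FIXED_MARKERS):
    """Verify and return the payload. The caller's allow-list is checked before the
    key is touched, so an RS256-only verifier rejects an HS256 token outright; the
    marker check inside prepare_hmac_key is the second, independent line of defence."""
    head, body, sig = token.encode().split(b".")
    alg = json.loads(_unb64url(head)).get("alg")
    if alg not in algorithms:
        raise InvalidTokenError("alg %r is not in the allowed list" % alg)
    if alg != "HS256":
        raise NotImplementedError("this example verifies HS256 only")
    mac = hmac.new(prepare_hmac_key(key, markers), head + b"." + body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64url(sig)):
        raise InvalidTokenError("signature mismatch")
    return json.loads(_unb64url(body))
```

Run with the old marker tuple the PKCS#1 PEM is accepted as an HMAC secret, which is the gap the CVE describes; with the fixed tuple it is refused, and pinning `algorithms` rejects the token before the key is examined at all.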
[Python-modules-team] Processing of wifi-python_0.8.0~rc1-1_amd64.changes

2017-08-31 Thread Debian FTP Masters
wifi-python_0.8.0~rc1-1_amd64.changes uploaded successfully to localhost
along with the files:
  wifi-python_0.8.0~rc1-1.dsc
  wifi-python_0.8.0~rc1.orig.tar.gz
  wifi-python_0.8.0~rc1-1.debian.tar.xz
  python-wifi_0.8.0~rc1-1_all.deb
  python3-wifi_0.8.0~rc1-1_all.deb
  pywifi_0.8.0~rc1-1_all.deb
  wifi-python_0.8.0~rc1-1_amd64.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



[Python-modules-team] wifi-python_0.8.0~rc1-1_amd64.changes is NEW

2017-08-31 Thread Debian FTP Masters
binary:python-wifi is NEW.
binary:python3-wifi is NEW.
binary:pywifi is NEW.
binary:python3-wifi is NEW.
binary:python-wifi is NEW.
binary:pywifi is NEW.
source:wifi-python is NEW.

Your package has been put into the NEW queue, which requires manual action
from the ftpteam to process. The upload was otherwise valid (it had a good
OpenPGP signature and file hashes are valid), so please be patient.

Packages are routinely processed through to the archive, and do feel
free to browse the NEW queue[1].

If there is an issue with the upload, you will receive an email from a
member of the ftpteam.

If you have any questions, you may reply to this email.

[1]: https://ftp-master.debian.org/new.html
 or https://ftp-master.debian.org/backports-new.html for *-backports



[Python-modules-team] www.packages.debian.org

2017-08-31 Thread Carol | AU IT SOLUTIONS
Hello, I hope you are well.

My name is Carol Marshall and I work for a Search Marketing company in
Sydney, Australia.

I was doing some research on your industry and I landed on your website.
Thing is, I had a look at some of the other businesses who are currently
ranked on Page 1 and I truly believe you have a better website and a better
brand.

Long story short, I have created an 18-Page Website Audit which addresses
all of the technical and web errors on your website that are stopping you
from ranking on PAGE 1…

I am happy to send you this report for FREE.

All I want is the opportunity to call you and discuss THE WEBSITE AUDIT in
greater detail.

What do you think?

Kind Regards,

*Carol* | MANAGER


*AU IT SOLUTIONS* Headquarters: 41 Bridge Rd Glebe, NSW 2037, Australia
Other Offices: Hong Kong & China | USA | New Zealand | UAE | Singapore

[Python-modules-team] [bts-link] source package src:pytest-catchlog

2017-08-31 Thread bts-link-upstream
#
# bts-link upstream status pull for source package src:pytest-catchlog
# see http://lists.debian.org/debian-devel-announce/2006/05/msg1.html
#

user bts-link-upstr...@lists.alioth.debian.org

# remote status report for #871998 (http://bugs.debian.org/871998)
# Bug title: pytest-catchlog FTBFS: 
test_pytest_catchlog.py::test_nothing_logged FAILED
#  * https://github.com/eisensheng/pytest-catchlog/issues/68
#  * remote status changed: (?) -> open
usertags 871998 + status-open

thanks



[Python-modules-team] [bts-link] source package src:pyjwt

2017-08-31 Thread bts-link-upstream
#
# bts-link upstream status pull for source package src:pyjwt
# see http://lists.debian.org/debian-devel-announce/2006/05/msg1.html
#

user bts-link-upstr...@lists.alioth.debian.org

# remote status report for #873244 (http://bugs.debian.org/873244)
# Bug title: pyjwt: CVE-2017-11424: Incorrect handling of PEM-encoded public 
keys
#  * https://github.com/jpadilla/pyjwt/pull/277
#  * remote status changed: (?) -> closed
#  * closed upstream
tags 873244 + fixed-upstream
usertags 873244 + status-closed

thanks



[Python-modules-team] Processed: [bts-link] source package src:pyjwt

2017-08-31 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> #
> # bts-link upstream status pull for source package src:pyjwt
> # see http://lists.debian.org/debian-devel-announce/2006/05/msg1.html
> #
> user bts-link-upstr...@lists.alioth.debian.org
Setting user to bts-link-upstr...@lists.alioth.debian.org (was 
bts-link-de...@lists.alioth.debian.org).
> # remote status report for #873244 (http://bugs.debian.org/873244)
> # Bug title: pyjwt: CVE-2017-11424: Incorrect handling of PEM-encoded public 
> keys
> #  * https://github.com/jpadilla/pyjwt/pull/277
> #  * remote status changed: (?) -> closed
> #  * closed upstream
> tags 873244 + fixed-upstream
Bug #873244 [src:pyjwt] pyjwt: CVE-2017-11424: Incorrect handling of 
PEM-encoded public keys
Added tag(s) fixed-upstream.
> usertags 873244 + status-closed
There were no usertags set.
Usertags are now: status-closed.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
873244: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873244
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



[Python-modules-team] Processing of django-reversion_2.0.10-1_amd64.changes

2017-08-31 Thread Debian FTP Masters
django-reversion_2.0.10-1_amd64.changes uploaded successfully to localhost
along with the files:
  django-reversion_2.0.10-1.dsc
  django-reversion_2.0.10.orig.tar.gz
  django-reversion_2.0.10-1.debian.tar.xz
  django-reversion_2.0.10-1_amd64.buildinfo
  python-django-reversion-doc_2.0.10-1_all.deb
  python-django-reversion_2.0.10-1_all.deb
  python3-django-reversion_2.0.10-1_all.deb

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



[Python-modules-team] django-reversion_2.0.10-1_amd64.changes ACCEPTED into unstable

2017-08-31 Thread Debian FTP Masters


Accepted:


Format: 1.8
Date: Thu, 31 Aug 2017 21:21:22 +0200
Source: django-reversion
Binary: python-django-reversion python3-django-reversion 
python-django-reversion-doc
Architecture: source all
Version: 2.0.10-1
Distribution: unstable
Urgency: low
Maintainer: Debian Python Modules Team 

Changed-By: Michael Fladischer 
Description:
 python-django-reversion - Provides comprehensive version control facilities 
for Django
 python-django-reversion-doc - Provides comprehensive version control 
facilities for Django (Doc
 python3-django-reversion - Provides comprehensive version control facilities 
for Django (Pyt
Changes:
 django-reversion (2.0.10-1) unstable; urgency=low
 .
   * New upstream release.
   * Refresh patches after git-dpm to gbp pq conversion
   * Bump Standards-Version to 4.1.0.



Thank you for your contribution to Debian.



[Python-modules-team] cov-core 1.15.0-2 MIGRATED to testing

2017-08-31 Thread Debian testing watch
FYI: The status of the cov-core source package
in Debian's testing distribution has changed.

  Previous version: 1.15.0-1
  Current version:  1.15.0-2

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.



[Python-modules-team] Bug#873910: django-reversion FTBFS: ERROR: testFieldDictFieldExclude (test_app.tests.test_models.FieldDictExcludeTest)

2017-08-31 Thread Adrian Bunk
Source: django-reversion
Version: 2.0.10-1
Severity: serious

https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/django-reversion.html

...
   debian/rules override_dh_auto_test
make[1]: Entering directory '/build/1st/django-reversion-2.0.10'
PYBUILD_SYSTEM=custom PYBUILD_TEST_ARGS="python{version} tests/manage.py test 
tests" dh_auto_test
I: pybuild base:184: python2.7 tests/manage.py test tests
System check identified some issues:

WARNINGS:
?: (1_10.W001) The MIDDLEWARE_CLASSES setting is deprecated in Django 1.10 and 
the MIDDLEWARE setting takes precedence. Since you've set MIDDLEWARE, the value 
of MIDDLEWARE_CLASSES is ignored.

System check identified 1 issue (0 silenced).
E.sss...ss.ss...sss..sss.s..s.s
==
ERROR: testFieldDictFieldExclude 
(test_app.tests.test_models.FieldDictExcludeTest)
--
Traceback (most recent call last):
  File 
"/build/1st/django-reversion-2.0.10/tests/test_app/tests/test_models.py", line 
267, in testFieldDictFieldExclude
reversion.register(TestModel, exclude=("name",))
  File 
"/build/1st/django-reversion-2.0.10/.pybuild/pythonX.Y_2.7/build/reversion/revisions.py",
 line 404, in register
return register(model)
  File 
"/build/1st/django-reversion-2.0.10/.pybuild/pythonX.Y_2.7/build/reversion/revisions.py",
 line 373, in register
model=model,
RegistrationError:  has already been 
registered with django-reversion

--
Ran 131 tests in 11.009s

FAILED (errors=1, skipped=20)
Creating test database for alias 'default'...
Destroying test database for alias 'default'...
E: pybuild pybuild:283: test: plugin custom failed with: exit code=1: python2.7 
tests/manage.py test tests
dh_auto_test: pybuild --test -i python{version} -p 2.7 returned exit code 13
debian/rules:12: recipe for target 'override_dh_auto_test' failed
make[1]: *** [override_dh_auto_test] Error 25
