[Python-modules-team] Bug#781640: Signature bypass via "alg=none" and HMAC/RSA confusion

Luke Faraone lfaraone at debian.org
Wed Apr 1 06:39:59 UTC 2015


Package: pyjwt
Version: 0.2.1-1
Severity: grave
Tags: security

See http://www.openwall.com/lists/oss-security/2015/04/01/4

Relevant upstream commit:
    https://github.com/jpadilla/pyjwt/commit/88a9fc56.patch

However, I was not able to get this commit to apply cleanly on the version
packaged in Debian.

Not sure if it is worth backporting the fix or upgrading to the latest upstream
version.



-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty'), (100, 'trusty-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13.0-48-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


