[Python-modules-team] Bug#781640: Downgrading bug severity

Luke Faraone lfaraone at debian.org
Sat Apr 11 18:50:19 UTC 2015


On 11 April 2015 at 13:37, Daniele Tricoli <eriol at mornie.org> wrote:

> On Thursday 09 April 2015 09:19:03 Thomas Goirand wrote:
> > If the package isn't vulnerable, shouldn't this bug report be closed? If
> > that's the case, then I'll let you close it. In the meantime, I'll
> > downgrade the severity to normal, in order to not remove the package
> > (and its rev-dependencies) from testing.
>

However, the package is vulnerable to the other issue:

- If the secretKey was expected to be an RSA public key, but the attacker
changed the header to indicate a signature algorithm of HMAC, the RSA
public key would be used as the signing secret.

I think it is important that this issue is corrected in jessie.
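
The key-confusion issue quoted above, shown as an added example (not part of the original message and not the package's own code): a verifier that lets the token header choose the algorithm, next to one where the caller pins it. The function names and the placeholder PEM are assumptions made for illustration, and RSA verification itself is left out because the Python standard library has none.

```python
import base64, hashlib, hmac, json

# Constructed placeholder standing in for the RSA public key PEM (not a real key).
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n-----END PUBLIC KEY-----\n"

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def hs256_ok(signing_input, sig, key):
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def split_token(token):
    h, p, s = token.split(".")
    return json.loads(b64d(h)), (h + "." + p).encode(), b64d(s)

def constructed_hs256_token(claims, key):
    """Test fixture: token whose header says HS256, MACed with `key`."""
    h = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    return h + "." + p + "." + b64e(sig)

def verify_trusting_header(token, key):
    """Flawed pattern: the token's own header selects the algorithm."""
    header, signing_input, sig = split_token(token)
    if header.get("alg") == "HS256":
        return hs256_ok(signing_input, sig, key)
    return False  # RS256 branch omitted (no RSA in the standard library)

def verify_pinned(token, key, allowed_algs):
    """Hardened pattern: the caller pins the algorithm(s) the key is for."""
    header, signing_input, sig = split_token(token)
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError("algorithm %r not allowed for this key" % alg)
    if alg == "HS256":
        if b"-----BEGIN" in key:  # PEM key material must never be an HMAC secret
            raise ValueError("asymmetric key supplied as HMAC secret")
        return hs256_ok(signing_input, sig, key)
    raise NotImplementedError("RS256 verification needs an RSA library")
```

A token built by `constructed_hs256_token` with the placeholder PEM as its key passes `verify_trusting_header` but is rejected by `verify_pinned` when only `RS256` is allowed.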