[Python-modules-team] Bug#781640: Downgrading bug severity
Daniele Tricoli
eriol at mornie.org
Mon Apr 13 14:25:24 UTC 2015
On Saturday 11 April 2015 14:50:19 Luke Faraone wrote:
> However, the package is vulnerable to the other issue:
>
> - If the secretKey was expected to be a RSA public key, but the attacker
> changed the header to indicate a signature algorithm of HMAC, the RSA
> public key would be used as the signing secret.
Thanks for the details, I initially thought there was only one bug. For this
one, shouldn't we backport only the following patch?
https://github.com/jpadilla/pyjwt/commit/6a84d73f5a48488d3daf554a69500c3f42bb464d
> I think it is important that this issue is corrected in jessie.
Definitely, I will work on it today or tomorrow.
Kind regards,
--
Daniele Tricoli 'Eriol'
http://mornie.org
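As an added illustration of the issue Luke describes above (this is example code written for this page, not pyjwt's code and not the content of the linked commit): a minimal stdlib-only JWT verifier that trusts the "alg" field in the header, the forged HS256 token an attacker builds from the server's public key bytes, and a hardened verifier with two independent checks (a caller-supplied algorithm allow-list, and a refusal to use anything that looks like a PEM/SSH public key as an HMAC secret). The PUBLIC KEY string is a constructed stand-in, not a real RSA key, because the attack only depends on the verifier handing those exact bytes to HMAC; the marker-based check in hardened_verify is one possible defence, not a claim about how pyjwt implements it.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the server's RSA public key (NOT a real key).
# The attack needs only the exact bytes the weak verifier passes to HMAC.
SERVER_PUBLIC_KEY = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexampleexampleexample\n"
    "-----END PUBLIC KEY-----\n"
)

# Assumed list of prefixes that mark a public key; illustration only.
PEM_PUBLIC_MARKERS = (
    "-----BEGIN PUBLIC KEY-----",
    "-----BEGIN RSA PUBLIC KEY-----",
    "ssh-rsa ",
)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _hs256(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def forge_token(payload: dict, public_key_pem: str) -> str:
    """Attacker side: sign with HS256 using the public key bytes as the secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    ).encode()
    return signing_input.decode() + "." + _b64url(_hs256(signing_input, public_key_pem.encode()))


def weak_verify(token: str, key: str) -> dict:
    """Vulnerable pattern from the thread: the header decides which algorithm
    is used, and the configured key is reused as an HMAC secret for HS256."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") == "HS256":
        expected = _hs256(f"{h}.{p}".encode(), key.encode())
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise ValueError("bad signature")
        return json.loads(_b64url_decode(p))
    # Toy verifier: the RS256 path (which needs an RSA library) is not needed
    # to show the bug, because the attacker never takes it.
    raise ValueError(f"unsupported alg {header.get('alg')!r}")


def hardened_verify(token: str, key: str, algorithms: list) -> dict:
    """Fixed pattern: the caller states which algorithms are acceptable, and an
    HMAC secret that looks like a public key is refused regardless."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    alg = header.get("alg")
    if alg not in algorithms:
        raise ValueError(f"alg {alg!r} not in allow-list {algorithms}")
    if alg == "HS256":
        if key.strip().startswith(PEM_PUBLIC_MARKERS):
            raise ValueError("refusing to use a public key as an HMAC secret")
        expected = _hs256(f"{h}.{p}".encode(), key.encode())
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise ValueError("bad signature")
        return json.loads(_b64url_decode(p))
    raise ValueError(f"unsupported alg {alg!r}")


def demo() -> dict:
    """Run the forged token through both verifiers and report what happened."""
    token = forge_token({"sub": "admin", "role": "admin"}, SERVER_PUBLIC_KEY)
    result = {"weak": weak_verify(token, SERVER_PUBLIC_KEY)}  # accepted!
    for name, algs in (("allowlist", ["RS256"]), ("pem_check", ["HS256"])):
        try:
            hardened_verify(token, SERVER_PUBLIC_KEY, algs)
            result[name] = "accepted"
        except ValueError as exc:
            result[name] = str(exc)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The "pem_check" case shows why the second check is worth keeping even after an allow-list exists: if a deployment mistakenly allows HS256 alongside RS256 while still passing the RSA public key as the key, the marker check still stops the public key from acting as the secret.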