[Python-modules-team] Bug#781640: Downgrading bug severity
Moritz Mühlenhoff
jmm at inutil.org
Fri Jun 5 10:17:56 UTC 2015
On Fri, Jun 05, 2015 at 03:58:23AM +0200, Daniele Tricoli wrote:
> Hello,
>
> On Sunday 31 May 2015 12:00:17 Moritz Mühlenhoff wrote:
> > What's the status?
>
> Sorry for the delay! I cherry-picked and adapted the patch for the pyjwt
> version in Jessie. I worked on this branch:
> https://anonscm.debian.org/viewvc/python-modules/packages/pyjwt/branches/0.2.1/
>
> The package builds fine (also twice in a row) in a pbuilder chroot.
>
> Luke, do you know if there is any test case for asymmetric keys
> used as HMAC secrets?
>
> I have some questions (maybe d-mentors is the right place but :
> 1. I have to use 0.2.1-1+deb8u1 as version, right?

Yes, that's correct.

> 2. Since there is not a CVE, I have to mention
> TEMP-0781640-F16931 in the changelog, right?

Those TEMP IDs are not static, please rather mention
https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
as a reference.

> 2. Can I ask my sponsor to upload it on jessie-security?

Yes, please. It needs to be built with "-sa" since pyjwt is new in the
jessie-security suite.

Cheers,
Moritz