[Python-modules-team] Bug#781640: Downgrading bug severity

Moritz Mühlenhoff jmm at inutil.org
Wed Jun 17 20:49:24 UTC 2015


On Fri, Jun 05, 2015 at 12:17:56PM +0200, Moritz Mühlenhoff wrote:
> On Fri, Jun 05, 2015 at 03:58:23AM +0200, Daniele Tricoli wrote:
> > Hello,
> > 
> > On Sunday 31 May 2015 12:00:17 Moritz Mühlenhoff wrote:
> > > What's the status?
> > 
> > Sorry for the delay! I cherry-picked and adapted the patch for the pyjwt
> > version in Jessie. I worked on this branch:
> > https://anonscm.debian.org/viewvc/python-modules/packages/pyjwt/branches/0.2.1/
> > 
> > The package builds fine (also twice in a row) in a pbuilder chroot.
> > 
> > Luke, do you know if there is any test case for asymmetric keys
> > used as HMAC secrets?
> > 
> > I have some questions (maybe d-mentors is the right place but :
> > 1. I have to use 0.2.1-1+deb8u1 as version, right?
> 
> Yes, that's correct.
> 
> > 2. Since there is not a CVE, I have to mention
> >    TEMP-0781640-F16931 in the changelog, right?
> 
> Those TEMP IDs are not static, please rather mention 
> https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
> as a reference.
> 
> > 2. Can I ask my sponsor to upload it to jessie-security?
> 
> Yes, please. It needs to be built with "-sa" since pyjwt is new in the
> jessie-security suite.

Any feedback from your sponsor?

Cheers,
        Moritz


