[Python-modules-team] Bug#781640: Downgrading bug severity

Moritz Mühlenhoff jmm at inutil.org
Sun May 31 10:00:17 UTC 2015


On Mon, Apr 13, 2015 at 04:25:24PM +0200, Daniele Tricoli wrote:
> On Saturday 11 April 2015 14:50:19 Luke Faraone wrote:
> > However, the package is vulnerable to the other issue:
> > 
> > - If the secretKey was expected to be a RSA public key, but the attacker
> > changed the header to indicate a signature algorithm of HMAC, the RSA
> > public key would be used as the signing secret.
> 
> Thanks for the details, I initially thought the bug was only one. For this, 
> shouldn't we backport only the following patch?
> 
> https://github.com/jpadilla/pyjwt/commit/6a84d73f5a48488d3daf554a69500c3f42bb464d
> 
> > I think it is important that this issue is corrected in jessie.
> 
> Definitely, I will work on it today or tomorrow.

What's the status?

Cheers,
        Moritz
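The two checks behind the issue discussed above (an explicit algorithm allowlist on the verifier side, and refusing to use a string that looks like a public key as an HMAC secret), as an added example that is not part of this thread or of PyJWT's own code; the key, claims and token below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Prefixes that mark asymmetric public-key material; such bytes must never be an HMAC secret.
PUBLIC_KEY_MARKERS = (b"-----BEGIN PUBLIC KEY-----", b"-----BEGIN RSA PUBLIC KEY-----",
                      b"-----BEGIN CERTIFICATE-----", b"ssh-rsa ")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 token (used here only to build sample input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify(token: str, key: bytes, allowed_algorithms: list) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    # Check 1: the caller's allowlist decides the algorithm, never the token header alone.
    if alg not in allowed_algorithms:
        raise ValueError(f"algorithm {alg!r} not allowed (expected one of {allowed_algorithms})")
    if alg != "HS256":
        raise ValueError("only HS256 is implemented in this example")  # RS256 path omitted
    # Check 2: a key that looks like public-key material is rejected for HMAC outright.
    if key.strip().startswith(PUBLIC_KEY_MARKERS):
        raise ValueError("refusing to use an asymmetric public key as an HMAC secret")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def outcome(token: str, key: bytes, allowed: list) -> str:
    """Summarise verify() as 'ok' or the rejection reason (constructed helper for the demo)."""
    try:
        verify(token, key, allowed)
        return "ok"
    except ValueError as exc:
        return str(exc).split(" ")[0]
```

A verifier configured for RS256 must reject an HS256 header even before looking at the signature, and a verifier that does use HMAC must still refuse PEM-looking key material.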


