[Python-modules-team] Bug#781640: Downgrading bug severity
Moritz Mühlenhoff
jmm at inutil.org
Sun May 31 10:00:17 UTC 2015
On Mon, Apr 13, 2015 at 04:25:24PM +0200, Daniele Tricoli wrote:
> On Saturday 11 April 2015 14:50:19 Luke Faraone wrote:
> > However, the package is vulnerable to the other issue:
> >
> > - If the secretKey was expected to be a RSA public key, but the attacker
> > changed the header to indicate a signature algorithm of HMAC, the RSA
> > public key would be used as the signing secret.
>
> Thanks for the details, I initially thought the bug was only one. For this,
> shouldn't we backport only the following patch?
>
> https://github.com/jpadilla/pyjwt/commit/6a84d73f5a48488d3daf554a69500c3f42bb464d
>
> > I think it is important that this issue is corrected in jessie.
>
> Definitely, I will work on it today or tomorrow.

What's the status?

Cheers,
Moritz
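
Added example, not part of the original message and not PyJWT's own code: a model of the issue quoted above, where a verifier that lets the token header choose the algorithm accepts an HMAC signature keyed with the RSA public key, next to a verifier that pins the algorithm and refuses PEM-looking HMAC secrets. All function names and the key value are constructed for illustration; only the HS256 path is modelled.

```python
import base64, hashlib, hmac, json

# Constructed placeholder standing in for a service's published RSA public key.
PUBLIC_KEY_PEM = (b"-----BEGIN PUBLIC KEY-----\n"
                  b"CONSTRUCTED-PLACEHOLDER\n"
                  b"-----END PUBLIC KEY-----\n")

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def b64url_decode(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def sign_hs256(payload, secret):
    """Build an HS256 token; used here to construct sample inputs."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + b"." + b64url(json.dumps(payload).encode())
    mac = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return signing_input + b"." + b64url(mac)

def header_alg(token):
    return json.loads(b64url_decode(token.split(b".")[0])).get("alg")

def hs256_ok(token, key):
    signing_input, _, sig = token.rpartition(b".")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def verify_trusting_header(token, key):
    """Behaviour described in the bug: the token's own header picks the algorithm."""
    if header_alg(token) == "HS256":
        return hs256_ok(token, key)  # key may be the RSA public key
    raise ValueError("RS256 would be handed to an RSA library here")

def verify_pinned(token, key, algorithms):
    """Hardened: the caller states which algorithms it accepts for this key."""
    alg = header_alg(token)
    if alg not in algorithms:
        raise ValueError("algorithm %r not allowed" % alg)
    if alg == "HS256":
        # An asymmetric key in PEM form is never a valid HMAC secret.
        if key.lstrip().startswith(b"-----BEGIN"):
            raise ValueError("PEM key refused as HMAC secret")
        return hs256_ok(token, key)
    raise ValueError("RS256 would be handed to an RSA library here")
```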