Hello, sorry for the delay and thanks Thomas: I had forgotten to subscribe to pyjwt : (
On Thursday 09 April 2015 09:19:03 Thomas Goirand wrote: > If the package isn't vulnerable, shouldn't this bug report be closed? If > that's the case, then I'll let you close it. In the mean while, I'll > downgrade the severity to normal, in order to not remove the package > (and its rev-dependencies) from testing. My plan is to package pyjwt 1.0.1 soon: it's not vulnerable since the fix mentioned by Luke was applied to 1.0.0. I'm leaving this open for now, but I agree with Thomas: 0.2.1 is not vulnerable to alg=”none” bug, so we can close this bug. Kind regards, -- Daniele Tricoli 'Eriol' http://mornie.org _______________________________________________ Python-modules-team mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team
