Your message dated Tue, 23 Jun 2015 19:32:07 +0000
with message-id <[email protected]>
and subject line Bug#781640: fixed in pyjwt 0.2.1-1+deb8u1
has caused the Debian Bug report #781640,
regarding Asymmetric keys and x509 certificates should not be used as HMAC keys
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
781640: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781640
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: pyjwt
Version: 0.2.1-1
Severity: grave
Tags: security
See http://www.openwall.com/lists/oss-security/2015/04/01/4
Relevant upstream commit:
https://github.com/jpadilla/pyjwt/commit/88a9fc56.patch
However, I was not able to get this commit to apply cleanly on the version
packaged in Debian.
Not sure if worth backporting the fix or upgrading to the latest upstream
version.
-- System Information:
Debian Release: jessie/sid
APT prefers trusty-updates
APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty'), (100, 'trusty-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.13.0-48-generic (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
Source: pyjwt
Source-Version: 0.2.1-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
pyjwt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniele Tricoli <[email protected]> (supplier of updated pyjwt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 05 Jun 2015 03:25:03 +0200
Source: pyjwt
Binary: python-jwt python3-jwt
Architecture: source all
Version: 0.2.1-1+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Daniele Tricoli <[email protected]>
Description:
python-jwt - Python implementation of JSON Web Token
python3-jwt - Python 3 implementation of JSON Web Token
Closes: 781640
Changes:
pyjwt (0.2.1-1+deb8u1) jessie-security; urgency=medium
.
  * debian/patches/01_not-use-asymmetric-keys-as-HMAC.patch
    - Add a check so that asymmetric keys cannot be used as HMAC
      secrets. See for more details:
      https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
      (Closes: #781640)
Checksums-Sha1:
f8e907071a5d8c28690591f9676cb725b086fcb3 2091 pyjwt_0.2.1-1+deb8u1.dsc
e1f49566cfe6fbfa4d6a467ca53b5f83f7f62ef3 6320 pyjwt_0.2.1.orig.tar.gz
496b01b6b2da4b34a4b09f3e1858db5ffedadb0b 3440 pyjwt_0.2.1-1+deb8u1.debian.tar.xz
250725cc16eb4047543f70e8debc56ebde463c72 10772 python-jwt_0.2.1-1+deb8u1_all.deb
65d13d815efa0b20db0037fbaa5cf76561cde445 8980 python3-jwt_0.2.1-1+deb8u1_all.deb
Checksums-Sha256:
c092cbd30d138f90c3257c870ff4f1cd246008d1ba1895fb76b2a4a5ca756194 2091 pyjwt_0.2.1-1+deb8u1.dsc
cfd0fad01a9a57fb4b24e59a82ffd50ddc9c2c4344694ec6ef436ae11d5d18aa 6320 pyjwt_0.2.1.orig.tar.gz
f1e34259f0bc21c69020f6edd86f9c02faed3556d29de78f1bd4894c873d16ca 3440 pyjwt_0.2.1-1+deb8u1.debian.tar.xz
5bbdaee6966620171c4102d404d4f92387cb6672073ff4e9215ef2bca5da22bd 10772 python-jwt_0.2.1-1+deb8u1_all.deb
6900ddc7a0f918a49dd4c344c363c71c7a3f50dc18260ff5fc31fa82b003be7f 8980 python3-jwt_0.2.1-1+deb8u1_all.deb
Files:
c2b81a45c8f0a1299587011444826eb0 2091 python optional pyjwt_0.2.1-1+deb8u1.dsc
500fdbdd4c7b60404063f7d9c2717108 6320 python optional pyjwt_0.2.1.orig.tar.gz
c4f8658ed920abb44a14aeac82c2fa64 3440 python optional pyjwt_0.2.1-1+deb8u1.debian.tar.xz
cec8e0e1b2b7c1387608987748aa9ce3 10772 python optional python-jwt_0.2.1-1+deb8u1_all.deb
be7f6cdd78010df24aaa9c3b4fa082a0 8980 python optional python3-jwt_0.2.1-1+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

[...signature data not preserved in this copy...]
=A8kD
-----END PGP SIGNATURE-----
--- End Message ---
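The changelog entry above states the fix in one line: refuse asymmetric key material as an HMAC secret. A verifier that accepts a token's own `alg` header and then feeds whatever key it holds into HMAC can be made to validate a token under HS256 using the RSA public key it normally uses for RS256, which is why the patch checks the key before any HMAC runs. The following is an added example, not code from pyjwt, from the Debian patch, or from this bug report: a minimal stdlib-only HMAC JWT verifier that performs the same kind of key check alongside explicit algorithm pinning. The function names, the `ASYMMETRIC_KEY_PREFIXES` list, the exception classes, and the sample secret and placeholder PEM blob are this example's own assumptions.

```python
"""Guard against JWT algorithm confusion: reject asymmetric key material
(PEM public keys, certificates, SSH public keys) as an HMAC secret, and
only accept algorithms the verifier itself allows.

Added example using only the standard library; names and sample inputs
are constructed for this example and are not pyjwt's own.
"""
import base64
import hashlib
import hmac
import json


class InvalidKeyError(ValueError):
    """Key material is unsuitable for the requested algorithm."""


class InvalidAlgorithmError(ValueError):
    """The token's alg header is not on the verifier's allow list."""


# Prefixes identifying asymmetric key material (assumed list for this
# example). Bytes starting with one of these must never be an HMAC secret.
ASYMMETRIC_KEY_PREFIXES = (
    b"-----BEGIN PUBLIC KEY-----",
    b"-----BEGIN CERTIFICATE-----",
    b"-----BEGIN RSA PUBLIC KEY-----",
    b"ssh-rsa",
)

HMAC_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def is_asymmetric_key_material(key: bytes) -> bool:
    """True if the bytes look like a public key or certificate, not a secret."""
    return key.lstrip().startswith(ASYMMETRIC_KEY_PREFIXES)


def prepare_hmac_key(key: bytes) -> bytes:
    """The check the fix adds: refuse asymmetric key material for HMAC."""
    if is_asymmetric_key_material(key):
        raise InvalidKeyError("asymmetric key material cannot be used as an HMAC secret")
    return key


def sign_hs(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Produce a compact HMAC JWS; used here to build tokens for the demo."""
    key = prepare_hmac_key(secret)
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), HMAC_DIGESTS[alg]).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs(token: str, secret: bytes, allowed_algs=("HS256",)) -> dict:
    """Verify a compact JWS with the algorithm pinned by the verifier.

    The allow list comes from the caller, never from the token header, so a
    header claiming 'none' or 'RS256' is rejected before any crypto runs.
    """
    header_b64, body_b64, sig_b64 = token.split(".")
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in allowed_algs or alg not in HMAC_DIGESTS:
        raise InvalidAlgorithmError(f"algorithm {alg!r} not allowed")
    key = prepare_hmac_key(secret)
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), HMAC_DIGESTS[alg]).digest()
    # Constant-time comparison so the check does not leak signature bytes.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(body_b64))


# Constructed sample inputs (not real key material).
SHARED_SECRET = b"constructed-shared-secret-for-example"
FAKE_PUBLIC_KEY_PEM = (
    b"-----BEGIN PUBLIC KEY-----\n"
    b"CONSTRUCTEDPLACEHOLDERNOTAREALKEY\n"
    b"-----END PUBLIC KEY-----\n"
)


def demo() -> dict:
    """Outcomes of the three cases a verifier must get right."""
    token = sign_hs({"sub": "alice"}, SHARED_SECRET)
    outcomes = {"valid": verify_hs(token, SHARED_SECRET)["sub"]}
    try:
        verify_hs(token, FAKE_PUBLIC_KEY_PEM)
        outcomes["pem_as_hmac_key"] = "accepted"
    except InvalidKeyError:
        outcomes["pem_as_hmac_key"] = "rejected"
    try:
        verify_hs(token, SHARED_SECRET, allowed_algs=("RS256",))
        outcomes["alg_pinning"] = "accepted"
    except InvalidAlgorithmError:
        outcomes["alg_pinning"] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The two guards are independent and both are needed: the key check stops a public key from ever being used as a shared secret even in code paths that do not pin the algorithm, and algorithm pinning stops the token header from steering the verifier into an unintended algorithm in the first place. When patching or auditing a JWT library, look for both.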
_______________________________________________
Python-modules-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team