• [SECURITY] [DSA 3293-1] pyjwt security update

    From Alessandro Ghedini@1:229/2 to All on Sat Jun 20 15:40:02 2015
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-3293-1                   [email protected]
    https://www.debian.org/security/                      Alessandro Ghedini
    June 20, 2015                         https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : pyjwt
    Debian Bug : 781640

    Tim McLean discovered that pyjwt, a Python implementation of JSON Web
    Token, would try to verify an HMAC signature using an RSA or ECDSA public
    key as secret. This could allow remote attackers to trick applications
    expecting tokens signed with asymmetric keys into accepting arbitrary
    tokens. For more information see:
    https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/

    For the stable distribution (jessie), this problem has been fixed in
    version 0.2.1-1+deb8u1.

    For the unstable distribution (sid), this problem will be fixed soon.

    We recommend that you upgrade your pyjwt packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    -----END PGP SIGNATURE-----
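
The confusion described in the advisory, reduced to the HMAC path, as an added example (not pyjwt's code and not part of the advisory): `verify_naive` lets the token header choose the algorithm, while `verify_hardened` pins the algorithm on the caller's side and refuses public-key material as an HMAC secret. The function names, the placeholder PEM and the marker list are assumptions made for this illustration.

```python
import base64, hashlib, hmac, json

# Constructed placeholder standing in for the server's published RSA key (not a real key).
PUBLIC_PEM = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PUBLIC KEY-----\n"
ASYMMETRIC_MARKERS = (b"-----BEGIN", b"ssh-rsa", b"ecdsa-sha2-")  # assumed marker list

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_token(claims: dict, key: bytes) -> str:
    """Build an HS256 token; used here only to construct sample input."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = head + "." + b64u(json.dumps(claims).encode())
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u(mac)

def _hs256_ok(token: str, key: bytes) -> bool:
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, unb64u(sig))

def verify_naive(token: str, key: bytes) -> bool:
    """Behaviour the advisory describes: the token's own header selects the
    algorithm, so whatever key the application configured becomes the HMAC secret."""
    alg = json.loads(unb64u(token.split(".")[0])).get("alg")
    if alg == "HS256":
        return _hs256_ok(token, key)
    raise NotImplementedError("RS256/ES256 path omitted; it needs a crypto library")

def verify_hardened(token: str, key: bytes, allowed_algs) -> bool:
    """Caller pins the algorithms; HMAC refuses key material that is a public key."""
    alg = json.loads(unb64u(token.split(".")[0])).get("alg")
    if alg not in allowed_algs:
        raise ValueError("algorithm %r is not in the allow-list" % (alg,))
    if alg == "HS256":
        if any(marker in key for marker in ASYMMETRIC_MARKERS):
            raise ValueError("asymmetric key material refused as an HMAC secret")
        return _hs256_ok(token, key)
    raise NotImplementedError("RS256/ES256 path omitted; it needs a crypto library")

# Constructed sample: a token whose HMAC was computed over the public PEM bytes.
CONFUSED = hs256_token({"sub": "constructed-sample"}, PUBLIC_PEM)
```

An application that expects asymmetric signatures passes `{"RS256"}` as `allowed_algs`, so the constructed token is rejected before any HMAC is computed; the marker check covers callers that allow both families.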

