Security Information / 2015 / Security Information -- DSA-3293-1 pyjwt

Debian Security Advisory

DSA-3293-1 pyjwt -- security update

Date Reported:

20 Jun 2015

Affected Packages:

pyjwt

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 781640.

More information:

Tim McLean discovered that pyjwt, a Python implementation of JSON Web Token, would try to verify an HMAC signature using an RSA or ECDSA public key as secret. This could allow remote attackers to trick applications expecting tokens signed with asymmetric keys, into accepting arbitrary tokens. For more information see: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/.

For the stable distribution (jessie), this problem has been fixed in version 0.2.1-1+deb8u1.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your pyjwt packages.