Debian Security Advisory
DSA-3293-1 pyjwt -- security update
- Date Reported:
- 20 Jun 2015
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 781640.
- More information:
Tim McLean discovered that pyjwt, a Python implementation of JSON Web Token, would try to verify an HMAC signature using an RSA or ECDSA public key as secret. This could allow remote attackers to trick applications expecting tokens signed with asymmetric keys, into accepting arbitrary tokens. For more information see: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/.
For the stable distribution (jessie), this problem has been fixed in version 0.2.1-1+deb8u1.
For the unstable distribution (sid), this problem will be fixed soon.
We recommend that you upgrade your pyjwt packages.