Описание
Security update for python3-PyJWT
This update for python3-PyJWT fixes the following vulnerabilty:
- CVE-2017-11424: Insufficient filtering of PEM encoding public keys allowed for creation of JWTs from scratch (boo#1054106, with duplicate CVE-2017-12880)
Список пакетов
openSUSE Leap 42.3
Ссылки
- E-Mail link for openSUSE-SU-2017:2820-1
- SUSE Security Ratings
Описание
In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.
Затронутые продукты
Ссылки
- CVE-2017-11424
- SUSE Bug 1054106
Описание
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-11424. Reason: This candidate is a duplicate of CVE-2017-11424. Notes: All CVE users should reference CVE-2017-11424 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Затронутые продукты
Ссылки
- CVE-2017-12880
- SUSE Bug 1054106