An update for python-jwt is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2022-1710
Final
1.0
1.0
2022-06-17
Initial
2022-06-17
2022-06-17
openEuler SA Tool V1.0
2022-06-17
python-jwt security update
An update for python-jwt is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.
PyJWT is a Python library which allows you to encode and decode JSON Web Tokens (JWT). \ JWT is an open, industry-standard (RFC 7519) for representing claims securely between two parties.
Security Fix(es):
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify `jwt.algorithms.get_default_algorithms()` to get support for all algorithms, or specify a single algorithm. The issue is not that big as `algorithms=jwt.algorithms.get_default_algorithms()` has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.(CVE-2022-29217)
An update for python-jwt is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
High
python-jwt
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1710
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-29217
https://nvd.nist.gov/vuln/detail/CVE-2022-29217
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
python2-jwt-1.7.1-3.oe1.noarch.rpm
python3-jwt-1.7.1-3.oe1.noarch.rpm
python-jwt-help-1.7.1-3.oe1.noarch.rpm
python-jwt-help-1.7.1-3.oe1.noarch.rpm
python2-jwt-1.7.1-3.oe1.noarch.rpm
python3-jwt-1.7.1-3.oe1.noarch.rpm
python3-jwt-2.3.0-3.oe2203.noarch.rpm
python-jwt-help-2.3.0-3.oe2203.noarch.rpm
python-jwt-1.7.1-3.oe1.src.rpm
python-jwt-1.7.1-3.oe1.src.rpm
python-jwt-2.3.0-3.oe2203.src.rpm
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify `jwt.algorithms.get_default_algorithms()` to get support for all algorithms, or specify a single algorithm. The issue is not that big as `algorithms=jwt.algorithms.get_default_algorithms()` has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.
2022-06-17
CVE-2022-29217
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
High
7.4
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
python-jwt security update
2022-06-17
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1710