Re: pyjwt CVE-2022-29217 and stretch
Hi Enrico,
please note that marking the CVE as no-dsa for an LTS release
means that it still needs to be fixed!
We do not have point releases for o-o-stable, so this state can only postpone
the upload, but it still needs to be fixed somehow.
If you feel that the patch is too destructive, or something similar
prevents a fix for this particular CVE, then the <ignored> tag is more
appropriate, with a corresponding comment.
Best regards
Anton
On Fri, 10 Jun 2022 at 12:24, Enrico Zini <enrico@enricozini.org> wrote:
>
> Hello,
>
> I've been looking at pyjwt and CVE-2022-29217 for stretch.
>
> In theory, the CVE does not apply, because pyjwt < 2.0.0 (stretch has
> 1.4.2) does not support ed25519, which is the algorithm that uses
> the specific PEM header that pyjwt was failing to blocklist.
>
> However, the patch at https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc#diff-e952a2551c16d8c3865536b2bffb440e37f64fce6c4e23266f8722e1a48e8f19L564
> still introduces a stricter blocklisting of key material for the HMAC
> algorithm (line 188).
>
> I could either mark CVE-2022-29217 as no-dsa for stretch or, if we
> consider the stricter blocklisting worthwhile, prepare a DLA with only
> that part of the patch.
>
> https://security-tracker.debian.org/tracker/CVE-2022-29217 does consider
> the issue as minor, and I would agree, so my call would be to mark this
> as no-dsa.
>
> Let me know if you'd like me to still backport the applicable parts of
> the patch, otherwise I'll mark this as no-dsa in a few days.
>
>
> Enrico
>
> --
> GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>
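The "stricter blocklisting of key material for the HMAC algorithm" that Enrico mentions is the second line of defence against algorithm confusion: a verifier holding an asymmetric public key must never let that same byte string be used as an HMAC secret, because the attacker knows the public key and can mint an HS256 token with it. The following is an added illustration, not code from this thread, from pyjwt or from Debian: `legacy_prepare_hmac_key` and `strict_prepare_hmac_key` are hypothetical helpers modelled loosely on a fixed-substring blocklist versus a pattern-based one, and the PEM and OpenSSH "keys" are constructed placeholders (only their framing matters here, they are not real keys). It shows that a fixed list which lacks the ssh-ed25519 framing still lets the confused-key forgery through, while a pattern-based check rejects it.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed sample key material (placeholder base64, NOT real keys).
# In the attack scenario these are the bytes the server uses to verify
# asymmetric signatures and which the attacker also knows.
PEM_PUBLIC_KEY = (
    b"-----BEGIN PUBLIC KEY-----\n"
    b"MCowBQYDK2VwAyEAPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD=\n"
    b"-----END PUBLIC KEY-----\n"
)
OPENSSH_ED25519_KEY = (
    b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDER user@host"
)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def forge_hs256(claims: dict, secret: bytes) -> str:
    """Attacker side: build an HS256 token using any bytes as the HMAC secret."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


# Hypothetical "before": a fixed list of substrings. Note that it has no
# entry for the OpenSSH ed25519 public key framing.
LEGACY_INVALID_SUBSTRINGS = (
    b"-----BEGIN PUBLIC KEY-----",
    b"-----BEGIN CERTIFICATE-----",
    b"-----BEGIN RSA PUBLIC KEY-----",
    b"ssh-rsa",
)


def legacy_prepare_hmac_key(key: bytes) -> bytes:
    for bad in LEGACY_INVALID_SUBSTRINGS:
        if bad in key:
            raise ValueError("asymmetric key material must not be used as an HMAC secret")
    return key


# Hypothetical "after": recognise any PEM block and any OpenSSH public key
# type prefix, rather than enumerating a few exact strings.
_PEM_RE = re.compile(
    rb"-----BEGIN [A-Z0-9 ]+-----\r?\n.+?\r?\n-----END [A-Z0-9 ]+-----", re.DOTALL
)
_SSH_KEY_PREFIXES = (
    b"ssh-ed25519", b"ssh-rsa", b"ssh-dss",
    b"ecdsa-sha2-nistp256", b"ecdsa-sha2-nistp384", b"ecdsa-sha2-nistp521",
)


def strict_prepare_hmac_key(key: bytes) -> bytes:
    if _PEM_RE.search(key) or key.lstrip().startswith(_SSH_KEY_PREFIXES):
        raise ValueError("asymmetric key material must not be used as an HMAC secret")
    return key


def verify_hs256(token: str, key: bytes, prepare_key):
    """Server side: verify an HS256 token; prepare_key vets the secret first."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None
    secret = prepare_key(key)  # raises ValueError for asymmetric-looking bytes
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def confused_verifier_accepts(public_key: bytes, prepare_key) -> bool:
    """True if a verifier configured with public_key accepts a token the
    attacker forged from those same bytes; a ValueError counts as rejection."""
    token = forge_hs256({"sub": "admin"}, public_key)
    try:
        return verify_hs256(token, public_key, prepare_key) == {"sub": "admin"}
    except ValueError:
        return False


if __name__ == "__main__":
    for name, prep in (("no check", lambda k: k),
                       ("legacy list", legacy_prepare_hmac_key),
                       ("strict check", strict_prepare_hmac_key)):
        print(name, "PEM:", confused_verifier_accepts(PEM_PUBLIC_KEY, prep),
              "ssh-ed25519:", confused_verifier_accepts(OPENSSH_ED25519_KEY, prep))
```

The key-material check only matters once the verifier has already been tricked into running HS256 with an asymmetric key; the primary control is for the application to pin the allowed algorithms server-side and never let the token header choose. That is why backporting only the HMAC blocklist part of the upstream patch is a defence-in-depth improvement rather than a complete fix on its own.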