SUSE-SU-2021:2010-1: moderate: Security update for python-PyJWT
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Fri Jun 18 10:20:25 UTC 2021
SUSE Security Update: Security update for python-PyJWT
______________________________________________________________________________
Announcement ID: SUSE-SU-2021:2010-1
Rating: moderate
References: #1186173
Cross-References: CVE-2017-12880
CVSS scores:
CVE-2017-12880 (SUSE): 8.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Affected Products:
SUSE OpenStack Cloud 7
SUSE Linux Enterprise Module for Public Cloud 12
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for python-PyJWT fixes the following issues:
python-JWT was updated to 1.5.3. (bsc#1186173)
update to version 1.5.3:
* Changed
+ Increase required version of the cryptography package to >=1.4.0.
* Fixed
+ Remove uses of deprecated functions from the cryptography package.
+ Warn about missing algorithms param to decode() only when verify
param is True #281
update to version 1.5.2:
- Ensure correct arguments order in decode super call [7c1e61d][7c1e61d]
- Change optparse for argparse. [#238][238]
- Guard against PKCS1 PEM encododed public keys [#277][277]
- Add deprecation warning when decoding without specifying `algorithms`
[#277][277]
- Improve deprecation messages [#270][270]
- PyJWT.decode: move verify param into options [#271][271]
- Support for Python 3.6 [#262][262]
- Expose jwt.InvalidAlgorithmError [#264][264]
- Add support for ECDSA public keys in RFC 4253 (OpenSSH) format
[#244][244]
- Renamed commandline script `jwt` to `jwt-cli` to avoid issues with the
script clobbering the `jwt` module in some circumstances. [#187][187]
- Better error messages when using an algorithm that requires the
cryptography package, but it isn't available [#230][230]
- Tokens with future 'iat' values are no longer rejected [#190][190]
- Non-numeric 'iat' values now raise InvalidIssuedAtError instead of
DecodeError
- Remove rejection of future 'iat' claims [#252][252]
- Add back 'ES512' for backward compatibility (for now) [#225][225]
- Fix incorrectly named ECDSA algorithm [#219][219]
- Fix rpm build [#196][196]
- Add JWK support for HMAC and RSA keys [#202][202]
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE OpenStack Cloud 7:
zypper in -t patch SUSE-OpenStack-Cloud-7-2021-2010=1
- SUSE Linux Enterprise Module for Public Cloud 12:
zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2021-2010=1
Package List:
- SUSE OpenStack Cloud 7 (noarch):
python-PyJWT-1.5.3-3.13.1
- SUSE Linux Enterprise Module for Public Cloud 12 (noarch):
python-PyJWT-1.5.3-3.13.1
python3-PyJWT-1.5.3-3.13.1
References:
https://www.suse.com/security/cve/CVE-2017-12880.html
https://bugzilla.suse.com/1186173
More information about the sle-security-updates
mailing list