SUSE-SU-2021:2010-1: moderate: Security update for python-PyJWT

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Fri Jun 18 10:20:25 UTC 2021 

   SUSE Security Update: Security update for python-PyJWT
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:2010-1
Rating:             moderate
References:         #1186173 
Cross-References:   CVE-2017-12880
CVSS scores:
                    CVE-2017-12880 (SUSE): 8.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Module for Public Cloud 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for python-PyJWT fixes the following issues:

   python-JWT was updated to 1.5.3. (bsc#1186173)

   update to version 1.5.3:

     * Changed

       + Increase required version of the cryptography package to >=1.4.0.

     * Fixed

       + Remove uses of deprecated functions from the cryptography package.
       + Warn about missing algorithms param to decode() only when verify
         param is True #281


   update to version 1.5.2:

   - Ensure correct arguments order in decode super call [7c1e61d][7c1e61d]
   - Change optparse for argparse. [#238][238]
   - Guard against PKCS1 PEM encododed public keys [#277][277]
   - Add deprecation warning when decoding without specifying `algorithms`
     [#277][277]
   - Improve deprecation messages [#270][270]
   - PyJWT.decode: move verify param into options [#271][271]
   - Support for Python 3.6 [#262][262]
   - Expose jwt.InvalidAlgorithmError [#264][264]
   - Add support for ECDSA public keys in RFC 4253 (OpenSSH) format
     [#244][244]
   - Renamed commandline script `jwt` to `jwt-cli` to avoid issues with the
     script clobbering the `jwt` module in some circumstances. [#187][187]
   - Better error messages when using an algorithm that requires the
     cryptography package, but it isn't available [#230][230]
   - Tokens with future 'iat' values are no longer rejected [#190][190]
   - Non-numeric 'iat' values now raise InvalidIssuedAtError instead of
     DecodeError
   - Remove rejection of future 'iat' claims [#252][252]
   - Add back 'ES512' for backward compatibility (for now) [#225][225]
   - Fix incorrectly named ECDSA algorithm [#219][219]
   - Fix rpm build [#196][196]
   - Add JWK support for HMAC and RSA keys [#202][202]


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2021-2010=1

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2021-2010=1



Package List:

   - SUSE OpenStack Cloud 7 (noarch):

      python-PyJWT-1.5.3-3.13.1

   - SUSE Linux Enterprise Module for Public Cloud 12 (noarch):

      python-PyJWT-1.5.3-3.13.1
      python3-PyJWT-1.5.3-3.13.1


References:

   https://www.suse.com/security/cve/CVE-2017-12880.html
   https://bugzilla.suse.com/1186173

More information about the sle-security-updates mailing list