Security update for python3-PyJWT SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2820-1 Final 1 1 2017-10-20T17:47:57Z current 2017-10-20T17:47:57Z 2017-10-20T17:47:57Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python3-PyJWT This update for python3-PyJWT fixes the following vulnerabilty: * CVE-2017-11424: Insufficient filtering of PEM encoding public keys allowed for creation of JWTs from scratch (boo#1054106, with duplicate CVE-2017-12880) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-10/msg00071.html E-Mail link for openSUSE-SU-2017:2820-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 python3-PyJWT-1.4.2-3.1 python3-PyJWT-1.4.2-3.1 as a component of openSUSE Leap 42.3 In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch. CVE-2017-11424 openSUSE Leap 42.3:python3-PyJWT-1.4.2-3.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00071.html https://www.suse.com/security/cve/CVE-2017-11424.html CVE-2017-11424 https://bugzilla.suse.com/1054106 SUSE Bug 1054106 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-11424. Reason: This candidate is a duplicate of CVE-2017-11424. Notes: All CVE users should reference CVE-2017-11424 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2017-12880 openSUSE Leap 42.3:python3-PyJWT-1.4.2-3.1 moderate 5.5 AV:N/AC:L/Au:S/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-10/msg00071.html https://www.suse.com/security/cve/CVE-2017-12880.html CVE-2017-12880 https://bugzilla.suse.com/1054106 SUSE Bug 1054106