Bug 30485

Summary: python-pyjwt new security issue CVE-2022-29217
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs, yvesbrungard
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: python-pyjwt-2.0.1-4.mga9.src.rpm
CVE:
Status comment:

Description David Walser 2022-05-27 13:25:29 CEST
Fedora has issued an advisory today (May 27):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6HIYEYZRQEP6QTHT3EHH3RGFYJIHIMAO/

The issue is fixed upstream in 2.4.0:
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24

Mageia 8 is also affected.

David Walser 2022-05-27 13:26:16 CEST

Assignee: bugsquad => python
Status comment: (none) => Fixed upstream in 2.4.0
Whiteboard: (none) => MGA8TOO

Comment 1 papoteur 2022-06-20 12:10:05 CEST
New release is now built:
python3-pyjwt-2.4.0-1.mga8.noarch.rpm

Sources:
python-pyjwt-2.4.0-1.mga8.src.rpm

Assignee: python => qa-bugs
CC: (none) => yves.brungard_mageia
Status comment: Fixed upstream in 2.4.0 => (none)

Comment 2 papoteur 2022-06-20 12:12:59 CEST
This module is used by:
ceph-mgr
buildbot-master
python3-pygithub

papoteur 2022-06-20 12:13:24 CEST

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 3 Herman Viaene 2022-06-24 16:46:32 CEST
MGA8-64 Plasma on Acer Aspire 5253
No installation issues
Had a quick look at the packages using this, but this is all stuff deep into python development. Way over my head. And there isn't a previous update to refer to.
Is it acceptable to OK this on clean install???

CC: (none) => herman.viaene

Comment 4 David Walser 2022-06-24 16:59:31 CEST
That sounds reasonable.

Herman Viaene 2022-06-24 17:12:50 CEST

Whiteboard: (none) => MGA8-64-OK

Comment 5 Dave Hodgins 2022-06-24 17:38:40 CEST
Yes, validate on clean update over the prior version.

CC: (none) => davidwhodgins

Comment 6 Thomas Andrews 2022-06-24 21:36:56 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-06-30 20:38:36 CEST

Keywords: (none) => advisory

Comment 7 Mageia Robot 2022-06-30 23:32:09 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0244.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED