Bug 30485 - python-pyjwt new security issue CVE-2022-29217
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
 
Reported: 2022-05-27 13:25 CEST by David Walser
Modified: 2022-06-30 23:32 CEST

Source RPM: python-pyjwt-2.0.1-4.mga9.src.rpm

Description David Walser 2022-05-27 13:25:29 CEST
Fedora has issued an advisory today (May 27):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6HIYEYZRQEP6QTHT3EHH3RGFYJIHIMAO/

The issue is fixed upstream in 2.4.0:
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24

Mageia 8 is also affected.

David Walser 2022-05-27 13:26:16 CEST

Assignee: bugsquad => python
Status comment: (none) => Fixed upstream in 2.4.0
Whiteboard: (none) => MGA8TOO

Comment 1 papoteur 2022-06-20 12:10:05 CEST
New release is now built:
python3-pyjwt-2.4.0-1.mga8.noarch.rpm

Sources:
python-pyjwt-2.4.0-1.mga8.src.rpm

Assignee: python => qa-bugs
CC: (none) => yves.brungard_mageia
Status comment: Fixed upstream in 2.4.0 => (none)

Comment 2 papoteur 2022-06-20 12:12:59 CEST
This module is used by:
ceph-mgr
buildbot-master
python3-pygithub

papoteur 2022-06-20 12:13:24 CEST

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 3 Herman Viaene 2022-06-24 16:46:32 CEST
MGA8-64 Plasma on Acer Aspire 5253
No installation issues
Had a quick look at the packages using this, but this is all stuff deep into python development. Way over my head. And there isn't a previous update to refer to.
Is it acceptable to OK this on clean install???

CC: (none) => herman.viaene

Comment 4 David Walser 2022-06-24 16:59:31 CEST
That sounds reasonable.

Herman Viaene 2022-06-24 17:12:50 CEST

Whiteboard: (none) => MGA8-64-OK

Comment 5 Dave Hodgins 2022-06-24 17:38:40 CEST
Yes, validate on clean update over the prior version.

CC: (none) => davidwhodgins

Comment 6 Thomas Andrews 2022-06-24 21:36:56 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-06-30 20:38:36 CEST

Keywords: (none) => advisory

Comment 7 Mageia Robot 2022-06-30 23:32:09 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0244.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

