From URL:
----
I found many libraries with critical vulnerabilities allowing attackers to bypass the verification step.
----
Upstream's advisory is a blog post with analysis: no concise explanations that are logical without the (long) context of the post.

http://www.openwall.com/lists/oss-security/2015/04/01/4
https://github.com/jpadilla/pyjwt/commit/88a9fc56bdc6c870aa6af93bda401414a217db2a
http://jwt.io/

There is no CVE for this bug as far as I can see, although CVE-2015-2951 is assigned to the PHP library. jwt.io says <1.0.1 is vulnerable.

In our tree, we have:
0.2.1 (stable) (vulnerable)
1.3.0 (unstable) (invulnerable)

Is 1.3.0 OK for stabilisation?

Reproducible: Always
With the fast tracking of security status, this looks fine. Arch teams, please stabilise dev-python/pyjwt-1.3.0.
Arm keyword was dropped:

30 May 2015; Maxim Koltsov <maksbotan@gentoo.org> +pyjwt-1.3.0.ebuild: 17
Bump to 1.3.0. Dropped arm keyword as dev-python/pytest-runner doesn't have it
amd64 stable
x86 stable
Arches, thank you for your work.

CVE Requested - http://seclists.org/oss-sec/2015/q2/3

Arm went non-stable for this version (see comment 2).

Maintainer(s), please drop the vulnerable version(s).

Security, please vote.

GLSA Vote: No
15 Jul 2015; Ian Delaney <idella4@gentoo.org> -pyjwt-0.2.1.ebuild, pyjwt-1.3.0.ebuild:
drop old wrt bug #551556
Still pending a CVE. Need votes for GLSA.
GLSA Vote: No
GLSA vote: no