Hello, sorry for the delay and thanks Thomas: I had forgotten to subscribe to pyjwt : (
On Thursday 09 April 2015 09:19:03 Thomas Goirand wrote: > If the package isn't vulnerable, shouldn't this bug report be closed? If > that's the case, then I'll let you close it. In the mean while, I'll > downgrade the severity to normal, in order to not remove the package > (and its rev-dependencies) from testing. My plan is to package pyjwt 1.0.1 soon: it's not vulnerable since the fix mentioned by Luke was applied to 1.0.0. I'm leaving this open for now, but I agree with Thomas: 0.2.1 is not vulnerable to alg=”none” bug, so we can close this bug. Kind regards, -- Daniele Tricoli 'Eriol' http://mornie.org -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
