On 11 April 2015 at 13:37, Daniele Tricoli <er...@mornie.org> wrote:
> On Thursday 09 April 2015 09:19:03 Thomas Goirand wrote:
> > If the package isn't vulnerable, shouldn't this bug report be closed? If
> > that's the case, then I'll let you close it. In the meanwhile, I'll
> > downgrade the severity to normal, in order to not remove the package
> > (and its rev-dependencies) from testing.
>
However, the package is vulnerable to the other issue:

- If the secretKey was expected to be an RSA public key, but the attacker
  changed the header to indicate a signature algorithm of HMAC, the RSA
  public key would be used as the signing secret.

I think it is important that this issue is corrected in jessie.
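
The issue described in the message above, as an added example that is not part of the original e-mail and not the package's own code: a verifier that lets the token header choose the algorithm, next to one where the caller pins the algorithms and PEM key material is refused as an HMAC secret. All function names are hypothetical, the PEM value is a constructed placeholder rather than a real key, and only the HMAC path is modelled (RSA verification is omitted).

```python
import base64, hashlib, hmac, json

# Constructed placeholder standing in for a published RSA public key (not a real key).
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNURUQ=\n-----END PUBLIC KEY-----\n"
PEM_MARKERS = (b"-----BEGIN PUBLIC KEY-----", b"-----BEGIN CERTIFICATE-----",
               b"-----BEGIN RSA PUBLIC KEY-----", b"ssh-rsa")

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + b"=" * (-len(seg) % 4))

def sign_hs256(payload, secret):
    """Build an HS256 token; used here only to create test input."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, header + b"." + body, hashlib.sha256).digest()
    return header + b"." + body + b"." + b64url(sig)

def _check_hmac(token, key):
    signing_input, _, sig = token.rpartition(b".")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def header_alg(token):
    return json.loads(b64url_decode(token.split(b".")[0]))["alg"]

def naive_verify(token, key):
    """Flawed: the token's own header picks the algorithm for the caller's key."""
    if header_alg(token) == "HS256":
        return _check_hmac(token, key)
    raise ValueError("only the HMAC path is modelled in this sketch")

def pinned_verify(token, key, algorithms):
    """Hardened: the caller pins the algorithms; PEM keys are never HMAC secrets."""
    alg = header_alg(token)
    if alg not in algorithms:
        raise ValueError("algorithm %r not allowed for this key" % alg)
    if alg == "HS256":
        if any(marker in key for marker in PEM_MARKERS):
            raise ValueError("asymmetric key material refused as HMAC secret")
        return _check_hmac(token, key)
    raise ValueError("only the HMAC path is modelled in this sketch")
```

A service that expects RSA signatures would call `pinned_verify(token, key, ["RS256"])`, so a token whose header says HS256 is rejected before any HMAC is computed.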