On Saturday 11 April 2015 14:50:19 Luke Faraone wrote:
> However, the package is vulnerable to the other issue:
>
> - If the secretKey was expected to be an RSA public key, but the attacker
>   changed the header to indicate a signature algorithm of HMAC, the RSA
>   public key would be used as the signing secret.
Thanks for the details; I initially thought there was only one bug. For this, shouldn't we backport only the following patch?
https://github.com/jpadilla/pyjwt/commit/6a84d73f5a48488d3daf554a69500c3f42bb464d

> I think it is important that this issue is corrected in jessie.

Definitely, I will work on it today or tomorrow.

Kind regards,

--
Daniele Tricoli 'Eriol'
http://mornie.org
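Added example, not pyjwt's code and not taken from the patch linked above: a minimal HS256 verifier showing the two defensive checks the thread is about, refusing PEM or SSH public-key text as an HMAC secret and letting the caller, not the token header, decide which algorithms are accepted. The names prepare_hmac_key, decode, is_rejected and the marker list are this example's own assumptions; only HS256 is implemented.

```python
import base64
import hashlib
import hmac
import json

# Constructed illustration, not pyjwt's code: an HMAC key-type check plus a caller-chosen algorithm allowlist.
PUBLIC_KEY_MARKERS = (b"-----BEGIN PUBLIC KEY-----", b"-----BEGIN CERTIFICATE-----", b"ssh-rsa")

class InvalidTokenError(ValueError):
    pass

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def prepare_hmac_key(key: bytes) -> bytes:
    # Refuse asymmetric public-key material as an HMAC secret, whatever the header claims.
    if key.lstrip().startswith(PUBLIC_KEY_MARKERS):
        raise InvalidTokenError("public key material cannot be used as an HMAC secret")
    return key

def encode_hs256(payload: dict, key: bytes) -> str:
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(prepare_hmac_key(key), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def decode(token: str, key: bytes, algorithms: list) -> dict:
    # The verifier, not the token header, decides which algorithms are acceptable.
    header_b64, body_b64, sig_b64 = token.split(".")  # ValueError if not three parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in algorithms:
        raise InvalidTokenError(f"algorithm {alg!r} not in allowlist")
    if alg != "HS256":  # only HS256 is implemented in this illustration
        raise InvalidTokenError(f"no verifier for {alg!r} here")
    expected = hmac.new(prepare_hmac_key(key), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidTokenError("signature mismatch")
    return json.loads(_b64url_decode(body_b64))

def is_rejected(token: str, key: bytes, algorithms: list) -> bool:
    # True when verification fails for any reason: wrong key type, disallowed alg, bad signature, malformed token.
    try:
        decode(token, key, algorithms)
    except ValueError:  # InvalidTokenError, base64 and JSON errors all derive from ValueError
        return True
    return False
```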