Sicherheit: Preisgabe von Informationen in python-PyJWT
Aktuelle Meldungen Distributionen
Name: Preisgabe von Informationen in python-PyJWT
ID: SUSE-SU-2021:2010-1
Distribution: SUSE
Plattformen: SUSE Linux Enterprise Module for Public Cloud 12, SUSE OpenStack Cloud 7
Datum: Fr, 18. Juni 2021, 19:10
Referenzen: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12880
Applikationen: python-PyJWT


SUSE Security Update: Security update for python-PyJWT

Announcement ID: SUSE-SU-2021:2010-1
Rating: moderate
References: #1186173
Cross-References: CVE-2017-12880
CVSS scores:
CVE-2017-12880 (SUSE): 8.2

Affected Products:
SUSE OpenStack Cloud 7
SUSE Linux Enterprise Module for Public Cloud 12

An update that fixes one vulnerability is now available.


This update for python-PyJWT fixes the following issues:

python-JWT was updated to 1.5.3. (bsc#1186173)

update to version 1.5.3:

* Changed

+ Increase required version of the cryptography package to >=1.4.0.

* Fixed

+ Remove uses of deprecated functions from the cryptography package.
+ Warn about missing algorithms param to decode() only when verify
param is True #281

update to version 1.5.2:

- Ensure correct arguments order in decode super call [7c1e61d][7c1e61d]
- Change optparse for argparse. [#238][238]
- Guard against PKCS1 PEM encododed public keys [#277][277]
- Add deprecation warning when decoding without specifying `algorithms`
- Improve deprecation messages [#270][270]
- PyJWT.decode: move verify param into options [#271][271]
- Support for Python 3.6 [#262][262]
- Expose jwt.InvalidAlgorithmError [#264][264]
- Add support for ECDSA public keys in RFC 4253 (OpenSSH) format
- Renamed commandline script `jwt` to `jwt-cli` to avoid issues with the
script clobbering the `jwt` module in some circumstances. [#187][187]
- Better error messages when using an algorithm that requires the
cryptography package, but it isn't available [#230][230]
- Tokens with future 'iat' values are no longer rejected [#190][190]
- Non-numeric 'iat' values now raise InvalidIssuedAtError instead of
- Remove rejection of future 'iat' claims [#252][252]
- Add back 'ES512' for backward compatibility (for now) [#225][225]
- Fix incorrectly named ECDSA algorithm [#219][219]
- Fix rpm build [#196][196]
- Add JWK support for HMAC and RSA keys [#202][202]

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud 7:

zypper in -t patch SUSE-OpenStack-Cloud-7-2021-2010=1

- SUSE Linux Enterprise Module for Public Cloud 12:

zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2021-2010=1

Package List:

- SUSE OpenStack Cloud 7 (noarch):


- SUSE Linux Enterprise Module for Public Cloud 12 (noarch):



Pro-Linux @Facebook
Neue Nachrichten