|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2024-33663: python-python-jose: algorithm confusion with OpenSSH ECDSA keys and other key formats | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | IN_PROGRESS --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | ||
| Priority: | P3 - Medium | CC: | camila.matos, mcepl, meissner |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/403209/ | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2024-33663:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
|
Description
SMASH SMASH
2024-04-26 11:02:02 UTC
Upstream project looks a bit "unmaintained". There's also an old (May 2023) discussion about this in the fastapi github project [1], and other projects are replacing python-jose with pyJWT, it's something to consider. [1] https://github.com/tiangolo/fastapi/discussions/9587 PR created upstream: https://github.com/mpdavis/python-jose/pull/349 This is an autogenerated message for OBS integration: This bug (1223417) was mentioned in https://build.opensuse.org/request/show/1172135 Factory / python-python-jose This is an autogenerated message for OBS integration: This bug (1223417) was mentioned in https://build.opensuse.org/request/show/1172142 Backports:SLE-15-SP5 / python-python-jose openSUSE-SU-2024:0118-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1223417 CVE References: CVE-2024-33663 JIRA References: Sources used: openSUSE Backports SLE-15-SP5 (src): python-python-jose-3.0.1-bp155.3.3.1 |