Bugzilla – Bug 1223417
VUL-0: CVE-2024-33663: python-python-jose: algorithm confusion with OpenSSH ECDSA keys and other key formats
Last modified: 2024-06-10 10:58:24 UTC
python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-33663
https://www.cve.org/CVERecord?id=CVE-2024-33663
https://github.com/mpdavis/python-jose/issues/346
https://bugzilla.redhat.com/show_bug.cgi?id=2277297
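The confusion pattern the description refers to, as an added stand-alone example (not python-jose's code and not the upstream fix): a verifier is configured with an ECDSA public key in OpenSSH text form, the token's own "alg" header is trusted, and the same key string is fed to HMAC when the header says HS256. Since the public key is not secret, an attacker can mint a valid HS256 token from it. The hardened variant pins the algorithm on the caller's side and refuses HMAC secrets that look like public-key material (PEM, certificate, OpenSSH text, or a non-"oct" JWK). The OpenSSH key string is a constructed placeholder, and the marker list is an illustrative assumption rather than the exact list any library uses; everything is standard library only, since Python's stdlib has no ECDSA and the attacker never needs it.

```python
import base64
import hashlib
import hmac
import json

# Constructed example input (a placeholder, not a real key and not taken from
# the bug report): an OpenSSH-format ECDSA public key as a verifier might load
# it from an authorized_keys-style file. Only its textual shape matters here.
OPENSSH_ECDSA_PUBKEY = (
    "ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPLACEHOLDER== "
    "alice@example"
)

# Key material that must never be accepted as an HMAC secret. Illustrative
# list for this example (an assumption), not any library's exact list.
ASYMMETRIC_KEY_MARKERS = (
    b"-----BEGIN PUBLIC KEY-----",
    b"-----BEGIN RSA PUBLIC KEY-----",
    b"-----BEGIN EC PUBLIC KEY-----",
    b"-----BEGIN CERTIFICATE-----",
    b"ssh-rsa ",
    b"ssh-dss ",
    b"ssh-ed25519 ",
    b"ecdsa-sha2-",
)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(claims: dict, secret: bytes) -> str:
    """Minimal HS256 JWT signer (this example's own, not python-jose's API)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    tag = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(tag)}"


def forge_with_public_key(public_key: str, claims: dict) -> str:
    """Attacker step: the public key is not secret, so anyone can use its
    bytes as an HMAC secret and mint an HS256 token."""
    return hs256_sign(claims, public_key.encode())


def _check_hs256(signing_input: str, sig_b64: str, secret: bytes) -> bool:
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def vulnerable_verify(token: str, key: str) -> dict:
    """Confusion pattern: configured with the ECDSA public key (intending
    ES256), but dispatches on the token's alg header and, for HS256, feeds
    that same key string to HMAC."""
    h, p, s = token.split(".")
    alg = json.loads(_b64url_decode(h)).get("alg")
    if alg == "HS256":
        if not _check_hs256(f"{h}.{p}", s, key.encode()):
            raise ValueError("bad signature")
        return json.loads(_b64url_decode(p))
    # The intended ES256 branch would need an ECDSA implementation; omitted,
    # because the attacker never reaches it.
    raise NotImplementedError(f"alg {alg!r} not handled in this example")


def looks_like_asymmetric_key(key) -> bool:
    """True for PEM, certificate and OpenSSH text, and for a JWK dict whose
    kty is not 'oct' (i.e. any RSA/EC/OKP JWK)."""
    if isinstance(key, dict):
        return key.get("kty") != "oct"
    data = key if isinstance(key, bytes) else str(key).encode()
    return any(marker in data for marker in ASYMMETRIC_KEY_MARKERS)


def hardened_verify(token: str, key, expected_alg: str) -> dict:
    """Two checks the vulnerable path lacks: the caller pins the algorithm,
    and the HMAC path refuses anything that looks like public-key material."""
    h, p, s = token.split(".")
    alg = json.loads(_b64url_decode(h)).get("alg")
    if alg != expected_alg:
        raise ValueError(f"alg {alg!r} rejected; expected {expected_alg!r}")
    if expected_alg == "HS256":
        if looks_like_asymmetric_key(key):
            raise ValueError("asymmetric key material used as HMAC secret")
        # An 'oct' JWK carries its secret base64url-encoded in "k" (RFC 7518).
        secret = _b64url_decode(key["k"]) if isinstance(key, dict) else key.encode()
        if not _check_hs256(f"{h}.{p}", s, secret):
            raise ValueError("bad signature")
        return json.loads(_b64url_decode(p))
    raise NotImplementedError(f"alg {expected_alg!r} not handled in this example")


def hardened_accepts(token: str, key, expected_alg: str) -> bool:
    """Convenience wrapper: True only if hardened_verify accepts the token."""
    try:
        hardened_verify(token, key, expected_alg)
        return True
    except (ValueError, NotImplementedError):
        return False


if __name__ == "__main__":
    forged = forge_with_public_key(OPENSSH_ECDSA_PUBKEY, {"sub": "admin"})
    print("vulnerable verifier accepts forged token:", vulnerable_verify(forged, OPENSSH_ECDSA_PUBKEY))
    print("hardened verifier accepts forged token:", hardened_accepts(forged, OPENSSH_ECDSA_PUBKEY, "ES256"))
```

Note that the marker check is a defence in depth, not a substitute for pinning the algorithm: the first check in hardened_verify (header alg must equal what the caller configured) already blocks the forgery on its own, and the second catches deployments that pass an asymmetric key where a shared secret was expected.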
Upstream project looks a bit "unmaintained". There's also an old (May 2023) discussion about this in the fastapi GitHub project [1], and other projects are replacing python-jose with PyJWT; it's something to consider.
[1] https://github.com/tiangolo/fastapi/discussions/9587
PR created upstream: https://github.com/mpdavis/python-jose/pull/349
This is an autogenerated message for OBS integration: This bug (1223417) was mentioned in https://build.opensuse.org/request/show/1172135 Factory / python-python-jose
This is an autogenerated message for OBS integration: This bug (1223417) was mentioned in https://build.opensuse.org/request/show/1172142 Backports:SLE-15-SP5 / python-python-jose
openSUSE-SU-2024:0118-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1223417
CVE References: CVE-2024-33663
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): python-python-jose-3.0.1-bp155.3.3.1