[Bug 1986487] Re: python3-jwt (2.3.0-1ubuntu0.1) contains pyjwt 2.4.0 metadata but install 2.3.0 library
Lucas Kanashiro
1986487 at bugs.launchpad.net
Tue Aug 16 18:31:40 UTC 2022
Thanks for taking the time to report this bug and trying to make Ubuntu
better.
You are right, in the latest security fix the patch includes the
following:
```
--- a/jwt/__init__.py
+++ b/jwt/__init__.py
@@ -25,7 +25,7 @@
)
from .jwks_client import PyJWKClient
-__version__ = "2.3.0"
+__version__ = "2.4.0"
__title__ = "PyJWT"
```
Which bumps the version to 2.4.0. This is a security update regression,
I believe we should have skipped this part to avoid bumping the version
and backporting just the relevant part for the CVE fix. I am subscribing
the security-team to see how can we sort this out.
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to pyjwt in Ubuntu.
https://bugs.launchpad.net/bugs/1986487
Title:
python3-jwt (2.3.0-1ubuntu0.1) contains pyjwt 2.4.0 metadata but
install 2.3.0 library
Status in pyjwt package in Ubuntu:
New
Bug description:
The security update version of this package contains the metadata for
PyJWT 2.4.0, not 2.3.0 that it installs. This doesn't happen in the
2.3.0-1 package.
# dpkg -L python3-jwt
/.
/usr
/usr/lib
/usr/lib/python3
/usr/lib/python3/dist-packages
/usr/lib/python3/dist-packages/PyJWT-2.4.0.egg-info
/usr/lib/python3/dist-packages/PyJWT-2.4.0.egg-info/PKG-INFO
/usr/lib/python3/dist-packages/PyJWT-2.4.0.egg-info/dependency_links.txt
/usr/lib/python3/dist-packages/PyJWT-2.4.0.egg-info/not-zip-safe
/usr/lib/python3/dist-packages/PyJWT-2.4.0.egg-info/requires.txt
/usr/lib/python3/dist-packages/PyJWT-2.4.0.egg-info/top_level.txt
/usr/lib/python3/dist-packages/jwt
/usr/lib/python3/dist-packages/jwt/__init__.py
/usr/lib/python3/dist-packages/jwt/algorithms.py
/usr/lib/python3/dist-packages/jwt/api_jwk.py
/usr/lib/python3/dist-packages/jwt/api_jws.py
/usr/lib/python3/dist-packages/jwt/api_jwt.py
/usr/lib/python3/dist-packages/jwt/exceptions.py
/usr/lib/python3/dist-packages/jwt/help.py
/usr/lib/python3/dist-packages/jwt/jwks_client.py
/usr/lib/python3/dist-packages/jwt/py.typed
/usr/lib/python3/dist-packages/jwt/utils.py
/usr/share
/usr/share/doc
/usr/share/doc/python3-jwt
/usr/share/doc/python3-jwt/NEWS.Debian.gz
/usr/share/doc/python3-jwt/README.rst
/usr/share/doc/python3-jwt/changelog.Debian.gz
/usr/share/doc/python3-jwt/copyright
# dpkg -s python3-jwt
Package: python3-jwt
Status: install ok installed
Priority: optional
Section: python
Installed-Size: 82
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Architecture: all
Source: pyjwt
Version: 2.3.0-1ubuntu0.1
Depends: python3:any
Recommends: python3-cryptography
Suggests: python3-crypto
Description: Python 3 implementation of JSON Web Token
PyJWT implements the JSON Web Token draft 01, a way of representing
signed content using JSON data structures.
.
Supported algorithms for cryptographic signing:
.
* HS256 - HMAC using SHA-256 hash algorithm (default)
* HS384 - HMAC using SHA-384 hash algorithm
* HS512 - HMAC using SHA-512 hash algorithm
* RS256 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-256 hash
algorithm
* RS384 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-384 hash
algorithm
* RS512 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-512 hash
algorithm
.
Supported reserved claim names:
- "exp" (Expiration Time) Claim
.
This package contains the Python 3 version of the library.
Homepage: https://github.com/jpadilla/pyjwt
Original-Maintainer: Debian Python Team <team+python at tracker.debian.org>
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pyjwt/+bug/1986487/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list