Bug 46976 - pyjwt: Multiple issues (4.1, 4.2) [office365]
Status: CLOSED WORKSFORME
Product: UCS
Classification: Unclassified
Component: Office 365
Version: UCS 4.2
Hardware: All Linux
Importance: P1 normal
Target Milestone: UCS 4.4-1-errata
Assigned To: Daniel Tröder
QA Contact: Erik Damrose
URL: https://security-tracker.debian.org/t...
Depends on: 46157
Reported: 2018-05-08 12:13 CEST by Philipp Hahn
Modified: 2019-08-09 11:36 CEST (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
hahn: Patch_Available+
Description Philipp Hahn univentionstaff 2018-05-08 12:13:31 CEST
The scope "office365" contains a vulnerable version of "pyjwt", which is neither from Debian-Stretch (9) nor Debian-Jessie (8):

Version 0.2.1-1+deb8u2  Rev 123058      Date 2018-01-24 09:23:42
        Release 4.2-0-0 Scope errata4.2-3
Version 1.3.0-1 Rev 77818       Date 2016-02-01 15:32:00
        Release 4.1-0-0 Scope office365
        Release 4.2-0-0 Scope office365
Version 1.4.2-1+deb9u1  Rev 109115      Date 2017-11-03 18:24:16
        Release 4.3-0-0

According to <https://security-tracker.debian.org/tracker/CVE-2017-11424> it is vulnerable. A patch is linked at that page.

Please fix the issue yourself or update to a maintained version.

Please do not copy arbitrary versions into our repositories in the future and expect the security maintainers to track those versions without contacting us in advance.

+++ This bug was initially created as a clone of Bug #46157 +++
Comment 1 Daniel Tröder univentionstaff 2018-05-08 13:29:45 CEST
(In reply to Philipp Hahn from comment #0)
> Please do not copy arbitrary versions into our repositories in the future
> and expect the security maintainers to track those versions without
> contacting us in advance.
The package was in Debian testing, at the time it was imported: https://tracker.debian.org/news/698182/pyjwt-130-1-migrated-to-testing/
Comment 2 Florian Best univentionstaff 2019-04-24 15:14:05 CEST
Relevant for UCS 4.3 / 4.4?
Comment 3 Mathieu Simon 2019-08-08 16:08:25 CEST
Hi

Based on the output of apt-cache policy on UCS 4.4-1 I'd say that this issue is not affecting 4.3 and 4.4 anymore:

# apt-cache policy python-jwt
python-jwt:
  Installed: 1.4.2-1+deb9u1
  Candidate: 1.4.2-1+deb9u1
  Version table:
 *** 1.4.2-1+deb9u1 500
        500 https://updates.software-univention.de/4.3/maintained 4.3-0/all/ Packages
        100 /var/lib/dpkg/status
     0.2.1-1+deb8u2 500
        500 https://updates.software-univention.de/4.2/maintained 4.2-4/all/ Packages
     0.2.1-1+deb8u1 500
        500 https://updates.software-univention.de/4.2/maintained 4.2-0/all/ Packages

Even 4.2-4 onwards contains a package version that the Debian security tracker lists as fixed. IMHO this issue could be closed as resolved.
Comment 4 Daniel Tröder univentionstaff 2019-08-09 10:55:45 CEST
@Mathieu Simon: thank you for checking this.

It is as he says:

root@m150:~# univention-app info
UCS: 4.4-1 errata186
Installed: [..] office365=2.6 [..]

root@m150:~# dpkg -l python-jwt
ii  python-jwt                  1.4.2-1+deb9u1     all

root@m150:~# apt-cache policy python-jwt
[same as in comment3]
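A scripted form of the check done by hand in comments 3 and 4, added here as an example (not code from the thread or from Univention): it reads the Installed: line from apt-cache policy output and compares it to the stretch version the thread names as fixed, using dpkg's version-ordering rules reimplemented in Python so it runs offline. The sample policy output and the fixed version are taken from the thread; no other names or values are assumed.

```python
import re

# Constructed sample input: the top of the apt-cache policy output quoted in comment 3.
APT_CACHE_POLICY = "python-jwt:\n  Installed: 1.4.2-1+deb9u1\n  Candidate: 1.4.2-1+deb9u1\n"
FIXED_STRETCH = "1.4.2-1+deb9u1"  # version the thread reports as fixed on the Debian tracker

def _char_order(c):
    # dpkg ordering inside non-digit chunks: '~' sorts before end-of-string (0),
    # letters before any other character ('+', '.', ...).
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # dpkg algorithm: alternate non-digit chunks (via _char_order) and digit
    # chunks (numerically) until both strings are consumed.
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa = _char_order(na[i]) if i < len(na) else 0
            ob = _char_order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def split_version(v):
    # '[epoch:]upstream[-debian_revision]'; the revision follows the last '-'.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    # Same result as `dpkg --compare-versions`: -1, 0 or 1.
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def installed_version(policy_output):
    # 'Installed:' line of apt-cache policy; None when the package is not installed.
    m = re.search(r"^\s*Installed:\s*(\S+)", policy_output, re.M)
    return None if m is None or m.group(1) == "(none)" else m.group(1)

def is_fixed(version, fixed_version=FIXED_STRETCH):
    return compare_versions(version, fixed_version) >= 0
```

Feed it the real output of `apt-cache policy python-jwt` on a host to get the same answer the thread reached for 4.4-1; the fixed version must be the one for that host's Debian base.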
Comment 5 Erik Damrose univentionstaff 2019-08-09 11:36:08 CEST
Verified, maintained UCS versions contain the package without the security issue.