Univention Bugzilla – Full Text Bug Listing
Summary: | pyjwt: Multiple issues (4.1, 4.2) [office365] | ||
---|---|---|---|
Product: | UCS | Reporter: | Philipp Hahn <hahn> |
Component: | Office 365 | Assignee: | Daniel Tröder <troeder> |
Status: | CLOSED WORKSFORME | QA Contact: | Erik Damrose <damrose> |
Severity: | normal | ||
Priority: | P1 | CC: | best, mathieu.simon, requate, troeder |
Version: | UCS 4.2 | Flags: | hahn: Patch_Available+ |
Target Milestone: | UCS 4.4-1-errata | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://security-tracker.debian.org/tracker/CVE-2017-11424 | ||
What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: | 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) | ||
Bug Depends on: | 46157 | ||
Bug Blocks: |
Description
Philipp Hahn
2018-05-08 12:13:31 CEST
(In reply to Philipp Hahn from comment #0)
> Please do not copy arbitrary versions into our repositories in the future
> and expect the security maintainers to track those versions without
> contacting us in advance.

The package was in Debian testing, at the time it was imported:
https://tracker.debian.org/news/698182/pyjwt-130-1-migrated-to-testing/

Relevant for UCS 4.3 / 4.4?

Hi

Based on the output of apt-cache policy on UCS 4.4-1 I'd say that this issue is not affecting 4.3 and 4.4 anymore:

    # apt-cache policy python-jwt
    python-jwt:
      Installed: 1.4.2-1+deb9u1
      Candidate: 1.4.2-1+deb9u1
      Version table:
     *** 1.4.2-1+deb9u1 500
            500 https://updates.software-univention.de/4.3/maintained 4.3-0/all/ Packages
            100 /var/lib/dpkg/status
         0.2.1-1+deb8u2 500
            500 https://updates.software-univention.de/4.2/maintained 4.2-4/all/ Packages
         0.2.1-1+deb8u1 500
            500 https://updates.software-univention.de/4.2/maintained 4.2-0/all/ Packages

Even 4.2-4 onwards contains a package version that the Debian security tracker lists as fixed.
IMHO this issue could be closed as resolved.

@Mathieu Simon: thank you for checking this.
It is as he says:

    root@m150:~# univention-app info
    UCS: 4.4-1 errata186
    Installed: [..] office365=2.6 [..]
    root@m150:~# dpkg -l python-jwt
    ii python-jwt 1.4.2-1+deb9u1 all
    root@m150:~# apt-cache policy python-jwt
    [same as in comment3]

Verified, maintained UCS versions contain the package without the security issue.