Univention Bugzilla – Bug 46976
pyjwt: Multiple issues (4.1, 4.2) [office365]
Last modified: 2019-08-09 11:36:14 CEST
The scope "office365" contains a vulnerable version of "pyjwt", which is neither from Debian-Stretch (9) nor Debian-Jessie (8):

Version           Rev     Date                 Release  Scope
0.2.1-1+deb8u2    123058  2018-01-24 09:23:42  4.2-0-0  errata4.2-3
1.3.0-1           77818   2016-02-01 15:32:00  4.1-0-0  office365
                                               4.2-0-0  office365
1.4.2-1+deb9u1    109115  2017-11-03 18:24:16  4.3-0-0

According to <https://security-tracker.debian.org/tracker/CVE-2017-11424> it is vulnerable. A patch is linked at that page. Please fix the issue yourself or update to a maintained version. Please do not copy arbitrary versions into our repositories in the future and expect the security maintainers to track those versions without contacting us in advance.

+++ This bug was initially created as a clone of Bug #46157 +++
(In reply to Philipp Hahn from comment #0)
> Please do not copy arbitrary versions into our repositories in the future
> and expect the security maintainers to track those versions without
> contacting us in advance.

The package was in Debian testing at the time it was imported: https://tracker.debian.org/news/698182/pyjwt-130-1-migrated-to-testing/
Relevant for UCS 4.3 / 4.4?
Hi

Based on the output of apt-cache policy on UCS 4.4-1 I'd say that this issue is not affecting 4.3 and 4.4 anymore:

# apt-cache policy python-jwt
python-jwt:
  Installed: 1.4.2-1+deb9u1
  Candidate: 1.4.2-1+deb9u1
  Version table:
 *** 1.4.2-1+deb9u1 500
        500 https://updates.software-univention.de/4.3/maintained 4.3-0/all/ Packages
        100 /var/lib/dpkg/status
     0.2.1-1+deb8u2 500
        500 https://updates.software-univention.de/4.2/maintained 4.2-4/all/ Packages
     0.2.1-1+deb8u1 500
        500 https://updates.software-univention.de/4.2/maintained 4.2-0/all/ Packages

Even 4.2-4 onwards contains a package version that the Debian security tracker lists as fixed. IMHO this issue could be closed as resolved.
@Mathieu Simon: thank you for checking this. It is as he says:

root@m150:~# univention-app info
UCS: 4.4-1 errata186
Installed: [..] office365=2.6 [..]
root@m150:~# dpkg -l python-jwt
ii  python-jwt  1.4.2-1+deb9u1  all
root@m150:~# apt-cache policy python-jwt
[same as in comment 3]
Verified, maintained UCS versions contain the package without the security issue.