| Name | TEMP-0781640-F16931 |
| Description | Signature Bypass in several JSON Web Token Libraries |
| Source | Automatically generated temporary name. Not for external reference. |
| Debian Bugs | 781640 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| pyjwt (PTS) | jessie, jessie (lts) | 0.2.1-1+deb8u2 | fixed |
| stretch (security), stretch (lts), stretch | 1.4.2-1+deb9u1 | fixed |
| buster | 1.7.0-2 | fixed |
| bullseye | 1.7.1-2 | fixed |
| bookworm | 2.6.0-1 | fixed |
| sid, trixie | 2.7.0-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| pyjwt | source | jessie | 0.2.1-1+deb8u1 | | | |
| pyjwt | source | (unstable) | 1.3.0-1 | | | 781640 |
Notes
Added workaround item to reflect entry fixed status, remove once CVE assigned
CVE Request: https://www.openwall.com/lists/oss-security/2015/04/01/4
https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
ruby-jwt not directly affected, see https://github.com/jwt/ruby-jwt/issues/76