Hello, I've been looking at pyjwt and CVE-2022-29217 for stretch.

In theory, the CVE does not apply, because pyjwt < 2.0.0 (stretch has 1.4.2) does not support ed25519, which is the algorithm that uses the specific PEM header that pyjwt was failing to blocklist. However, the patch at https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc#diff-e952a2551c16d8c3865536b2bffb440e37f64fce6c4e23266f8722e1a48e8f19L564 still introduces a stricter blocklisting of key material for the HMAC algorithm (line 188). I could either mark CVE-2022-29217 as no-dsa for stretch or, if we consider the stricter blocklisting worthwhile, prepare a DLA with only that part of the patch.

https://security-tracker.debian.org/tracker/CVE-2022-29217 does consider the issue as minor, and I would agree, so my call would be to mark this as no-dsa. Let me know if you'd like me to still backport the applicable parts of the patch, otherwise I'll mark this as no-dsa in a few days.

Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enr...@enricozini.org>
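As an added illustration of the "stricter blocklisting of key material for the HMAC algorithm" that the message refers to (this is example code written for this page, not pyjwt's own implementation and not from the patch): the algorithm-confusion problem is that a verifier configured with an asymmetric public key will, if it also accepts HS256, happily use the public key bytes as an HMAC secret, so anyone holding the public key can forge tokens. The defence is to refuse any HMAC secret that looks like asymmetric key material. The PEM header regex and the OpenSSH prefix list below are assumptions chosen for the example (broad enough to catch the ed25519 "BEGIN PUBLIC KEY" PEM that the narrower pre-fix list missed); the public key is the sample value from RFC 8410 and is used only as a placeholder.

```python
"""Illustrative HMAC-key blocklist and algorithm-confusion demo (example code, not pyjwt)."""
import base64
import hashlib
import hmac
import json
import re

# Assumed patterns for this example, not pyjwt's own lists. Any "-----BEGIN <type>-----"
# header is rejected, which covers "PUBLIC KEY" (ed25519 SPKI), "RSA PUBLIC KEY" and
# "CERTIFICATE" alike, plus the OpenSSH one-line public key formats.
_PEM_HEADER = re.compile(rb"^\s*-----BEGIN [A-Z0-9 ]+-----")
_SSH_KEY_PREFIXES = (b"ssh-rsa ", b"ssh-dss ", b"ssh-ed25519 ", b"ecdsa-sha2-")


def is_asymmetric_key_material(key: bytes) -> bool:
    """True if the bytes look like a PEM block or an OpenSSH public key."""
    return bool(_PEM_HEADER.match(key)) or key.startswith(_SSH_KEY_PREFIXES)


def prepare_hmac_key(key) -> bytes:
    """Reject anything that looks like an asymmetric key before it is used as an HMAC secret."""
    if isinstance(key, str):
        key = key.encode("utf-8")
    if is_asymmetric_key_material(key):
        raise ValueError("asymmetric key material must not be used as an HMAC secret")
    return key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Minimal HS256 signer with no key check, i.e. what an attacker does with a public key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, key, strict: bool = True) -> dict:
    """Verify an HS256 token; with strict=True the key is passed through the blocklist first."""
    if strict:
        secret = prepare_hmac_key(key)
    else:
        secret = key.encode("utf-8") if isinstance(key, str) else key
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


# Constructed sample: an ed25519 public key in PEM, as a server might publish it.
# The key is the example value from RFC 8410; it is only a placeholder here.
PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=\n"
    "-----END PUBLIC KEY-----\n"
)


def forge_and_check(pub_pem: str):
    """Forge a token with the public key as HMAC secret and show what each verifier does.

    Returns (payload accepted by the lax verifier, whether the strict verifier rejected the key).
    """
    forged = sign_hs256({"sub": "admin"}, pub_pem.encode("utf-8"))
    lax_result = verify_hs256(forged, pub_pem, strict=False)   # accepted: key confusion
    try:
        verify_hs256(forged, pub_pem, strict=True)
        strict_rejected = False
    except ValueError:
        strict_rejected = True                                 # blocklist refused the key
    return lax_result, strict_rejected


if __name__ == "__main__":
    print(forge_and_check(PUBLIC_KEY_PEM))
```

The lax verifier accepts the forged `{"sub": "admin"}` token because HMAC with the public key bytes is all the attacker needs; the strict verifier never reaches signature comparison because the key is refused up front. A plain shared secret such as `s3cret` passes `prepare_hmac_key` unchanged, so the check costs legitimate HS256 users nothing.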