Bug 2207679

Summary: CVE-2022-29217 python-adal: python-jwt: Key confusion through non-blocklisted public key formats [epel-7]
Product: [Fedora] Fedora EPEL
Reporter: Nizamudeen <nia>
Component: python-jwt
Assignee: Fedora Infrastructure SIG <infra-sig>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: epel8
CC: amctagga, aoconnor, bniver, carl, ceph-eng-bugs, flucifre, gmeno, infra-sig, kevin, mbenjamin, mhackett, sostapov, vereddy
Target Milestone: ---
Keywords: Security, SecurityTracking
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: component:python-adal
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 2095895
Environment:
Last Closed: 2023-06-02 01:53:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2088544, 2095895
Deadline: 2022-11-09

Comment 1 Carl George 🤠 2023-06-02 01:53:06 UTC
In EPEL 9, python-jwt is at version 2.4.0, which includes the fix for this CVE.

python-jwt isn't in EPEL 8 because it is in RHEL 8 at version 1.6.1.  RHEL maintainers decided not to fix the CVE there.

In EPEL 7, python-jwt is at version 1.5.3.  It is affected by this CVE, but if paid RHEL maintainers didn't think it was important enough to fix in RHEL 8 (which is still in Full Support phase), then I don't think it's justified for volunteer maintainers to try to fix this in EPEL 7.  If someone wants to propose a backport to fix this, I'd be happy to re-open this bug and revisit this.