Bug 2207679 - CVE-2022-29217 python-adal: python-jwt: Key confusion through non-blocklisted public key formats [epel-7]
Summary: CVE-2022-29217 python-adal: python-jwt: Key confusion through non-blocklisted...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Deadline: 2022-11-09
Product: Fedora EPEL
Classification: Fedora
Component: python-jwt
Version: epel8
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Fedora Infrastructure SIG
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: component:python-adal
Depends On:
Blocks: CVE-2022-29217 2095895
Reported: 2023-05-16 13:35 UTC by Nizamudeen
Modified: 2023-06-02 01:54 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 2095895
Environment:
Last Closed: 2023-06-02 01:53:06 UTC
Type: ---
Embargoed:



Comment 1 Carl George 🤠 2023-06-02 01:53:06 UTC
In EPEL 9, python-jwt is at version 2.4.0, which includes the fix for this CVE.

python-jwt isn't in EPEL 8 because it is in RHEL 8 at version 1.6.1.  RHEL maintainers decided not to fix the CVE there.

In EPEL 7, python-jwt is at version 1.5.3.  It is affected by this CVE, but if paid RHEL maintainers didn't think it was important enough to fix in RHEL 8 (which is still in Full Support phase), then I don't think it's justified for volunteer maintainers to try to fix this in EPEL 7.  If someone wants to propose a backport to fix this, I'd be happy to re-open this bug and revisit this.

