The following issue was reported:

If the secretKey was expected to be an RSA public key, but the attacker changed the header to indicate a signature algorithm of HMAC, the RSA public key would be used as the signing secret.

Upstream fix: https://github.com/davedoesdev/python-jwt/commit/5ddb71b2ed5785c329b761e45a246996a1dd9cab

CVE request: http://seclists.org/oss-sec/2015/q2/3
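
The check that closes this class of bug, shown beside the header-trusting behaviour from the report. This is an added example, not code from python-jwt or from the upstream fix; `verify`, `make_hs_token`, the `allowed_algs` parameter as used here, and the placeholder PEM are assumptions made for illustration, and only the HMAC branch is implemented.

```python
import base64, hashlib, hmac, json

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify(token, key, allowed_algs=None):
    """Return the claims or raise ValueError.

    allowed_algs=None trusts the token header (the reported behaviour);
    passing a set pins the algorithms the caller expects for this key.
    """
    signing_input, _, sig = token.rpartition(".")
    head_b64, _, claims_b64 = signing_input.partition(".")
    alg = json.loads(b64d(head_b64)).get("alg")
    if allowed_algs is not None:
        if alg not in allowed_algs:
            raise ValueError(f"algorithm {alg!r} not allowed for this key")
        if alg in HMAC_ALGS and b"-----BEGIN" in key:
            raise ValueError("PEM key material refused as an HMAC secret")
    if alg not in HMAC_ALGS:
        # RSA verification belongs to a crypto library and is out of scope here.
        raise ValueError(f"{alg!r} is not handled by this example")
    expected = hmac.new(key, signing_input.encode(), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64d(sig)):
        raise ValueError("signature mismatch")
    return json.loads(b64d(claims_b64))

def make_hs_token(claims, key, alg="HS256"):
    """Build an HMAC-signed token (used only for the constructed samples)."""
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), HMAC_ALGS[alg]).digest()
    return f"{head}.{body}.{b64e(mac)}"

# Constructed placeholder, not a real key: only its PEM framing matters here.
PUBLIC_PEM = b"-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNURUQ=\n-----END PUBLIC KEY-----\n"
# Constructed token of the kind in the report: header says HS256, MAC keyed with the PEM.
CONFUSED = make_hs_token({"sub": "constructed"}, PUBLIC_PEM)

if __name__ == "__main__":
    print("header trusted:", verify(CONFUSED, PUBLIC_PEM))
    for pinned in ({"RS256"}, {"HS256"}):
        try:
            verify(CONFUSED, PUBLIC_PEM, allowed_algs=pinned)
        except ValueError as err:
            print("pinned", sorted(pinned), "->", err)
```

With the algorithm pinned by the caller, the token is rejected before any MAC is computed; the PEM check additionally catches a caller that pins HS256 but passes a public key by mistake.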
Created python-jwt tracking bugs for this issue:

Affects: fedora-all [bug 1231174]
python-jwt-1.3.0-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
python-jwt-1.3.0-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.