python3-jwt (2.3.0-1ubuntu0.1) contains pyjwt 2.4.0 metadata but installs the 2.3.0 library
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pyjwt (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
The security update version of this package contains the metadata for PyJWT 2.4.0, not 2.3.0 that it installs. This doesn't happen in the 2.3.0-1 package.
```
# dpkg -L python3-jwt
/.
/usr
/usr/lib
/usr/lib/python3
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/share
/usr/share/doc
/usr/share/
/usr/share/
/usr/share/
/usr/share/
/usr/share/
# dpkg -s python3-jwt
Package: python3-jwt
Status: install ok installed
Priority: optional
Section: python
Installed-Size: 82
Maintainer: Ubuntu Developers <email address hidden>
Architecture: all
Source: pyjwt
Version: 2.3.0-1ubuntu0.1
Depends: python3:any
Recommends: python3-
Suggests: python3-crypto
Description: Python 3 implementation of JSON Web Token
 PyJWT implements the JSON Web Token draft 01, a way of representing
 signed content using JSON data structures.
 .
 Supported algorithms for cryptographic signing:
 .
 * HS256 - HMAC using SHA-256 hash algorithm (default)
 * HS384 - HMAC using SHA-384 hash algorithm
 * HS512 - HMAC using SHA-512 hash algorithm
 * RS256 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-256 hash
   algorithm
 * RS384 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-384 hash
   algorithm
 * RS512 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-512 hash
   algorithm
 .
 Supported reserved claim names:
 - "exp" (Expiration Time) Claim
 .
 This package contains the Python 3 version of the library.
Homepage: https:/
Original-
```
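One way to catch this class of regression automatically, as an added example that is not from the bug report or from Ubuntu's packaging tooling: compare the upstream part of the Debian package version from `dpkg -s` with the version the Python module itself reports. The `dpkg -s` text and the module version string below are constructed inline from the values quoted above, so the script runs without python3-jwt installed; on a real system the second value would come from `jwt.__version__` or `importlib.metadata.version("PyJWT")`.

```python
import re

# Constructed sample of `dpkg -s` output, trimmed to the fields this check reads.
DPKG_STATUS = """\
Package: python3-jwt
Status: install ok installed
Source: pyjwt
Version: 2.3.0-1ubuntu0.1
Description: Python 3 implementation of JSON Web Token
"""

# Constructed: what the installed module reports after the backport bumped
# __version__ (in practice: `import jwt; jwt.__version__`).
MODULE_VERSION = "2.4.0"


def dpkg_field(status: str, name: str) -> str:
    """Return one header field from `dpkg -s` output (first line only)."""
    m = re.search(rf"^{re.escape(name)}:\s*(.+)$", status, re.MULTILINE)
    if not m:
        raise KeyError(name)
    return m.group(1).strip()


def upstream_version(debian_version: str) -> str:
    """Strip the epoch ("1:") and the Debian revision ("-1ubuntu0.1").

    Only the last hyphen separates the revision, so upstream versions that
    themselves contain hyphens survive intact.
    """
    v = debian_version.split(":", 1)[1] if ":" in debian_version else debian_version
    return v.rsplit("-", 1)[0] if "-" in v else v


def check_version_consistency(status: str, module_version: str) -> dict:
    """Report whether the package's upstream version matches the module's."""
    pkg_upstream = upstream_version(dpkg_field(status, "Version"))
    return {
        "package": dpkg_field(status, "Package"),
        "package_upstream": pkg_upstream,
        "module_version": module_version,
        "consistent": pkg_upstream == module_version,
    }


if __name__ == "__main__":
    print(check_version_consistency(DPKG_STATUS, MODULE_VERSION))
```

Run against the values in this report it flags the mismatch (package 2.3.0, module 2.4.0); a security update that only backports the CVE fix should leave both at 2.3.0.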
Thanks for taking the time to report this bug and trying to make Ubuntu better.
You are right, in the latest security fix the patch includes the following:
```
--- a/jwt/__init__.py
+++ b/jwt/__init__.py
@@ -25,7 +25,7 @@
)
from .jwks_client import PyJWKClient
-__version__ = "2.3.0"
+__version__ = "2.4.0"
__title__ = "PyJWT"
```
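Review bot: the `-__version__ = "2.3.0"` / `+__version__ = "2.4.0"` change in this hunk is unrelated to the CVE fix and makes the library report a version that disagrees with the 2.3.0-1ubuntu0.1 package shown by `dpkg -s` above; drop this hunk from the backport so that anything reading `jwt.__version__` or the installed metadata keeps seeing 2.3.0 and only the security-relevant lines of the upstream commit land.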
Which bumps the version to 2.4.0. This is a security update regression; I believe we should have skipped this part to avoid bumping the version and backported just the relevant part for the CVE fix. I am subscribing the security-team to see how we can sort this out.