Advisories » MGASA-2024-0238

Updated python-authlib packages fix security vulnerability

Publication date: 25 Jun 2024
Modification date: 25 Jun 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-37568

Description

Authlib before 1.3.1 has algorithm confusion with asymmetric public
keys. Unless an algorithm is specified in a jwt.decode call, HMAC
verification is allowed with any asymmetric public key. (This is similar
to CVE-2022-29217 and CVE-2024-33663.)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=33315
• https://lists.suse.com/pipermail/sle-updates/2024-June/035616.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37568

SRPMS

9/core

• python-authlib-1.3.1-1.mga9