ALAS2023-2023-076

Amazon Linux 2023 Security Advisory: ALAS2023-2023-076
Advisory Released Date: 2023-03-22
Advisory Updated Date: 2023-03-22

Severity: Medium

References: CVE-2022-29217
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

A vulnerability was found in python-jwt. This issue happens when PyJWT supports multiple different JWT signing algorithms. This flaw allows an attacker submitting the JWT token to choose the used signing algorithm, leading to key confusion through non-blocklisted public key formats. (CVE-2022-29217)

Affected Packages:

python-jwt

Issue Correction:
Run dnf update python-jwt --releasever 2023.0.20230322 or dnf update --advisory ALAS2023-2023-076 --releasever 2023.0.20230322 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:

noarch:
    python3-jwt+crypto-2.4.0-1.amzn2023.0.1.noarch
    python3-jwt-2.4.0-1.amzn2023.0.1.noarch

src:
    python-jwt-2.4.0-1.amzn2023.0.1.src

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2022-29217

Mitre: CVE-2022-29217