[SECURITY] Version 1.2.4 is effected by CVE-2024-23342 in edcsa

[kartikye]

https://nvd.nist.gov/vuln/detail/CVE-2024-23342

[robert-mings]

Hey @kartikye, we're on it and are exploring a different cryptographic backend or a new package altogether.

Keep an eye out for updates.

[r-thomson]

edcsa is being brought in by python-jose, which has not had a release since 2021. Most of the Python ecosystem seems to have moved to pyjwt.

[geekkun]

1.2.5 is also affected :(

[3point14guy]

Any updates on this. python-jose is now failing pip audits for these two:
https://github.com/advisories?query=GHSA-6c5p-j8vq-pqhj
https://github.com/advisories?query=GHSA-cjwg-qfpm-7377

[Natim]

We now have two alternates #48 and #49

[yahel2410]

Any update on this matter? this CVE affects a lot of our services' score.

[robert-mings]

Hi @kartikye, @r-thomson, @geekkun, @3point14guy, @Natim @yahel2410 - v1.2.6 solves this by moving to pyjwt and is now available. Please update as soon as possible. Thanks!