Format: 1.8
Date: Sat, 28 Feb 2026 03:41:12 +0100
Source: python-authlib
Binary: python-authlib-doc python3-authlib
Architecture: all
Version: 1.2.0-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03)
Changed-By: Daniel Leidert
Description:
 python-authlib-doc - Python library for OAuth and OpenID Connect servers (docs)
 python3-authlib - Python library for OAuth and OpenID Connect servers
Changes:
 python-authlib (1.2.0-1+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * d/patches/CVE-2025-68158.patch: Add patch to fix CVE-2025-68158.
     - The cache-backed state/request-token storage is not tied to the
       initiating user session, so CSRF is possible for any attacker that
       has a valid state.
   * d/patches/CVE-2025-62706.patch: Add patch to fix CVE-2025-62706.
     - Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression
       which can lead to a DoS.
   * d/patches/CVE-2025-61920.patch: Add patch to fix CVE-2025-61920.
     - Authlib’s JOSE implementation accepts unbounded JWS/JWT header and
       signature segments which can lead to a DoS during verification.
   * d/patches/CVE-2025-59420.patch: Add patch to fix CVE-2025-59420.
     - Authlib’s JWS verification accepts tokens that declare unknown
       critical header parameters (crit), violating RFC 7515
       “must-understand” semantics. An attacker can craft a signed token
       with a critical header that strict verifiers reject but Authlib
       accepts. In mixed-language fleets, this enables split-brain
       verification and can lead to policy bypass, replay, or privilege
       escalation.
   * d/patches/CVE-2024-37568.patch: Add patch to fix CVE-2024-37568.
     - Unless an algorithm is specified in a jwt.decode call, HMAC
       verification is allowed with any asymmetric public key.
   * debian/tests/control, debian/tests/unittests3: Enable client and jose
     tests.
Checksums-Sha1:
 047e16fffaf41b2d2c7a44b938446672dcac1f18 231012 python-authlib-doc_1.2.0-1+deb12u1_all.deb
 7a488aed09d7d5e9a720a61c2e146f1cbbda7223 9082 python-authlib_1.2.0-1+deb12u1_all-buildd.buildinfo
 287a9a4e05e26536dc50e0efeb96679616675174 118308 python3-authlib_1.2.0-1+deb12u1_all.deb
Checksums-Sha256:
 c9d1feaac8cb5bccda8d30076b982e0c94359ca34bbb71421d4cd59ffcb8694b 231012 python-authlib-doc_1.2.0-1+deb12u1_all.deb
 1d1801c97f03309ef4e10b18cba21636ebc6915100ddeda4c5bc2722060c7b51 9082 python-authlib_1.2.0-1+deb12u1_all-buildd.buildinfo
 6290691c1f2e2ddc5b9b25acd87f318eb5d036445f09181e727553db1b4e2725 118308 python3-authlib_1.2.0-1+deb12u1_all.deb
Files:
 f7ab429b66209ba0ae094e47a92af395 231012 doc optional python-authlib-doc_1.2.0-1+deb12u1_all.deb
 bb1a54ec3f2f0a2799b0d51d1af2b1bb 9082 python optional python-authlib_1.2.0-1+deb12u1_all-buildd.buildinfo
 44d061d95d1fe4cf3acd67c1cfea32a2 118308 python optional python3-authlib_1.2.0-1+deb12u1_all.deb
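The checks the CVE-2025-59420, CVE-2025-61920 and CVE-2024-37568 entries above describe as missing (RFC 7515 "crit" must-understand handling, bounded header and signature segments, and an explicit algorithm allow-list so an HMAC token is never verified with a public key), as an added defender-side example in plain Python that is not part of the Debian package or of Authlib's own code; the segment bound, the `make_token` helper and its sample tokens are constructed assumptions.

```python
import base64
import json

# Registered JWS header names (RFC 7515 / JWA); "crit" must not list any of them.
REGISTERED = frozenset({"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t",
                        "x5t#S256", "typ", "cty", "crit"})
MAX_SEGMENT_CHARS = 8192  # constructed bound on header and signature segments


class JWSHeaderError(ValueError): """A token failed a pre-verification header check."""


def _b64url_decode(segment: str) -> bytes:
    if len(segment) > MAX_SEGMENT_CHARS:  # refuse oversized segments before decoding
        raise JWSHeaderError("segment exceeds size bound")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_protected_header(token, allowed_algs, understood_crit=frozenset()):
    """Pre-signature checks: bounded segments, an explicit alg allow-list (so an HMAC
    token is never verified with a public key) and RFC 7515 §4.1.11 'crit' semantics."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWSHeaderError("compact JWS must have exactly three segments")
    header = json.loads(_b64url_decode(parts[0]))
    _b64url_decode(parts[2])  # bound the signature segment as well
    if not isinstance(header, dict) or header.get("alg") not in allowed_algs:
        raise JWSHeaderError("alg missing or not in the allow-list")
    if "crit" in header:
        crit = header["crit"]
        if (not isinstance(crit, list) or not crit or not all(isinstance(n, str) for n in crit)
                or len(set(crit)) != len(crit)):
            raise JWSHeaderError("crit must be a non-empty array of distinct strings")
        for name in crit:
            if name in REGISTERED or name not in header:
                raise JWSHeaderError(f"crit may only name present extension headers: {name!r}")
            if name not in understood_crit:  # the must-understand rule CVE-2025-59420 is about
                raise JWSHeaderError(f"unknown critical header parameter {name!r}")
    return header  # caller proceeds to signature verification with a key matching alg


def is_acceptable(token, allowed_algs, understood_crit=frozenset()) -> bool:
    try:
        check_protected_header(token, allowed_algs, understood_crit)
        return True
    except ValueError:  # JWSHeaderError, JSON and base64 errors all subclass ValueError
        return False


def make_token(header: dict) -> str:
    """Constructed sample token: payload and signature are placeholders, header only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return ".".join([enc(header), enc({"sub": "demo"}), "c2ln"])
```

The allow-list should be fixed per issuer in configuration (for example RS256 only), never read from the token itself.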