-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 28 Feb 2026 03:41:12 +0100
Source: python-authlib
Architecture: source
Version: 1.2.0-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Python Team
Changed-By: Daniel Leidert
Changes:
 python-authlib (1.2.0-1+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * d/patches/CVE-2025-68158.patch: Add patch to fix CVE-2025-68158.
     - The cache-backed state/request-token storage is not tied to the
       initiating user session, so CSRF is possible for any attacker that
       has a valid state.
   * d/patches/CVE-2025-62706.patch: Add patch to fix CVE-2025-62706.
     - Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression
       which can lead to a DoS.
   * d/patches/CVE-2025-61920.patch: Add patch to fix CVE-2025-61920.
     - Authlib’s JOSE implementation accepts unbounded JWS/JWT header and
       signature segments which can lead to a DoS during verification.
   * d/patches/CVE-2025-59420.patch: Add patch to fix CVE-2025-59420.
     - Authlib’s JWS verification accepts tokens that declare unknown
       critical header parameters (crit), violating RFC 7515
       “must-understand” semantics. An attacker can craft a signed token
       with a critical header that strict verifiers reject but Authlib
       accepts. In mixed-language fleets, this enables split-brain
       verification and can lead to policy bypass, replay, or privilege
       escalation.
   * d/patches/CVE-2024-37568.patch: Add patch to fix CVE-2024-37568.
     - Unless an algorithm is specified in a jwt.decode call, HMAC
       verification is allowed with any asymmetric public key.
   * debian/tests/control, debian/tests/unittests3: Enable client and jose
     tests.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
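Two of the fixes listed in the changelog above concern what a JWS verifier accepts before it ever checks a signature. As an added illustration that is neither Authlib's code nor the Debian patches, the stdlib-only Python pre-check below applies the RFC 7515 must-understand rule for `crit` (the CVE-2025-59420 class of issue) and bounds the header and signature segments before decoding them (the CVE-2025-61920 class of issue); the size limits, the set of understood extensions and the dummy signature produced by `make_token` are assumptions made for the example.

```python
# Added illustration, not Authlib's code or the Debian patches; limits and the
# "understood" extension set are assumed values for the example.
import base64
import json

MAX_HEADER_B64 = 8 * 1024     # assumed bound on the encoded protected header
MAX_SIGNATURE_B64 = 4 * 1024  # assumed bound on the encoded signature
UNDERSTOOD_CRIT = {"b64"}     # extensions this verifier implements (assumed: RFC 7797 "b64")
# Names RFC 7515 itself defines; a producer must not list these in "crit".
RFC7515_HEADERS = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit"}

class InvalidJWS(ValueError):
    pass

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_token(header: dict, payload: bytes = b"{}", signature: bytes = b"\0" * 32) -> str:
    """Build a constructed compact JWS (dummy signature) for exercising the checks."""
    return ".".join(b64url_encode(s) for s in (json.dumps(header).encode(), payload, signature))

def parse_protected_header(token: str) -> dict:
    """Return the protected header, or raise InvalidJWS if the token must be rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidJWS("compact JWS must have exactly three segments")
    header_b64, _payload_b64, signature_b64 = parts
    # CVE-2025-61920 class of issue: bound segment sizes before decoding anything.
    if len(header_b64) > MAX_HEADER_B64 or len(signature_b64) > MAX_SIGNATURE_B64:
        raise InvalidJWS("header or signature segment exceeds the configured bound")
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError as exc:  # binascii.Error and JSONDecodeError are both ValueError
        raise InvalidJWS("protected header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict):
        raise InvalidJWS("protected header must be a JSON object")
    # CVE-2025-59420 class of issue: RFC 7515 section 4.1.11 "must-understand" rule.
    crit = header.get("crit")
    if crit is not None:
        if not isinstance(crit, list) or not crit or not all(isinstance(c, str) for c in crit):
            raise InvalidJWS('"crit" must be a non-empty array of strings')
        for name in crit:
            if name in RFC7515_HEADERS or name not in header:
                raise InvalidJWS(f'"crit" entry {name!r} is a standard header or is absent')
            if name not in UNDERSTOOD_CRIT:
                raise InvalidJWS(f"unknown critical header parameter {name!r}")
    return header
```

A verifier would run `parse_protected_header` first and only then select the key and check the signature, so a rejected token never reaches the cryptographic step.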