Register | Log in

joserfc

Python library for JSON Object Signing and Encryption (JOSE)

Choose email to subscribe with

general

source: joserfc (main)
version: 1.6.3-1
maintainer: Debian Python Team (DMD)
uploaders: Edward Betts [DMD]
arch: all
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 1.1.0-1
testing: 1.6.3-1
unstable: 1.6.3-1

versioned links

1.1.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.6.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python3-joserfc

action needed

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2026-27932: joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In 1.6.2 and earlier, a resource exhaustion vulnerability in joserfc allows an unauthenticated attacker to cause a Denial of Service (DoS) via CPU exhaustion. When the library decrypts a JSON Web Encryption (JWE) token using Password-Based Encryption (PBES2) algorithms, it reads the p2c (PBES2 Count) parameter directly from the token's protected header. This parameter defines the number of iterations for the PBKDF2 key derivation function. Because joserfc does not validate or bound this value, an attacker can specify an extremely large iteration count (e.g., 2^31 - 1), forcing the server to expend massive CPU resources processing a single token. This vulnerability exists at the JWA layer and impacts all high-level JWE and JWT decryption interfaces if PBES2 algorithms are allowed by the application's policy.

Created: 2026-03-04 Last update: 2026-03-04 12:30

Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2026-01-01 Last update: 2026-01-01 11:33

news

[2026-03-03] joserfc 1.6.3-1 MIGRATED to testing (Debian testing watch)
[2026-03-01] Accepted joserfc 1.6.3-1 (source) into unstable (Edward Betts)
[2026-02-20] joserfc 1.6.2-1 MIGRATED to testing (Debian testing watch)
[2026-02-17] Accepted joserfc 1.6.2-1 (source) into unstable (Edward Betts)
[2026-01-03] joserfc 1.6.1-1 MIGRATED to testing (Debian testing watch)
[2025-12-31] Accepted joserfc 1.6.1-1 (source) into unstable (Edward Betts)
[2025-12-18] joserfc 1.6.0-1 MIGRATED to testing (Debian testing watch)
[2025-12-15] Accepted joserfc 1.6.0-1 (source) into unstable (Edward Betts)
[2025-12-05] joserfc 1.5.0-1 MIGRATED to testing (Debian testing watch)
[2025-12-03] Accepted joserfc 1.5.0-1 (source) into unstable (Edward Betts)
[2025-11-22] joserfc 1.4.3-1 MIGRATED to testing (Debian testing watch)
[2025-11-19] Accepted joserfc 1.4.3-1 (source) into unstable (Edward Betts)
[2025-11-09] joserfc 1.4.1-1 MIGRATED to testing (Debian testing watch)
[2025-11-07] Accepted joserfc 1.4.1-1 (source) into unstable (Edward Betts)
[2025-10-12] joserfc 1.4.0-1 MIGRATED to testing (Debian testing watch)
[2025-10-10] Accepted joserfc 1.4.0-1 (source) into unstable (Edward Betts)
[2025-09-26] joserfc 1.3.4-1 MIGRATED to testing (Debian testing watch)
[2025-09-24] Accepted joserfc 1.3.4-1 (source) into unstable (Edward Betts)
[2025-09-10] joserfc 1.3.2-1 MIGRATED to testing (Debian testing watch)
[2025-09-06] Accepted joserfc 1.3.2-1 (source) into unstable (Edward Betts)
[2025-09-01] joserfc 1.3.1-1 MIGRATED to testing (Debian testing watch)
[2025-08-28] Accepted joserfc 1.3.1-1 (source) into unstable (Edward Betts)
[2025-08-13] joserfc 1.2.2-1 MIGRATED to testing (Debian testing watch)
[2025-07-31] Accepted joserfc 1.2.2-1 (source) into unstable (Edward Betts)
[2025-07-09] Accepted joserfc 1.2.0-1 (source) into unstable (Edward Betts)
[2025-06-19] joserfc 1.1.0-1 MIGRATED to testing (Debian testing watch)
[2025-05-30] Accepted joserfc 1.1.0-1 (source) into unstable (Edward Betts)
[2025-03-09] joserfc 1.0.4-1 MIGRATED to testing (Debian testing watch)
[2025-03-06] Accepted joserfc 1.0.4-1 (source) into unstable (Edward Betts)
[2025-02-15] joserfc 1.0.3-1 MIGRATED to testing (Debian testing watch)

1
2

bugs [bug history graph]

all: 0

links

homepage
lintian
buildd: logs
popcon
browse source code
edit tags
other distros
security tracker
l10n (-, 33)
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.6.2-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing