Debian Package Tracker

joserfc

Python library for JSON Object Signing and Encryption (JOSE)


general
  • source: joserfc (main)
  • version: 1.7.1-1
  • maintainer: Debian Python Team (DMD)
  • uploaders: Edward Betts [DMD]
  • arch: all
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • stable: 1.1.0-1
  • testing: 1.7.1-1
  • unstable: 1.7.1-1
versioned links
  • 1.1.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.7.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • python3-joserfc
action needed
2 security issues in trixie (severity: high)

There are 2 open security issues in trixie.

1 important issue:
  • CVE-2026-27932: joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In 1.6.2 and earlier, a resource exhaustion vulnerability in joserfc allows an unauthenticated attacker to cause a Denial of Service (DoS) via CPU exhaustion. When the library decrypts a JSON Web Encryption (JWE) token using Password-Based Encryption (PBES2) algorithms, it reads the p2c (PBES2 Count) parameter directly from the token's protected header. This parameter defines the number of iterations for the PBKDF2 key derivation function. Because joserfc does not validate or bound this value, an attacker can specify an extremely large iteration count (e.g., 2^31 - 1), forcing the server to expend massive CPU resources processing a single token. This vulnerability exists at the JWA layer and impacts all high-level JWE and JWT decryption interfaces if PBES2 algorithms are allowed by the application's policy.
1 issue left for the package maintainer to handle:
  • CVE-2026-48990: (needs triaging) joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.max_payload_length, which can lead to resource exhaustion. The normal JWS compact and flattened JSON paths reject payloads above the configured payload-size limit with ExceededSizeError. The RFC7797 unencoded payload paths do not make the same check. A valid b64=false compact or flattened JSON JWS can therefore deserialize successfully with a payload larger than JWSRegistry.max_payload_length. Applications that accept lower-trust JWS values and rely on joserfc to reject oversized token content during verification have a moderate availability risk. This issue has been fixed in version 1.6.7.
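A defensive pre-check covering both issues above, written here as an added example and not taken from joserfc: using only the standard library it reads the protected header of a compact token and rejects a PBES2 p2c outside an assumed policy range (CVE-2026-27932) or an RFC 7797 b64=false payload above an assumed size limit (CVE-2026-48990) before the token is handed to the library. The policy constants and the build_test_token helper are assumptions made for illustration, not joserfc settings.

```python
import base64
import json

# Policy values are assumed application defaults, not joserfc's own settings.
MIN_P2C = 1_000                 # RFC 7518 recommends at least 1000 PBKDF2 iterations
MAX_P2C = 1_000_000             # cap on the CPU we are willing to spend on one token
MAX_PAYLOAD_BYTES = 64 * 1024   # what JWSRegistry.max_payload_length should enforce
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_compact_token(token: str) -> dict:
    """Inspect the protected header of a compact JWS/JWE before decryption or
    verification; raise ValueError when it is out of policy, else return it."""
    segments = token.split(".")
    header = json.loads(b64url_decode(segments[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    if header.get("alg") in PBES2_ALGS:
        # CVE-2026-27932: an unbounded p2c turns one token into a CPU-exhaustion request.
        p2c = header.get("p2c")
        # type() rather than isinstance(): bool is an int subclass and must not pass.
        if type(p2c) is not int or not MIN_P2C <= p2c <= MAX_P2C:
            raise ValueError(f"p2c out of policy: {p2c!r}")
    if header.get("b64") is False:
        # CVE-2026-48990: with b64=false the second segment is the raw payload,
        # so the size limit has to be applied to that segment here.
        if len(segments) != 3:
            raise ValueError("b64=false compact JWS must have exactly three segments")
        if len(segments[1].encode("utf-8")) > MAX_PAYLOAD_BYTES:
            raise ValueError(f"unencoded payload of {len(segments[1])} bytes exceeds limit")
    return header


def token_passes_policy(token: str) -> bool:
    try:
        check_compact_token(token)   # base64, JSON and policy errors are all ValueError
        return True
    except ValueError:
        return False


def build_test_token(header: dict, payload: bytes = b"{}") -> str:
    """Constructed, unsigned token for exercising the guard; no real key material."""
    raw = header.get("b64") is False
    body = payload.decode("utf-8") if raw else b64url_encode(payload)
    return ".".join([b64url_encode(json.dumps(header).encode()), body, ""])
```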

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-03-04 Last update: 2026-06-18 13:32
Issues found with some translations (severity: low)

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2026-01-01 Last update: 2026-04-16 11:47
news
[rss feed]
  • [2026-06-16] joserfc 1.7.1-1 MIGRATED to testing (Debian testing watch)
  • [2026-06-12] Accepted joserfc 1.7.1-1 (source) into unstable (Edward Betts)
  • [2026-06-09] joserfc 1.7.0-1 MIGRATED to testing (Debian testing watch)
  • [2026-06-04] Accepted joserfc 1.7.0-1 (source) into unstable (Edward Betts)
  • [2026-05-30] joserfc 1.6.8-1 MIGRATED to testing (Debian testing watch)
  • [2026-05-27] Accepted joserfc 1.6.8-1 (source) into unstable (Edward Betts)
  • [2026-05-22] joserfc 1.6.5-1 MIGRATED to testing (Debian testing watch)
  • [2026-05-06] Accepted joserfc 1.6.5-1 (source) into unstable (Edward Betts)
  • [2026-04-18] joserfc 1.6.4-1 MIGRATED to testing (Debian testing watch)
  • [2026-04-15] Accepted joserfc 1.6.4-1 (source) into unstable (Edward Betts)
  • [2026-03-03] joserfc 1.6.3-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-01] Accepted joserfc 1.6.3-1 (source) into unstable (Edward Betts)
  • [2026-02-20] joserfc 1.6.2-1 MIGRATED to testing (Debian testing watch)
  • [2026-02-17] Accepted joserfc 1.6.2-1 (source) into unstable (Edward Betts)
  • [2026-01-03] joserfc 1.6.1-1 MIGRATED to testing (Debian testing watch)
  • [2025-12-31] Accepted joserfc 1.6.1-1 (source) into unstable (Edward Betts)
  • [2025-12-18] joserfc 1.6.0-1 MIGRATED to testing (Debian testing watch)
  • [2025-12-15] Accepted joserfc 1.6.0-1 (source) into unstable (Edward Betts)
  • [2025-12-05] joserfc 1.5.0-1 MIGRATED to testing (Debian testing watch)
  • [2025-12-03] Accepted joserfc 1.5.0-1 (source) into unstable (Edward Betts)
  • [2025-11-22] joserfc 1.4.3-1 MIGRATED to testing (Debian testing watch)
  • [2025-11-19] Accepted joserfc 1.4.3-1 (source) into unstable (Edward Betts)
  • [2025-11-09] joserfc 1.4.1-1 MIGRATED to testing (Debian testing watch)
  • [2025-11-07] Accepted joserfc 1.4.1-1 (source) into unstable (Edward Betts)
  • [2025-10-12] joserfc 1.4.0-1 MIGRATED to testing (Debian testing watch)
  • [2025-10-10] Accepted joserfc 1.4.0-1 (source) into unstable (Edward Betts)
  • [2025-09-26] joserfc 1.3.4-1 MIGRATED to testing (Debian testing watch)
  • [2025-09-24] Accepted joserfc 1.3.4-1 (source) into unstable (Edward Betts)
  • [2025-09-10] joserfc 1.3.2-1 MIGRATED to testing (Debian testing watch)
  • [2025-09-06] Accepted joserfc 1.3.2-1 (source) into unstable (Edward Betts)
bugs [bug history graph]
  • all: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • other distros
  • security tracker
  • l10n (-, 31)
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 1.7.1-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers