python-authlib (0.15.4-1+deb11u1) bullseye-security; urgency=medium

  * Non-maintainer upload by the Debian LTS team.
  * d/patches/CVE-2025-62706.patch: Add patch to fix CVE-2025-62706.
    - Authlib's JWE zip=DEF path performs unbounded DEFLATE decompression,
      which can lead to a DoS.
  * d/patches/CVE-2025-61920.patch: Add patch to fix CVE-2025-61920.
    - Authlib's JOSE implementation accepts unbounded JWS/JWT header and
      signature segments, which can lead to a DoS during verification.
  * d/patches/CVE-2025-59420.patch: Add patch to fix CVE-2025-59420.
    - Authlib's JWS verification accepts tokens that declare unknown critical
      header parameters (crit), violating RFC 7515 "must-understand"
      semantics. An attacker can craft a signed token with a critical header
      that strict verifiers reject but Authlib accepts. In mixed-language
      fleets, this enables split-brain verification and can lead to policy
      bypass, replay, or privilege escalation.
  * d/patches/CVE-2024-37568.patch: Add patch to fix CVE-2024-37568.
    - Unless an algorithm is specified in a jwt.decode call, HMAC
      verification is allowed with any asymmetric public key.

 -- Daniel Leidert  Wed, 29 Oct 2025 02:57:06 +0100

python-authlib (0.15.4-1) unstable; urgency=medium

  * New upstream point release, fixing a security issue.

 -- Stefano Rivera  Wed, 07 Jul 2021 19:32:08 -0400

python-authlib (0.15.3-1) unstable; urgency=medium

  [ Stefano Rivera ]
  * New upstream release.
  * Bump Standards-Version to 4.5.1, no changes needed.
  * Bump copyright years.

  [ Debian Janitor ]
  * Set upstream metadata fields: Repository.

 -- Stefano Rivera  Wed, 20 Jan 2021 11:21:23 -0700

python-authlib (0.15.2-1) unstable; urgency=medium

  * New upstream release.
  * Add upstream metadata.

 -- Stefano Rivera  Fri, 30 Oct 2020 11:56:19 -0700

python-authlib (0.15.1-1) unstable; urgency=medium

  * New upstream release.
  * Refresh patches.
  * Build-Depend on python3-itsdangerous for tests.
  * Drop Build-Depends for starlette test suite, not shipped in upstream
    source.
  * Run the 3 test suites separately, as upstream does. They fail otherwise.

 -- Stefano Rivera  Wed, 14 Oct 2020 21:16:12 -0700

python-authlib (0.14.3-2) unstable; urgency=medium

  * Upload to unstable.
  * Update Maintainer email for DPMT & PAPT merger.
  * Update Vcs URLs for DPMT & PAPT merger.

 -- Stefano Rivera  Wed, 23 Sep 2020 13:36:52 -0700

python-authlib (0.14.3-1) experimental; urgency=low

  * Initial Release (Closes: #968644)

 -- Stefano Rivera  Wed, 19 Aug 2020 15:14:48 -0700
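The RFC 7515 "must-understand" rule behind the CVE-2025-59420 entry above, and the segment size bound behind the CVE-2025-61920 entry, as an added reference check that is not Authlib's code or the Debian patch: the header names, size limit (MAX_SEGMENT_CHARS) and supported-extension set (SUPPORTED_CRIT) are constructed for the illustration, and the function signatures are hypothetical.

```python
import base64
import json
# Constructed limits for this illustration; they are not Authlib's values.
MAX_SEGMENT_CHARS = 4096             # cap on an encoded header segment
SUPPORTED_CRIT = frozenset({"b64"})  # critical extensions this verifier understands
# Names RFC 7515 defines; section 4.1.11 forbids listing them in 'crit'.
STANDARD_PARAMS = frozenset("alg jku jwk kid x5u x5c x5t x5t#S256 typ cty crit".split())

class HeaderRejected(ValueError):
    """Raised when a JWS protected header must not be accepted."""

def encode_protected_header(header: dict) -> str:
    # Builds the first JWS segment from a dict; used here to construct test inputs.
    raw = json.dumps(header, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    if len(segment) > MAX_SEGMENT_CHARS:
        raise HeaderRejected("header segment exceeds size bound")
    padded = segment + "=" * (-len(segment) % 4)  # JWS omits base64 padding
    try:
        return base64.urlsafe_b64decode(padded)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise HeaderRejected("header segment is not valid base64url") from exc

def validate_protected_header(segment: str) -> dict:
    header = json.loads(b64url_decode(segment))  # JSONDecodeError is a ValueError
    if not isinstance(header, dict):
        raise HeaderRejected("protected header is not a JSON object")
    crit = header.get("crit")
    if crit is None:
        return header
    if not isinstance(crit, list) or not crit or not all(isinstance(n, str) for n in crit):
        raise HeaderRejected("crit must be a non-empty array of strings")
    for name in crit:
        if name in STANDARD_PARAMS:
            raise HeaderRejected(f"crit must not list standard parameter {name!r}")
        if name not in header:
            raise HeaderRejected(f"critical parameter {name!r} missing from header")
        if name not in SUPPORTED_CRIT:
            # The CVE-2025-59420 class of bug: an unknown critical parameter must be rejected.
            raise HeaderRejected(f"unsupported critical parameter {name!r}")
    return header

def header_is_acceptable(segment: str) -> bool:
    try:
        validate_protected_header(segment)
    except ValueError:  # HeaderRejected, bad base64url, or malformed JSON
        return False
    return True
```

A verifier that only understands the b64 extension accepts a header that lists it in crit and carries it, and rejects one that names any extension it does not implement, instead of silently ignoring it.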