-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 29 Oct 2025 02:57:06 +0100
Source: python-authlib
Architecture: source
Version: 0.15.4-1+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Daniel Leidert <dleidert@debian.org>
Changes:
 python-authlib (0.15.4-1+deb11u1) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * d/patches/CVE-2025-62706.patch: Add patch to fix CVE-2025-62706.
     - Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression
       which can lead to a DoS.
   * d/patches/CVE-2025-61920.patch: Add patch to fix CVE-2025-61920.
     - Authlib’s JOSE implementation accepts unbounded JWS/JWT header and
       signature segments which can lead to a DoS during verification.
   * d/patches/CVE-2025-59420.patch: Add patch to fix CVE-2025-59420.
     - Authlib’s JWS verification accepts tokens that declare unknown critical
       header parameters (crit), violating RFC 7515 “must‑understand”
       semantics. An attacker can craft a signed token with a critical header
       that strict verifiers reject but Authlib accepts. In mixed‑language
       fleets, this enables split‑brain verification and can lead to policy
       bypass, replay, or privilege escalation.
   * d/patches/CVE-2024-37568.patch: Add patch to fix CVE-2024-37568.
     - Unless an algorithm is specified in a jwt.decode call, HMAC
       verification is allowed with any asymmetric public key.
Checksums-Sha1:
Checksums-Sha256:
Files:
 94986942a745f7959dbc7ce50ad2da0b 2535 python optional python-authlib_0.15.4-1+deb11u1.dsc
 9adc317946e60630a5e2859cab8d5a73 273443 python optional python-authlib_0.15.4.orig.tar.gz
 09ed471ecd8714726f994c51764a9d65 9724 python optional python-authlib_0.15.4-1+deb11u1.debian.tar.xz
 fbc325cf57a7be95293e3a9ff52e22aa 9090 python optional python-authlib_0.15.4-1+deb11u1_amd64.buildinfo
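The last three changelog entries above describe header-level checks a JWS verifier has to apply before it trusts a token. The following stdlib-only Python is an added illustration, not Authlib's code and not the Debian patches: it enforces the same policy points on a compact JWS header, namely bounded segment sizes (the CVE-2025-61920 class), a caller-pinned algorithm allowlist that never verifies HMAC against an asymmetric key (the CVE-2024-37568 class), and RFC 7515 must-understand handling of `crit` (the CVE-2025-59420 class). MAX_SEGMENT_BYTES, UNDERSTOOD_CRIT, sample_token and validate_jws_header are names and values constructed for this example.

```python
import base64
import json

# Constructed policy values mirroring the checks the patches add; not Authlib
# code. A deployment would tune the bound and the understood-extension set.
MAX_SEGMENT_BYTES = 8192          # bound on each compact-serialization segment
UNDERSTOOD_CRIT = frozenset()     # this verifier implements no extension headers
SYMMETRIC_ALGS = frozenset({"HS256", "HS384", "HS512"})


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sample_token(header: dict) -> str:
    """Constructed compact JWS: given header, empty-object payload, dummy signature."""
    return ".".join((_b64url_encode(json.dumps(header).encode()), "e30", "AAAA"))


def validate_jws_header(token: str, allowed_algs, key_is_asymmetric: bool) -> dict:
    """Cheap pre-verification policy: return the protected header or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    # CVE-2025-61920 class: reject oversized header/signature segments before parsing
    for name, seg in zip(("header", "payload", "signature"), parts):
        if len(seg) > MAX_SEGMENT_BYTES:
            raise ValueError(f"{name} segment exceeds {MAX_SEGMENT_BYTES} bytes")
    header = json.loads(_b64url_decode(parts[0]))
    alg = header.get("alg")
    # CVE-2024-37568 class: the caller pins the algorithm set, and an HMAC alg
    # is never verified against an asymmetric public key (algorithm confusion)
    if alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} is not in the configured allowlist")
    if key_is_asymmetric and alg in SYMMETRIC_ALGS:
        raise ValueError("HMAC alg presented against an asymmetric key")
    # CVE-2025-59420 class: RFC 7515 section 4.1.11 must-understand semantics
    crit = header.get("crit")
    if crit is not None:
        if not isinstance(crit, list) or not crit:
            raise ValueError("crit must be a non-empty array")
        for name in crit:
            if name not in header:
                raise ValueError(f"crit names {name!r} but the header lacks it")
            if name not in UNDERSTOOD_CRIT:
                raise ValueError(f"unsupported critical header parameter {name!r}")
    return header
```

Signature verification is deliberately left to the library; this runs first so malformed or policy-violating input is rejected before any cryptographic work.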