-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 02 Mar 2026 03:57:30 +0100
Source: python-authlib
Architecture: source
Version: 1.6.0-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Daniel Leidert <dleidert@debian.org>
Changes:
 python-authlib (1.6.0-1+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * d/patches/CVE-2025-68158.patch: Add patch to fix CVE-2025-68158.
     - The cache-backed state/request-token storage is not tied to the
       initiating user session, so CSRF is possible for any attacker that
       has a valid state.
   * d/patches/CVE-2025-62706.patch: Add patch to fix CVE-2025-62706.
     - Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression,
       which can lead to a DoS.
   * d/patches/CVE-2025-61920.patch: Add patch to fix CVE-2025-61920.
     - Authlib’s JOSE implementation accepts unbounded JWS/JWT header and
       signature segments, which can lead to a DoS during verification.
   * d/patches/CVE-2025-59420.patch: Add patch to fix CVE-2025-59420.
     - Authlib’s JWS verification accepts tokens that declare unknown
       critical header parameters (crit), violating RFC 7515
       “must-understand” semantics. An attacker can craft a signed token
       with a critical header that strict verifiers reject but Authlib
       accepts. In mixed-language fleets, this enables split-brain
       verification and can lead to policy bypass, replay, or privilege
       escalation.
Checksums-Sha1:
 237108cf233cea517c347e6c9183b5264750ee48 3106 python-authlib_1.6.0-1+deb13u1.dsc
 c005da6a64e9356ce8c4c5234a18198bbb138e24 341039 python-authlib_1.6.0.orig.tar.gz
 1c3f136108f6ab6a5ce15d721b251bba27cc47f3 11244 python-authlib_1.6.0-1+deb13u1.debian.tar.xz
 69eb3f58d00fee2ea11513052043d88a890624bd 9388 python-authlib_1.6.0-1+deb13u1_amd64.buildinfo
Checksums-Sha256:
 4f8dd496696b2635247fbb9e55358222b941d6b988efd015bf290ff3a2e96a6d 3106 python-authlib_1.6.0-1+deb13u1.dsc
 2dfc1275b287aa1324ac5c014766b8c79fb228c59d98c021750d86b6ec7e0904 341039 python-authlib_1.6.0.orig.tar.gz
 4ea5a314c113494fa84c27b54bb518d7e424d5a7b9f2ff3b91af57d597f2c386 11244 python-authlib_1.6.0-1+deb13u1.debian.tar.xz
 aedcb3178a78dee0a0f3b4f84d7fe57c3a3ef28d40f16f735fe9eec533840575 9388 python-authlib_1.6.0-1+deb13u1_amd64.buildinfo
Files:
 c4d11c6c6af3e77b98d4c27cc25b7012 3106 python optional python-authlib_1.6.0-1+deb13u1.dsc
 116b7bd4d26ee11369e237a79fb0f3b8 341039 python optional python-authlib_1.6.0.orig.tar.gz
 5c3470927d7f177e3de8c774f5e6c42f 11244 python optional python-authlib_1.6.0-1+deb13u1.debian.tar.xz
 1e24b044d683a3cf2e04e3c85cc8313a 9388 python optional python-authlib_1.6.0-1+deb13u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmnM+RsACgkQS80FZ8KW
0F3N1xAAjn61HHjLMYH77YuPYG+kZ0Rq0UjsMPVsaMlzf7Ih5LwpmXuvZQroOizI
t/7ByECxAX8KJPm5yt+bNmB4IY7+X5L06K23u+sAA+I4dMPbpx0csfsuiDB0nYz8
g5+5O/WcnOvCDvrMBN/OT36GkCyYHWVSrlpVGao4v77sC3XyICqlEZvTjat6AoXF
rEGjHrLMNyVvMKuUjtxp+DJOqmdk65ZUzdZDiC3xWugoU3eVLpf0s/tpOfhgk2Kz
kouWQlTtzolrOn6fgNgN5YfCpvPRqhk6lVkQEeiVMy+Jt4gdMY7FW/ZK0kb3rtr3
FL4vVagLJogpX1vz1F6NdHiCmfZGjxfNyqZVtDit0OnkAIQ+SJvvTElRDfAYgYJa
rR3cp7h2lHeO0HT1qVrT+zTcPr+1efZA9Y1X86gEl6DnjoynqBSXLV93reV2kGMA
Rf4QMNivwHjKlFaV+bsddlWx5bgC7DLUUBgnmCUyR5jcGA7Mxt3ieIUEGlWcMpSn
3U3Bw1OKcuKrnGOWgVqz2Tw6LTESAWzMmXy220vSXg3KMSd0DlTEDKixLP4UOSok
pR8t1IHh2IGkbW7uW82q5WeCJGMRv0yEg6Uc0fWIdOVOZBfG6+h5SgFneDdcgwYT
8Udy8h9nK0BpH4IxDIslhM6uAFnmqqWuiBqA1H1/u5M06/T1Apw=
=gCpe
-----END PGP SIGNATURE-----
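The CVE-2025-68158 entry in the changelog above describes OAuth state storage that is not bound to the browser session that started the flow. The following is an added example, written for this page and not Authlib's code or the content of the Debian patch, of the weak and the hardened patterns side by side in plain Python: one store class whose bind_to_session switch selects between a cache keyed by the state value alone and one that also records and checks the initiating session, and a login_csrf_succeeds function that walks through the attack the entry implies. The class and function names, the session identifiers and the redirect URI are constructed for the example.

```python
"""Session-bound OAuth 2.0 "state" storage: an added example, not Authlib's code
and not the Debian patch above. One store class with a bind_to_session switch
contrasts a cache keyed by the state value alone (the weak pattern the
CVE-2025-68158 entry describes) with one that records and checks the session
that started the flow. Session ids, redirect URI and clock are constructed."""
import secrets
import time
from typing import Callable, Dict, Optional


class StateStore:
    def __init__(self, bind_to_session: bool, ttl: int = 600,
                 now: Callable[[], float] = time.time) -> None:
        self.bind_to_session = bind_to_session
        self.ttl = ttl
        self.now = now  # injectable clock so expiry can be exercised in tests
        self._cache: Dict[str, dict] = {}  # stands in for a shared cache backend

    def create(self, session_id: str, redirect_uri: str) -> str:
        """Issue a fresh state for this session and remember who started the flow."""
        state = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._cache[state] = {"sid": session_id, "redirect_uri": redirect_uri,
                              "expires": self.now() + self.ttl}
        return state

    def consume(self, session_id: str, state: str) -> Optional[dict]:
        """Return the flow data once, or None if the callback must be refused."""
        entry = self._cache.pop(state, None)  # single use: a replay finds nothing
        if entry is None or entry["expires"] < self.now():
            return None
        # The weak pattern stops here: a valid, unexpired state is enough no matter
        # whose browser session presents it. The bound pattern also demands that
        # the session finishing the flow is the one that started it.
        if self.bind_to_session and not secrets.compare_digest(entry["sid"], session_id):
            return None
        return entry


def login_csrf_succeeds(store: StateStore) -> bool:
    """Walk through the attack the changelog entry implies.

    The attacker starts an authorization flow in their own browser session and
    captures the state the server issued. They then cause the victim's browser to
    request the callback URL with that state (a redirect or hidden image will do).
    If the server accepts it, the victim's session completes the attacker's
    login, e.g. linking the attacker's identity-provider account to the victim.
    The session ids here are constructed labels, not real cookies.
    """
    attacker_state = store.create("attacker-sid", "https://app.example/callback")
    return store.consume("victim-sid", attacker_state) is not None
```

With bind_to_session=False the attacker's state is accepted in the victim's session; with it set, the same callback is refused. Single use and expiry are kept in both modes, since binding to the session does not by itself stop a replay within that session.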
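The three JOSE entries above (CVE-2025-61920, CVE-2025-59420 and CVE-2025-62706) each describe a check a verifier should make before it spends any work on cryptography or decompression. The following is an added, stand-alone example in stdlib Python of what those guards look like; it is not Authlib's code and not the content of the Debian patches. The size limits, the REGISTERED_HEADERS set, the urn:example:policy extension header, the make_token helper and the sample tokens are assumptions made for the example. The DEFLATE bound works by asking zlib for at most one byte more than the budget, so an oversized plaintext is detected without ever being fully inflated.

```python
"""Pre-verification guards for compact JOSE tokens: an added example, not Authlib's
code and not the Debian patches above. Stdlib Python for the checks the three JOSE
CVE entries describe: bounded segment sizes (CVE-2025-61920), RFC 7515 "crit"
must-understand handling (CVE-2025-59420) and bounded inflation for JWE zip=DEF
(CVE-2025-62706). Limits, header names and sample tokens are illustrative."""
import base64
import json
import zlib

# Illustrative limits (assumptions, not Authlib's or Debian's values); segment
# limits apply to the base64url text, before anything is decoded.
MAX_HEADER_SEGMENT = 4096
MAX_SIGNATURE_SEGMENT = 1024
MAX_INFLATED_BYTES = 256 * 1024

# Header names registered by RFC 7515/7516/7518. RFC 7515 section 4.1.11 says
# producers MUST NOT list them in "crit", so a verifier may reject tokens that do.
REGISTERED_HEADERS = frozenset({
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty",
    "crit", "enc", "zip", "epk", "apu", "apv", "iv", "tag", "p2s", "p2c"})


class TokenRejected(Exception):
    """Raised by a guard before any cryptographic or decompression work."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Strict base64url (RFC 7515 Appendix C): URL-safe alphabet, no padding.
    try:
        pad = "=" * (-len(segment) % 4)
        return base64.b64decode(segment + pad, altchars=b"-_", validate=True)
    except ValueError as exc:
        raise TokenRejected(f"bad base64url segment: {exc}") from None


def check_crit(header: dict, understood: frozenset) -> None:
    # RFC 7515 section 4.1.11: reject unless every "crit" name is understood.
    if "crit" not in header:
        return
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        raise TokenRejected('"crit" must be a non-empty array')
    if not all(isinstance(n, str) for n in crit) or len(set(crit)) != len(crit):
        raise TokenRejected('"crit" must hold unique strings')
    for name in crit:
        if name in REGISTERED_HEADERS:
            raise TokenRejected(f'"crit" must not list registered header {name!r}')
        if name not in header:
            raise TokenRejected(f"critical header {name!r} is absent")
        if name not in understood:
            raise TokenRejected(f"critical header {name!r} is not understood")


def parse_jws_compact(token: str, understood: frozenset = frozenset()):
    """Run the guards on a compact JWS; returns (header, payload, signing_input, sig)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("compact JWS needs exactly three segments")
    enc_header, enc_payload, enc_sig = parts
    # Length checks on the encoded text run before any decoding or JSON parsing.
    if not enc_header or len(enc_header) > MAX_HEADER_SEGMENT:
        raise TokenRejected(f"header segment length {len(enc_header)} out of bounds")
    if not enc_sig or len(enc_sig) > MAX_SIGNATURE_SEGMENT:
        raise TokenRejected(f"signature segment length {len(enc_sig)} out of bounds")
    try:
        header = json.loads(b64url_decode(enc_header).decode("utf-8"))
    except ValueError as exc:
        raise TokenRejected(f"header is not JSON: {exc}") from None
    if not isinstance(header, dict):
        raise TokenRejected("header is not a JSON object")
    check_crit(header, understood)
    payload, signature = b64url_decode(enc_payload), b64url_decode(enc_sig)
    return header, payload, f"{enc_header}.{enc_payload}".encode("ascii"), signature


def make_token(header: dict, payload: bytes, sig: bytes = b"\0" * 32) -> str:
    # Assembles a compact JWS from its parts; used only for constructed samples.
    enc_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return f"{enc_header}.{b64url_encode(payload)}.{b64url_encode(sig)}"


def raw_deflate(data: bytes) -> bytes:
    # JWE zip=DEF is raw DEFLATE (RFC 7516 section 4.1.3, RFC 1951): wbits=-15.
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def bounded_inflate(data: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    # Ask zlib for at most limit+1 bytes: if it can deliver that many, the
    # plaintext is over budget and inflation stops there instead of filling RAM.
    d = zlib.decompressobj(wbits=-15)
    try:
        out = d.decompress(data, limit + 1)
    except zlib.error as exc:
        raise TokenRejected(f"invalid DEFLATE stream: {exc}") from None
    if len(out) > limit:
        raise TokenRejected(f"inflated plaintext exceeds {limit} bytes")
    if not d.eof:
        raise TokenRejected("truncated DEFLATE stream")
    return out


def rejects(fn) -> bool:
    # True if fn() raises TokenRejected; keeps the checks that use it readable.
    try:
        fn()
    except TokenRejected:
        return True
    return False
```

Call parse_jws_compact before signature verification and bounded_inflate before the decrypted JWE plaintext is handed on. The understood set is the list of extension headers this verifier actually processes, so the default empty set means any token carrying crit is refused, which is the strict behaviour the CVE-2025-59420 entry contrasts with Authlib's.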