Format: 1.8
Date: Sat, 09 May 2026 23:01:42 -0300
Source: python-authlib
Architecture: source
Version: 0.15.4-1+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Emmanuel Arias <eamanu@debian.org>
Changes:
python-authlib (0.15.4-1+deb11u2) bullseye-security; urgency=high
.
* Non-maintainer upload by the LTS Team.
* d/patches/CVE-2026-27962.patch: Fix authentication and authorization bypass
vulnerability caused by a crafted public key embedded in the jwk header field
when key=None is passed to JWS deserialization functions.
* d/patches/CVE-2026-28490.patch: Authlib exposed distinguishable error
responses between invalid PKCS#1 v1.5 padding and invalid AES-GCM tag,
enabling Bleichenbacher-style attacks.
* debian/patches/CVE-2026-28498.patch: Fix OIDC ID Token validation bypass in
at_hash and c_hash verification. _verify_hash() silently returned True
when create_half_hash() received an unknown algorithm, allowing forged ID
Tokens to pass validation.
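The at_hash/c_hash check named in the last entry, as an added example that is neither Authlib's nor Debian's code: create_half_hash and verify_half_hash follow the OIDC Core definition (base64url of the left half of the digest implied by the ID Token alg) and treat an unknown alg as a hard error, while verify_half_hash_lenient reconstructs the flawed pattern the entry describes so the difference is visible. Function names, the alg table and the sample token are assumptions for illustration.

```python
import base64
import hashlib
import hmac

# OIDC Core 3.3.2.11 / 3.1.3.6: at_hash (and c_hash) is the base64url encoding,
# without padding, of the left-most half of the digest named by the ID Token
# "alg" header: *S256 -> SHA-256, *S384 -> SHA-384, *S512 -> SHA-512.
# (Table is an assumption of this example; it is not Authlib's registry.)
_DIGEST_FOR_ALG = {
    **{p + "256": hashlib.sha256 for p in ("HS", "RS", "ES", "PS")},
    **{p + "384": hashlib.sha384 for p in ("HS", "RS", "ES", "PS")},
    **{p + "512": hashlib.sha512 for p in ("HS", "RS", "ES", "PS")},
}


def create_half_hash(value: str, alg: str) -> str:
    """Compute at_hash/c_hash for `value`; an unknown alg is a hard error."""
    try:
        digest_fn = _DIGEST_FOR_ALG[alg]
    except KeyError:
        raise ValueError(f"cannot compute at_hash/c_hash for alg {alg!r}") from None
    digest = digest_fn(value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_half_hash(claimed: str, value: str, alg: str) -> bool:
    """Hardened check: the unknown-alg error propagates instead of passing."""
    expected = create_half_hash(value, alg)
    return hmac.compare_digest(expected.encode("ascii"), claimed.encode("utf-8"))


def verify_half_hash_lenient(claimed: str, value: str, alg: str) -> bool:
    """Reconstruction of the flawed pattern the changelog describes (not
    Authlib's code): when no hash can be computed for alg, the comparison is
    skipped and the claim is accepted, so a forged ID Token slips through."""
    try:
        expected = create_half_hash(value, alg)
    except ValueError:
        return True  # the bug: silent pass on an unknown algorithm
    return hmac.compare_digest(expected.encode("ascii"), claimed.encode("utf-8"))


if __name__ == "__main__":
    token = "constructed-access-token-value"  # constructed sample, not a real token
    tag = create_half_hash(token, "RS256")
    print(tag, verify_half_hash(tag, token, "RS256"))
    print("lenient accepts forged claim:", verify_half_hash_lenient("bogus", token, "HS999"))
    try:
        verify_half_hash("bogus", token, "HS999")
    except ValueError as exc:
        print("hardened rejects:", exc)
```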
Checksums-Sha1:
Checksums-Sha256:
Files: