python-jwcrypto - Debian Package Tracker

general

source: python-jwcrypto (main)
version: 1.5.6-1
maintainer: Debian FreeIPA Team (archive) (DMD)
uploaders: Timo Aaltonen [DMD]
arch: all
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.8.0-1
o-o-sec: 0.8.0-1+deb11u1
oldstable: 1.1.0-1+deb12u1
stable: 1.5.6-1
testing: 1.5.6-1
unstable: 1.5.6-1

versioned links

0.8.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.8.0-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.1.0-1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.5.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python3-jwcrypto

action needed

A new upstream version is available: 1.5.7 high

A new upstream version 1.5.7 is available, you should consider packaging it.

Created: 2026-04-07 Last update: 2026-04-27 20:00

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2026-39373: JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.

Created: 2026-04-08 Last update: 2026-04-19 14:02

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2026-39373: JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.

Created: 2026-04-08 Last update: 2026-04-19 14:02

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-39373: JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.

Created: 2026-04-08 Last update: 2026-04-19 14:02

2 security issues in bookworm high

There are 2 open security issues in bookworm.

1 important issue:

CVE-2026-39373: JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.

1 issue left for the package maintainer to handle:

CVE-2023-6681: (needs triaging) A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a denial of service attack.

You can find information about how to handle this issue in the security team's documentation.

Created: 2024-02-13 Last update: 2026-04-19 14:02

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2025-09-11 Last update: 2025-09-11 00:03

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.5.1).

Created: 2021-08-18 Last update: 2026-03-31 15:01

news

[rss feed]

[2024-09-09] Accepted python-jwcrypto 0.8.0-1+deb11u1 (source) into oldstable-security (Chris Lamb)
[2024-06-16] Accepted python-jwcrypto 1.1.0-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Steve McIntyre)
[2024-05-07] python-jwcrypto 1.5.6-1 MIGRATED to testing (Debian testing watch)
[2024-05-02] Accepted python-jwcrypto 1.5.6-1 (source) into unstable (Timo Aaltonen)
[2024-02-20] python-jwcrypto 1.5.4-1 MIGRATED to testing (Debian testing watch)
[2024-02-15] Accepted python-jwcrypto 1.5.4-1 (source) into unstable (Timo Aaltonen)
[2022-04-03] python-jwcrypto 1.1.0-1 MIGRATED to testing (Debian testing watch)
[2022-03-29] Accepted python-jwcrypto 1.1.0-1 (source) into unstable (Timo Aaltonen)
[2021-10-05] python-jwcrypto 1.0.0-2 MIGRATED to testing (Debian testing watch)
[2021-09-30] Accepted python-jwcrypto 1.0.0-2 (source) into unstable (Timo Aaltonen)
[2021-08-21] python-jwcrypto 1.0.0-1 MIGRATED to testing (Debian testing watch)
[2021-08-16] Accepted python-jwcrypto 1.0.0-1 (source) into unstable (Timo Aaltonen)
[2021-01-12] python-jwcrypto 0.8.0-1 MIGRATED to testing (Debian testing watch)
[2021-01-06] Accepted python-jwcrypto 0.8.0-1 (source) into unstable (Timo Aaltonen)
[2020-04-22] Accepted python-jwcrypto 0.6.0-2~bpo10+1 (source all) into buster-backports, buster-backports (Debian FTP Masters) (signed by: Mattia Rizzolo)
[2019-09-17] python-jwcrypto 0.6.0-2 MIGRATED to testing (Debian testing watch)
[2019-09-11] Accepted python-jwcrypto 0.6.0-2 (source) into unstable (Timo Aaltonen)
[2019-07-09] python-jwcrypto 0.6.0-1 MIGRATED to testing (Debian testing watch)
[2019-06-12] python-jwcrypto REMOVED from testing (Debian testing watch)
[2019-04-02] Accepted python-jwcrypto 0.6.0-1 (source) into unstable (Timo Aaltonen)
[2017-12-28] python-jwcrypto 0.4.2-1 MIGRATED to testing (Debian testing watch)
[2017-12-23] Accepted python-jwcrypto 0.4.2-1 (source) into unstable (Timo Aaltonen)
[2016-09-25] python-jwcrypto 0.3.2-1 MIGRATED to testing (Debian testing watch)
[2016-09-19] Accepted python-jwcrypto 0.3.2-1 (source) into unstable (Timo Aaltonen)
[2015-10-26] python-jwcrypto 0.2.1-1 MIGRATED to testing (Britney)
[2015-10-15] Accepted python-jwcrypto 0.2.1-1 (source all) into unstable, unstable (Timo Aaltonen)

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 1)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.5.6-1