-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 02 Mar 2026 03:57:30 +0100
Source: python-authlib
Architecture: source
Version: 1.6.0-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Daniel Leidert <[email protected]>
Changes:
 python-authlib (1.6.0-1+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * d/patches/CVE-2025-68158.patch: Add patch to fix CVE-2025-68158.
     - The cache-backed state/request-token storage is not tied to the
       initiating user session, so CSRF is possible for any attacker that has
       a valid state.
   * d/patches/CVE-2025-62706.patch: Add patch to fix CVE-2025-62706.
     - Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression
       which can lead to a DoS.
   * d/patches/CVE-2025-61920.patch: Add patch to fix CVE-2025-61920.
     - Authlib’s JOSE implementation accepts unbounded JWS/JWT header and
       signature segments which can lead to a DoS during verification.
   * d/patches/CVE-2025-59420.patch: Add patch to fix CVE-2025-59420.
     - Authlib’s JWS verification accepts tokens that declare unknown critical
       header parameters (crit), violating RFC 7515 “must‑understand” semantics.
       An attacker can craft a signed token with a critical header that strict
       verifiers reject but Authlib accepts. In mixed‑language fleets, this
       enables split‑brain verification and can lead to policy bypass, replay,
       or privilege escalation.
Checksums-Sha1:
 237108cf233cea517c347e6c9183b5264750ee48 3106 python-authlib_1.6.0-1+deb13u1.dsc
 c005da6a64e9356ce8c4c5234a18198bbb138e24 341039 python-authlib_1.6.0.orig.tar.gz
 1c3f136108f6ab6a5ce15d721b251bba27cc47f3 11244 python-authlib_1.6.0-1+deb13u1.debian.tar.xz
 69eb3f58d00fee2ea11513052043d88a890624bd 9388 python-authlib_1.6.0-1+deb13u1_amd64.buildinfo
Checksums-Sha256:
 4f8dd496696b2635247fbb9e55358222b941d6b988efd015bf290ff3a2e96a6d 3106 python-authlib_1.6.0-1+deb13u1.dsc
 2dfc1275b287aa1324ac5c014766b8c79fb228c59d98c021750d86b6ec7e0904 341039 python-authlib_1.6.0.orig.tar.gz
 4ea5a314c113494fa84c27b54bb518d7e424d5a7b9f2ff3b91af57d597f2c386 11244 python-authlib_1.6.0-1+deb13u1.debian.tar.xz
 aedcb3178a78dee0a0f3b4f84d7fe57c3a3ef28d40f16f735fe9eec533840575 9388 python-authlib_1.6.0-1+deb13u1_amd64.buildinfo
Files:
 c4d11c6c6af3e77b98d4c27cc25b7012 3106 python optional python-authlib_1.6.0-1+deb13u1.dsc
 116b7bd4d26ee11369e237a79fb0f3b8 341039 python optional python-authlib_1.6.0.orig.tar.gz
 5c3470927d7f177e3de8c774f5e6c42f 11244 python optional python-authlib_1.6.0-1+deb13u1.debian.tar.xz
 1e24b044d683a3cf2e04e3c85cc8313a 9388 python optional python-authlib_1.6.0-1+deb13u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
