Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package python-authlib [ Reason ] Upstream made a security point release. No CVE. [ Impact ] Security vulnerability. [ Tests ] Added a unit test to cover the issue. Package builds and tests pass. [ Risks ] Tiny diff, looks good. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock python-authlib/0.15.4-1
diff -Nru python-authlib-0.15.3/authlib/consts.py python-authlib-0.15.4/authlib/consts.py --- python-authlib-0.15.3/authlib/consts.py 2021-01-15 09:51:55.000000000 -0400 +++ python-authlib-0.15.4/authlib/consts.py 2021-06-05 03:07:38.000000000 -0400 @@ -1,5 +1,5 @@ name = 'Authlib' -version = '0.15.3' +version = '0.15.4' author = 'Hsiaoming Yang <m...@lepture.com>' homepage = 'https://authlib.org/' default_user_agent = '{}/{} (+{})'.format(name, version, homepage) diff -Nru python-authlib-0.15.3/authlib/jose/rfc7519/claims.py python-authlib-0.15.4/authlib/jose/rfc7519/claims.py --- python-authlib-0.15.3/authlib/jose/rfc7519/claims.py 2021-01-15 09:51:55.000000000 -0400 +++ python-authlib-0.15.4/authlib/jose/rfc7519/claims.py 2021-06-05 03:07:38.000000000 -0400 @@ -58,10 +58,10 @@ def _validate_claim_value(self, claim_name): option = self.options.get(claim_name) - value = self.get(claim_name) - if not option or not value: + if not option: return + value = self.get(claim_name) option_value = option.get('value') if option_value and value != option_value: raise InvalidClaimError(claim_name) diff -Nru python-authlib-0.15.3/debian/changelog python-authlib-0.15.4/debian/changelog --- python-authlib-0.15.3/debian/changelog 2021-01-20 14:21:23.000000000 -0400 +++ python-authlib-0.15.4/debian/changelog 2021-07-07 19:32:08.000000000 -0400 @@ -1,3 +1,9 @@ +python-authlib (0.15.4-1) unstable; urgency=medium + + * New upstream point release, fixing a security issue. + + -- Stefano Rivera <stefa...@debian.org> Wed, 07 Jul 2021 19:32:08 -0400 + python-authlib (0.15.3-1) unstable; urgency=medium [ Stefano Rivera ] diff -Nru python-authlib-0.15.3/tests/core/test_jose/test_jwt.py python-authlib-0.15.4/tests/core/test_jose/test_jwt.py --- python-authlib-0.15.3/tests/core/test_jose/test_jwt.py 2021-01-15 09:51:55.000000000 -0400 +++ python-authlib-0.15.4/tests/core/test_jose/test_jwt.py 2021-06-05 03:07:38.000000000 -0400 
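Review bot: The reordered guard in `_validate_claim_value` (authlib/jose/rfc7519/claims.py) has no comment saying why a falsy claim value must no longer short-circuit, which is the whole security content of the fix. Before it, a claim that was `None`, empty or absent skipped the expected-value comparison. I would add above `value = self.get(claim_name)` a comment such as `# Do not return early on a missing/None claim: it must still fail the expected-value check`. The remaining `if option_value and value != option_value:` still tests the expected value by truthiness, so a configured value of `0`, `''` or `False` is never enforced; `if option_value is not None and value != option_value:` would close that. As far as the visible lines show, a token that omits a non-essential claim with a configured `value` is now rejected, which deserves a changelog line; the function body continues past the hunk.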
@@ -73,6 +73,20 @@ claims.validate, ) + def test_validate_expected_issuer_received_None(self): + id_token = jwt.encode({'alg': 'HS256'}, {'iss': None, 'sub': None}, 'k') + claims_options = { + 'iss': { + 'essential': True, + 'values': ['foo'] + } + } + claims = jwt.decode(id_token, 'k', claims_options=claims_options) + self.assertRaises( + errors.InvalidClaimError, + claims.validate + ) + def test_validate_aud(self): id_token = jwt.encode({'alg': 'HS256'}, {'aud': 'foo'}, 'k') claims_options = {
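Review bot: `test_validate_expected_issuer_received_None` covers only the `values` list path with an explicit `'iss': None`, and it also sets `'essential': True`, so it does not isolate the regression from essential-claim handling. The single-`value` option and a token that omits the claim altogether pass through the same guard and stay untested. A second case such as `claims = jwt.decode(jwt.encode({'alg': 'HS256'}, {'sub': 'x'}, 'k'), 'k', claims_options={'iss': {'value': 'foo'}})` followed by `self.assertRaises(errors.InvalidClaimError, claims.validate)` would cover both. That it raises `InvalidClaimError` is inferred from the claims.py hunk; confirm against the full `validate()` path, which is not shown here.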