Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package python-authlib

[ Reason ]
Upstream made a security point release. No CVE.

[ Impact ]
Security vulnerability.

[ Tests ]
Added a unit test to cover the issue.

Package builds and tests pass.

[ Risks ]
Tiny diff, looks good.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock python-authlib/0.15.4-1
diff -Nru python-authlib-0.15.3/authlib/consts.py 
python-authlib-0.15.4/authlib/consts.py
--- python-authlib-0.15.3/authlib/consts.py     2021-01-15 09:51:55.000000000 
-0400
+++ python-authlib-0.15.4/authlib/consts.py     2021-06-05 03:07:38.000000000 
-0400
@@ -1,5 +1,5 @@
 name = 'Authlib'
-version = '0.15.3'
+version = '0.15.4'
 author = 'Hsiaoming Yang <m...@lepture.com>'
 homepage = 'https://authlib.org/'
 default_user_agent = '{}/{} (+{})'.format(name, version, homepage)
diff -Nru python-authlib-0.15.3/authlib/jose/rfc7519/claims.py 
python-authlib-0.15.4/authlib/jose/rfc7519/claims.py
--- python-authlib-0.15.3/authlib/jose/rfc7519/claims.py        2021-01-15 
09:51:55.000000000 -0400
+++ python-authlib-0.15.4/authlib/jose/rfc7519/claims.py        2021-06-05 
03:07:38.000000000 -0400
@@ -58,10 +58,10 @@
 
     def _validate_claim_value(self, claim_name):
         option = self.options.get(claim_name)
-        value = self.get(claim_name)
-        if not option or not value:
+        if not option:
             return
 
+        value = self.get(claim_name)
         option_value = option.get('value')
         if option_value and value != option_value:
             raise InvalidClaimError(claim_name)
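Review bot: the early `return` on a falsy claim value is the actual defect in this hunk: with `if not option or not value:`, a token that carried a configured claim with a `None` or empty value skipped both the `option_value` comparison and every check that follows it, so a claim the verifier had marked as required was accepted unvalidated. Moving `value = self.get(claim_name)` below the `if not option:` guard is the right fix, but the visible context stops at the `option_value and value != option_value` comparison; please confirm that the `values` list check further down in this method (the one the new test exercises) also treats a `None` value as a mismatch and does not contain a second `not value` short-circuit.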
diff -Nru python-authlib-0.15.3/debian/changelog 
python-authlib-0.15.4/debian/changelog
--- python-authlib-0.15.3/debian/changelog      2021-01-20 14:21:23.000000000 
-0400
+++ python-authlib-0.15.4/debian/changelog      2021-07-07 19:32:08.000000000 
-0400
@@ -1,3 +1,9 @@
+python-authlib (0.15.4-1) unstable; urgency=medium
+
+  * New upstream point release, fixing a security issue.
+
+ -- Stefano Rivera <stefa...@debian.org>  Wed, 07 Jul 2021 19:32:08 -0400
+
 python-authlib (0.15.3-1) unstable; urgency=medium
 
   [ Stefano Rivera ]
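Review bot: the changelog entry should identify the issue rather than say only "fixing a security issue", since there is no CVE to cross-reference; something like `* New upstream point release, fixing JWT claims validation being skipped for claims present with a None/empty value (no CVE).` lets users of the stable release judge whether they are affected.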
diff -Nru python-authlib-0.15.3/tests/core/test_jose/test_jwt.py 
python-authlib-0.15.4/tests/core/test_jose/test_jwt.py
--- python-authlib-0.15.3/tests/core/test_jose/test_jwt.py      2021-01-15 
09:51:55.000000000 -0400
+++ python-authlib-0.15.4/tests/core/test_jose/test_jwt.py      2021-06-05 
03:07:38.000000000 -0400
@@ -73,6 +73,20 @@
             claims.validate,
         )
 
+    def test_validate_expected_issuer_received_None(self):
+        id_token = jwt.encode({'alg': 'HS256'}, {'iss': None, 'sub': None}, 
'k')
+        claims_options = {
+            'iss': {
+                'essential': True,
+                'values': ['foo']
+            }
+        }
+        claims = jwt.decode(id_token, 'k', claims_options=claims_options)
+        self.assertRaises(
+            errors.InvalidClaimError,
+            claims.validate
+        )
+
     def test_validate_aud(self):
         id_token = jwt.encode({'alg': 'HS256'}, {'aud': 'foo'}, 'k')
         claims_options = {
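Review bot: the new test covers only `'iss': None` against the plural `'values': ['foo']` option, while the removed `not value` guard also short-circuited for empty strings and `0` and for the singular `'value'` option on the same path; a second case, e.g. `{'iss': ''}` decoded with `{'iss': {'essential': True, 'value': 'foo'}}` and asserting `InvalidClaimError`, would pin down the rest of the fixed behaviour and guard against the guard being reintroduced in either branch.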