Format: 1.8
Date: Mon, 02 Mar 2026 03:57:30 +0100
Source: python-authlib
Binary: python-authlib-doc python3-authlib
Architecture: all
Version: 1.6.0-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-01)
Changed-By: Daniel Leidert
Description:
 python-authlib-doc - Python library for OAuth and OpenID Connect servers (docs)
 python3-authlib - Python library for OAuth and OpenID Connect servers
Changes:
 python-authlib (1.6.0-1+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * d/patches/CVE-2025-68158.patch: Add patch to fix CVE-2025-68158.
     - The cache-backed state/request-token storage is not tied to the
       initiating user session, so CSRF is possible for any attacker that
       has a valid state.
   * d/patches/CVE-2025-62706.patch: Add patch to fix CVE-2025-62706.
     - Authlib's JWE zip=DEF path performs unbounded DEFLATE decompression,
       which can lead to a DoS.
   * d/patches/CVE-2025-61920.patch: Add patch to fix CVE-2025-61920.
     - Authlib's JOSE implementation accepts unbounded JWS/JWT header and
       signature segments, which can lead to a DoS during verification.
   * d/patches/CVE-2025-59420.patch: Add patch to fix CVE-2025-59420.
     - Authlib's JWS verification accepts tokens that declare unknown
       critical header parameters (crit), violating RFC 7515
       "must-understand" semantics. An attacker can craft a signed token
       with a critical header that strict verifiers reject but Authlib
       accepts. In mixed-language fleets, this enables split-brain
       verification and can lead to policy bypass, replay, or privilege
       escalation.
Checksums-Sha1:
 cbaaf1ee7588325c27cb19d7741f8954dad314a9 261044 python-authlib-doc_1.6.0-1+deb13u1_all.deb
 744dfb43df37026fc8f3db8e206da2ca864b9a1f 9077 python-authlib_1.6.0-1+deb13u1_all-buildd.buildinfo
 6e5048d677ba32c2d27fe87165fa1c881d3de755 123744 python3-authlib_1.6.0-1+deb13u1_all.deb
Checksums-Sha256:
 551cdacbbe14cfced4bc298969634121ef76bfaccc5d7da28617e7720668e39a 261044 python-authlib-doc_1.6.0-1+deb13u1_all.deb
 575b8fe23c29e662b409dff0294bfac89f7f08531f80dc1532bbbce478c976a0 9077 python-authlib_1.6.0-1+deb13u1_all-buildd.buildinfo
 86a4426d93b35b79e2e9311c7ac599a29265cdcf444fb7302fe6653e22125983 123744 python3-authlib_1.6.0-1+deb13u1_all.deb
Files:
 b52c4e063c3903858121c1a2dc305933 261044 doc optional python-authlib-doc_1.6.0-1+deb13u1_all.deb
 3d815a655069a9174bd76a2a04c15f92 9077 python optional python-authlib_1.6.0-1+deb13u1_all-buildd.buildinfo
 93dbbddc35b91fb2726b458bdba12499 123744 python optional python3-authlib_1.6.0-1+deb13u1_all.deb