Your message dated Sun, 29 Mar 2026 13:49:38 +0000
with message-id <[email protected]>
and subject line Bug#1132165: fixed in libjwt3 3.3.2-1
has caused the Debian Bug report #1132165,
regarding libjwt3: CVE-2026-33996
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1132165: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132165
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libjwt3
Version: 3.2.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libjwt3.

CVE-2026-33996[0]:
| LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and
| prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect
| against a NULL value when expecting to parse JSON string values. A
| specially crafted JWK file could exploit this behavior by using
| integers in places where the code expected a string. This was fixed
| in v3.3.0. A workaround is available. Users importing keys through a
| JWK file should not do so from untrusted sources. Use the `jwk2key`
| tool to check for validity of a JWK file. Likewise, if possible, do
| not use JWK files with RSA-PSS keys.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33996
    https://www.cve.org/CVERecord?id=CVE-2026-33996
[1] https://github.com/benmcollins/libjwt/security/advisories/GHSA-ph96-hqpc-9f66
[2] https://github.com/benmcollins/libjwt/commit/cfd890286fa49ae61b534c937c9f0428b5c6034c

Regards,
Salvatore

--- End Message ---
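
The CVE text above describes JWK members holding integers where strings are expected. As an added example (not code from libjwt or from this bug report), the following pre-import check rejects a JWK or JWK Set whose string members have the wrong JSON type; the function names and the sample keys are constructed for illustration, and the member list follows RFC 7518.

```python
import json
import re

# RSA key members from RFC 7518 section 6.3; each is a base64url JSON string.
RSA_MEMBERS = ("n", "e", "d", "p", "q", "dp", "dq", "qi")
STRING_MEMBERS = ("kty", "alg", "use", "kid") + RSA_MEMBERS
B64URL = re.compile(r"[A-Za-z0-9_-]+")


def jwk_type_errors(jwk):
    """Return the problems found in one JWK object (empty list: none found)."""
    if not isinstance(jwk, dict):
        return ["JWK is not a JSON object"]
    errors = []
    for name in STRING_MEMBERS:
        if name not in jwk:
            continue
        value = jwk[name]
        if not isinstance(value, str):
            # The case from the CVE text: an integer (or null) where a string belongs.
            errors.append(f"{name}: expected string, got {type(value).__name__}")
        elif name in RSA_MEMBERS and not B64URL.fullmatch(value):
            errors.append(f"{name}: not base64url")
    if jwk.get("kty") == "RSA":
        errors += [f"{m}: required for RSA keys" for m in ("n", "e") if m not in jwk]
    return errors


def check_jwk_document(text):
    """Check a single JWK or a JWK Set; map key index -> errors for bad keys."""
    doc = json.loads(text)
    is_set = isinstance(doc, dict) and isinstance(doc.get("keys"), list)
    keys = doc["keys"] if is_set else [doc]
    report = {}
    for index, key in enumerate(keys):
        errors = jwk_type_errors(key)
        if errors:
            report[index] = errors
    return report


# Constructed sample: key 0 is well-typed, key 1 carries an integer modulus.
SAMPLE = json.dumps({"keys": [
    {"kty": "RSA", "alg": "PS256", "kid": "ok", "n": "sXchDaQebSXKcvL0", "e": "AQAB"},
    {"kty": "RSA", "alg": "PS256", "kid": "bad", "n": 12345, "e": "AQAB"},
]})

if __name__ == "__main__":
    print(check_jwk_document(SAMPLE) or "no type errors found")
```

A check like this sits in front of the key import for files from less trusted sources; it does not replace upgrading to the fixed version.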
--- Begin Message ---
Source: libjwt3
Source-Version: 3.3.2-1
Done: Benjamin Collins <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libjwt3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Collins <[email protected]> (supplier of updated libjwt3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 03 Mar 2026 01:25:44 +0000
Source: libjwt3
Architecture: source
Version: 3.3.2-1
Distribution: unstable
Urgency: medium
Maintainer: Benjamin Collins <[email protected]>
Changed-By: Benjamin Collins <[email protected]>
Closes: 1132165
Changes:
 libjwt3 (3.3.2-1) unstable; urgency=medium
 .
   * New upstream release
   * Sync debian/copyright with code
   * Closes: #1132165 for CVE-2026-33996

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---