Your message dated Sun, 10 May 2026 09:32:50 +0000
with message-id <[email protected]>
and subject line Bug#1130662: fixed in pyjwt 2.10.1-2+deb13u1
has caused the Debian Bug report #1130662,
regarding pyjwt: CVE-2026-32597
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1130662: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130662
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pyjwt
Version: 2.11.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for pyjwt.

CVE-2026-32597[0]:
| PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0,
| PyJWT does not validate the crit (Critical) Header Parameter defined
| in RFC 7515 §4.1.11. When a JWS token contains a crit array listing
| extensions that PyJWT does not understand, the library accepts the
| token instead of rejecting it. This violates the MUST requirement in
| the RFC. This vulnerability is fixed in 2.12.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-32597
    https://www.cve.org/CVERecord?id=CVE-2026-32597
[1] https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f
[2] https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
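The RFC 7515 §4.1.11 rule that the CVE text above refers to is simple to state: if a JWS protected header carries a "crit" array, every name in it must be an extension the recipient understands, and a token naming anything else MUST be rejected. The following is an added, self-contained illustration of that check, written for this page; it is not pyjwt's own code, not the upstream fix, and not part of the bug report. It parses the protected header of a compact JWS itself (no pyjwt dependency) and deliberately does no signature verification, since the crit check is meant to run in addition to, not instead of, signature verification. The sample tokens and the hypothetical extension name "http://example.invalid/ext" are constructed; "b64" is the real extension registered by RFC 7797 and is used here only as an example of an extension an application might understand.

```python
import base64
import json

# Header Parameter names registered by RFC 7515 (JWS) and RFC 7516 (JWE).
# RFC 7515 §4.1.11 forbids listing any of these in "crit".
REGISTERED_HEADER_NAMES = frozenset({
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit",
    "enc", "zip", "epk", "apu", "apv", "iv", "tag", "p2s", "p2c",
})


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as used by JWS compact serialization."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def check_crit(header: dict, understood_extensions: frozenset) -> None:
    """Enforce RFC 7515 §4.1.11 on an already-parsed protected header.

    Raises ValueError when "crit" is malformed or names an extension this
    application does not understand. A header without "crit" passes as-is
    (the parameter is OPTIONAL).
    """
    if "crit" not in header:
        return
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        raise ValueError('"crit" must be a non-empty array')
    if not all(isinstance(name, str) for name in crit):
        raise ValueError('"crit" entries must be strings')
    if len(set(crit)) != len(crit):
        raise ValueError('"crit" must not contain duplicate names')
    for name in crit:
        if name in REGISTERED_HEADER_NAMES:
            raise ValueError(f'"crit" must not list registered header name {name!r}')
        if name not in header:
            raise ValueError(f'"crit" lists {name!r} but the header does not carry it')
        if name not in understood_extensions:
            # This is the branch the CVE is about: an unknown critical
            # extension must cause rejection, not silent acceptance.
            raise ValueError(f'unsupported critical extension {name!r}; token MUST be rejected')


def parse_protected_header(token: str, understood_extensions=frozenset()) -> dict:
    """Split a compact JWS, decode the protected header, and apply the crit check.

    Signature verification is intentionally out of scope here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    check_crit(header, frozenset(understood_extensions))
    return header


def make_unsigned_token(header: dict) -> str:
    """Build a compact-serialization token with an empty payload and a placeholder
    signature segment. Constructed purely to exercise the header check."""
    h = base64.urlsafe_b64encode(json.dumps(header, separators=(",", ":")).encode()).rstrip(b"=")
    p = base64.urlsafe_b64encode(b"{}").rstrip(b"=")
    return f"{h.decode()}.{p.decode()}.sig"


# Constructed sample tokens (hypothetical; not taken from the advisory).
TOKEN_PLAIN = make_unsigned_token({"alg": "HS256"})
TOKEN_UNKNOWN_CRIT = make_unsigned_token(
    {"alg": "HS256", "crit": ["http://example.invalid/ext"], "http://example.invalid/ext": True})
TOKEN_KNOWN_CRIT = make_unsigned_token({"alg": "HS256", "crit": ["b64"], "b64": False})


def accepts(token: str, understood=frozenset()) -> bool:
    """True if the header passes the crit check, False if the token would be rejected."""
    try:
        parse_protected_header(token, understood)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("plain token:", accepts(TOKEN_PLAIN))                                   # True
    print("unknown crit:", accepts(TOKEN_UNKNOWN_CRIT))                           # False
    print("b64 crit, b64 understood:", accepts(TOKEN_KNOWN_CRIT, frozenset({"b64"})))  # True
    print("b64 crit, b64 not understood:", accepts(TOKEN_KNOWN_CRIT))             # False
```

The set of understood extensions is passed in by the caller rather than hard-coded, because whether a given extension is "understood" is a property of the application, not of the JWS library: a library can only reject what nobody has told it about, and a deployment that never opts into any extension should see every "crit"-bearing token rejected.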
--- Begin Message ---
Source: pyjwt
Source-Version: 2.10.1-2+deb13u1
Done: Jochen Sprickerhof <[email protected]>

We believe that the bug you reported is fixed in the latest version of
pyjwt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jochen Sprickerhof <[email protected]> (supplier of updated pyjwt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Apr 2026 16:43:00 +0200
Source: pyjwt
Architecture: source
Version: 2.10.1-2+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Jochen Sprickerhof <[email protected]>
Closes: 1130662
Changes:
 pyjwt (2.10.1-2+deb13u1) trixie-security; urgency=medium
 .
   * Team upload
   * Fix CVE-2026-32597: PyJWT did not validate the crit (Critical) Header
     Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit
     array listing extensions that PyJWT does not understand, the library
     accepts the token instead of rejecting it. This violates the MUST
     requirement in the RFC. (Closes: #1130662)
Checksums-Sha1:
 d6d6dfc56e49467c04042c3a8a6e3a2f8add565b 2387 pyjwt_2.10.1-2+deb13u1.dsc
 32480aca964381c48a8d34ed501947ce5ebb6379 87172 pyjwt_2.10.1.orig.tar.gz
 8c80cbcae96be0928e176b78e8ad9ab8d9f2ddd3 7872 pyjwt_2.10.1-2+deb13u1.debian.tar.xz
 ba096eea69ada20975d82ad0bc4eeef0e0dd08e1 7239 pyjwt_2.10.1-2+deb13u1_source.buildinfo
Checksums-Sha256:
 ca3dab81ae322a3215de3565b9132544d55697a5a7f049b76e949743743715de 2387 pyjwt_2.10.1-2+deb13u1.dsc
 f1f537d12a83da1bb194f19474be5cb48ba772ffa46e21025928964ea504da52 87172 pyjwt_2.10.1.orig.tar.gz
 d23fe4cf1f22d5b23bf7460cb0060e03126e9de10d1238e6214a63eafa3c8785 7872 pyjwt_2.10.1-2+deb13u1.debian.tar.xz
 3a285033ec0031ae82ecc01a7cc0ac675a243168fcb4fe50968ce61c402f8688 7239 pyjwt_2.10.1-2+deb13u1_source.buildinfo
Files:
 ea54285ad0c16de1798c5a6eec860cbb 2387 python optional pyjwt_2.10.1-2+deb13u1.dsc
 ea9e1857990966e3258e598277a03572 87172 python optional pyjwt_2.10.1.orig.tar.gz
 746b397b9b8b103642099f808b92ce13 7872 python optional pyjwt_2.10.1-2+deb13u1.debian.tar.xz
 5efc696622f7e2e764193c06f8087576 7239 python optional pyjwt_2.10.1-2+deb13u1_source.buildinfo



--- End Message ---
