Your message dated Sun, 10 May 2026 09:34:15 +0000
with message-id <[email protected]>
and subject line Bug#1130662: fixed in pyjwt 2.6.0-1+deb12u1
has caused the Debian Bug report #1130662,
regarding pyjwt: CVE-2026-32597
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1130662: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130662
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pyjwt
Version: 2.11.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for pyjwt.
CVE-2026-32597[0]:
| PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0,
| PyJWT does not validate the crit (Critical) Header Parameter defined
| in RFC 7515 §4.1.11. When a JWS token contains a crit array listing
| extensions that PyJWT does not understand, the library accepts the
| token instead of rejecting it. This violates the MUST requirement in
| the RFC. This vulnerability is fixed in 2.12.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-32597
https://www.cve.org/CVERecord?id=CVE-2026-32597
[1] https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f
[2] https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
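The RFC 7515 §4.1.11 rule the advisory refers to, seen from a verifier: a JWS whose `crit` array names an extension the recipient does not understand MUST be rejected. The following is an added illustration, not PyJWT's code or the Debian patch. It is a stdlib-only HS256 verifier that enforces `crit` on the protected header; the key, the extension name `http://example.invalid/needs-ack` and the four tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import FrozenSet, Optional

# Header Parameter names registered by RFC 7515 for JWS. Per section 4.1.11 a
# producer MUST NOT list these in "crit", so a verifier treats them as malformed.
RFC7515_REGISTERED = frozenset({
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit",
})


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_crit(header: dict, supported: FrozenSet[str]) -> Optional[str]:
    """Return None if "crit" is absent or fully understood, else the reason to reject."""
    if "crit" not in header:
        return None
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        return "crit must be a non-empty array"
    if any(not isinstance(name, str) or not name for name in crit):
        return "crit entries must be non-empty strings"
    if len(set(crit)) != len(crit):
        return "crit contains duplicate names"
    for name in crit:
        if name in RFC7515_REGISTERED:
            return "crit must not list registered header parameter %r" % name
        if name not in header:
            return "crit lists %r but the header does not carry it" % name
        if name not in supported:
            # The MUST in RFC 7515 section 4.1.11: an extension we do not understand is fatal.
            return "unsupported critical extension %r" % name
    return None


def verify_hs256(token: str, key: bytes, supported: FrozenSet[str] = frozenset()) -> dict:
    """Verify an HS256 compact JWS and enforce crit; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # The header is integrity-protected, so crit is checked after the signature
    # but before any claim is handed back to the caller.
    reason = check_crit(header, supported)
    if reason is not None:
        raise ValueError("rejected: " + reason)
    return json.loads(b64url_decode(payload_b64))


def rejection_reason(token: str, key: bytes, supported: FrozenSet[str] = frozenset()) -> Optional[str]:
    """The ValueError text if the token is rejected, else None."""
    try:
        verify_hs256(token, key, supported)
    except ValueError as exc:
        return str(exc)
    return None


def make_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Produce a compact JWS for the constructed demo tokens below."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    return h + "." + p + "." + b64url_encode(sig)


# Constructed demo material: key, a hypothetical extension name, and four tokens.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
EXT = "http://example.invalid/needs-ack"
PAYLOAD = {"sub": "alice"}
TOKEN_PLAIN = make_hs256({"alg": "HS256", "typ": "JWT"}, PAYLOAD, DEMO_KEY)
TOKEN_CRIT = make_hs256({"alg": "HS256", "crit": [EXT], EXT: True}, PAYLOAD, DEMO_KEY)
TOKEN_CRIT_ALG = make_hs256({"alg": "HS256", "crit": ["alg"]}, PAYLOAD, DEMO_KEY)
TOKEN_CRIT_MISSING = make_hs256({"alg": "HS256", "crit": [EXT]}, PAYLOAD, DEMO_KEY)

if __name__ == "__main__":
    print("no crit:            ", verify_hs256(TOKEN_PLAIN, DEMO_KEY))
    print("crit understood:    ", verify_hs256(TOKEN_CRIT, DEMO_KEY, frozenset({EXT})))
    print("crit not understood:", rejection_reason(TOKEN_CRIT, DEMO_KEY))
    print("crit lists alg:     ", rejection_reason(TOKEN_CRIT_ALG, DEMO_KEY))
    print("crit names absent:  ", rejection_reason(TOKEN_CRIT_MISSING, DEMO_KEY))
```

The pre-fix behaviour the CVE text describes corresponds to skipping `check_crit` entirely: the signature is valid, so the token is accepted even though the producer marked an extension as mandatory to understand. The set of understood extensions is passed in by the caller on purpose; a library cannot know which application-level extensions its user has implemented, so "understood" must be an explicit allow-list rather than a default of accepting everything.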
--- Begin Message ---
Source: pyjwt
Source-Version: 2.6.0-1+deb12u1
Done: Jochen Sprickerhof <[email protected]>
We believe that the bug you reported is fixed in the latest version of
pyjwt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jochen Sprickerhof <[email protected]> (supplier of updated pyjwt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 28 Apr 2026 16:47:59 +0200
Source: pyjwt
Architecture: source
Version: 2.6.0-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Python Team <[email protected]>
Changed-By: Jochen Sprickerhof <[email protected]>
Closes: 1130662
Changes:
pyjwt (2.6.0-1+deb12u1) bookworm-security; urgency=high
.
* Team upload.
* Fix CVE-2026-32597: PyJWT did not validate the crit (Critical) Header
Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit
array listing extensions that PyJWT does not understand, the library
accepts the token instead of rejecting it. This violates the MUST
requirement in the RFC. (Closes: #1130662)
Checksums-Sha1:
58c3ef79830bdad7e6bec01d8f63feb6ceb0df73 2261 pyjwt_2.6.0-1+deb12u1.dsc
014819b05552f6ed1696738e80fcdfc3b044ea79 72984 pyjwt_2.6.0.orig.tar.gz
35e32d6c298f8526d329f6cf791e60947f10ca76 6456 pyjwt_2.6.0-1+deb12u1.debian.tar.xz
5d3e6bb62916ac2eec8368c8195e1906843a07e0 7235 pyjwt_2.6.0-1+deb12u1_source.buildinfo
Checksums-Sha256:
d8b1ce01c1a767b4fdb9d57fe52475d28c7b5f3ca1f6f2e44ab87a2c9b84d4a5 2261 pyjwt_2.6.0-1+deb12u1.dsc
69285c7e31fc44f68a1feb309e948e0df53259d579295e6cfe2b1792329f05fd 72984 pyjwt_2.6.0.orig.tar.gz
9beff2b49c616dffef58afc933c75ce49c467806c194e4c6d5ff8aab445292cd 6456 pyjwt_2.6.0-1+deb12u1.debian.tar.xz
24b24ccb98d19760d1a8bab6d9acaadac676d21860d82b2eedb207362c05f02f 7235 pyjwt_2.6.0-1+deb12u1_source.buildinfo
Files:
8770fdf629e71bf5b0c879b9c8f231e1 2261 python optional pyjwt_2.6.0-1+deb12u1.dsc
aeed6d3a581ae383b2288a2079fa562d 72984 python optional pyjwt_2.6.0.orig.tar.gz
171ae958e8db8396778e111a2a06f4b7 6456 python optional pyjwt_2.6.0-1+deb12u1.debian.tar.xz
50411e2d94b5e6fff904bc82a00a99b6 7235 python optional pyjwt_2.6.0-1+deb12u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
pgp9EopsfQy44.pgp
Description: PGP signature
--- End Message ---