Your message dated Thu, 25 Jun 2026 09:18:50 +0000
with message-id <[email protected]>
and subject line Bug#1133006: fixed in python-jwcrypto 1.5.6-1.1
has caused the Debian Bug report #1133006,
regarding python-jwcrypto: CVE-2026-39373
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1133006: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133006
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-jwcrypto
Version: 1.5.6-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-jwcrypto.

CVE-2026-39373[0]:
| JWCrypto implements JWK, JWS, and JWE specifications using python-
| cryptography. Prior to 1.5.7, an unauthenticated attacker can
| exhaust server memory by sending crafted JWE tokens with ZIP
| compression. The existing patch for CVE-2024-28102 limits input
| token size to 250KB but does not validate the decompressed output
| size. An unauthenticated attacker can cause memory exhaustion on
| memory-constrained systems. A token under the 250KB input limit can
| decompress to approximately 100MB. This vulnerability is fixed in
| 1.5.7.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-39373
    https://www.cve.org/CVERecord?id=CVE-2026-39373
[1] https://github.com/latchset/jwcrypto/security/advisories/GHSA-fjrm-76x2-c4q4
[2] https://github.com/latchset/jwcrypto/commit/25db861d8b29434838669a94a843af03d29ea6ed

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
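The failure mode in the report above is a classic decompression bomb: the input-size cap (250KB) bounds what the attacker sends, not what the server allocates when it inflates. JWE with "zip":"DEF" carries raw DEFLATE (RFC 1951, no zlib header) that is inflated after decryption. The following is an added example, not code from the jwcrypto project and not the upstream fix referenced in [1]/[2]; it shows the unsafe "cap input, inflate freely" pattern beside a bounded inflate that uses zlib's max_length to refuse oversized output without materialising it. The constants MAX_COMPRESSED_BYTES and MAX_DECOMPRESSED_BYTES, the function names, and the 16 MiB constructed bomb are this example's own choices.

```python
import zlib

# Limits used by this example only; they are not jwcrypto's constants.
MAX_COMPRESSED_BYTES = 250 * 1024        # input cap, as described in the CVE text
MAX_DECOMPRESSED_BYTES = 1024 * 1024     # output cap chosen for this example


class DecompressionBombError(ValueError):
    """Raised when a DEFLATE stream would inflate past the configured cap."""


def deflate_raw(plaintext: bytes) -> bytes:
    """Raw DEFLATE (RFC 1951, no zlib header), the encoding JWE uses for zip=DEF."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(plaintext) + c.flush()


def inflate_unbounded(data: bytes) -> bytes:
    """The unsafe pattern: cap the compressed input, then inflate without a limit."""
    if len(data) > MAX_COMPRESSED_BYTES:
        raise ValueError("compressed input too large")
    return zlib.decompress(data, wbits=-15)


def inflate_bounded(data: bytes, max_out: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Inflate a raw DEFLATE stream, refusing to produce more than max_out bytes.

    decompressobj().decompress(data, max_length) stops once max_length output
    bytes exist, so asking for max_out + 1 bytes reveals whether the stream
    wants to exceed the cap while allocating at most max_out + 1 bytes.
    """
    if len(data) > MAX_COMPRESSED_BYTES:
        raise ValueError("compressed input too large")
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, max_out + 1)
    if len(out) > max_out:
        raise DecompressionBombError(
            f"decompressed size exceeds {max_out} bytes; refusing to inflate")
    if not d.eof:
        # Output fit under the cap but the stream never reached its end marker.
        raise ValueError("truncated or malformed DEFLATE stream")
    return out


def build_bomb(size: int = 16 * 1024 * 1024) -> bytes:
    """Constructed hostile input: `size` zero bytes, which DEFLATE shrinks ~1000x."""
    return deflate_raw(b"\0" * size)


def demo() -> dict:
    """Run a legitimate payload and the bomb through both inflaters."""
    good = deflate_raw(b'{"sub":"alice","scope":"read"}')
    bomb = build_bomb()
    result = {
        "bomb_compressed_bytes": len(bomb),
        "bomb_under_input_cap": len(bomb) <= MAX_COMPRESSED_BYTES,
        # The unsafe path happily allocates the full 16 MiB.
        "unbounded_inflated_bytes": len(inflate_unbounded(bomb)),
        "bounded_good": inflate_bounded(good),
    }
    try:
        inflate_bounded(bomb)
        result["bounded_bomb"] = "accepted"
    except DecompressionBombError:
        result["bounded_bomb"] = "rejected"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The output cap should be sized for the plaintext you actually expect inside a JWE (a JWT claims set is typically well under a few kilobytes), and the check belongs on the decrypt path, since the compressed payload is only visible after the content is decrypted. Capping compressed input alone, as the CVE text notes, leaves the ratio unbounded.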
--- Begin Message ---
Source: python-jwcrypto
Source-Version: 1.5.6-1.1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-jwcrypto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated python-jwcrypto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 23 Jun 2026 17:17:46 +0300
Source: python-jwcrypto
Architecture: source
Version: 1.5.6-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1133006
Changes:
 python-jwcrypto (1.5.6-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2026-39373: JWT bomb Attack in deserialize (Closes: #1133006)
Checksums-Sha1:
 f76f631cbc0704db793c13a765ff1285c47b5df5 2126 python-jwcrypto_1.5.6-1.1.dsc
 bc2a60b3a2685a2edabf608e85067703cff0cee8 4628 python-jwcrypto_1.5.6-1.1.debian.tar.xz
Checksums-Sha256:
 7b15656b20961c7c61fecc8cf70e8e777b7ea5a5c3aa3dc274f7074fbc089db6 2126 python-jwcrypto_1.5.6-1.1.dsc
 132c218914d1e44cd316887dc39820a1c4178b8903cc226a4e0967f765c5b1e1 4628 python-jwcrypto_1.5.6-1.1.debian.tar.xz
Files:
 2203011c61a334108e8f3f7721fe2aef 2126 python optional python-jwcrypto_1.5.6-1.1.dsc
 83e6a54ce23ae6bd150bda2deba033fb 4628 python optional python-jwcrypto_1.5.6-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
