Your message dated Tue, 30 Jun 2026 18:17:10 +0000
with message-id <[email protected]>
and subject line Bug#1133006: fixed in python-jwcrypto 1.5.6-1.1~deb13u1
has caused the Debian Bug report #1133006,
regarding python-jwcrypto: CVE-2026-39373
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1133006: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133006
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-jwcrypto
Version: 1.5.6-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-jwcrypto.

CVE-2026-39373[0]:
| JWCrypto implements JWK, JWS, and JWE specifications using
| python-cryptography. Prior to 1.5.7, an unauthenticated attacker can
| exhaust server memory by sending crafted JWE tokens with ZIP
| compression. The existing patch for CVE-2024-28102 limits input
| token size to 250KB but does not validate the decompressed output
| size. An unauthenticated attacker can cause memory exhaustion on
| memory-constrained systems. A token under the 250KB input limit can
| decompress to approximately 100MB. This vulnerability is fixed in
| 1.5.7.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-39373
    https://www.cve.org/CVERecord?id=CVE-2026-39373
[1] https://github.com/latchset/jwcrypto/security/advisories/GHSA-fjrm-76x2-c4q4
[2] https://github.com/latchset/jwcrypto/commit/25db861d8b29434838669a94a843af03d29ea6ed

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
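The defect described in the report above is an input cap without an output cap. Below is an added example (not jwcrypto's code and not the upstream patch) of bounding the inflation of a JWE "zip":"DEF" payload so the output budget is enforced before memory is committed; MAX_DECOMPRESSED, the helper names and the 4 MiB zero-filled sample input are assumptions constructed for this illustration.

```python
import zlib

# Assumed limits for this example (not jwcrypto's own constants).
MAX_COMPRESSED = 250 * 1024     # input cap the report says already existed
MAX_DECOMPRESSED = 1024 * 1024  # hypothetical output cap for inflated payloads


class DecompressionLimitExceeded(ValueError):
    """Raised when inflating the payload would exceed the output budget."""


def inflate_bounded(data: bytes, max_out: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate raw DEFLATE (RFC 1951, as used by JWE "zip":"DEF") with an
    output budget. decompress(chunk, max_length) emits at most max_length
    bytes per call and parks the rest of the input in .unconsumed_tail, so
    the budget is checked before any oversized output is materialised."""
    if len(data) > MAX_COMPRESSED:
        raise DecompressionLimitExceeded("compressed input exceeds cap")
    d = zlib.decompressobj(wbits=-15)  # -15: raw DEFLATE, no zlib/gzip header
    out = bytearray()
    chunk = data
    while chunk:
        # Request one byte more than the remaining budget so a stream that
        # crosses the budget is detected on this call rather than later.
        room = max_out - len(out) + 1
        out += d.decompress(chunk, room)
        if len(out) > max_out:
            raise DecompressionLimitExceeded("decompressed output exceeds cap")
        chunk = d.unconsumed_tail
    out += d.flush()
    if len(out) > max_out:
        raise DecompressionLimitExceeded("decompressed output exceeds cap")
    return bytes(out)


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE compression, the inverse of inflate_bounded (for tests)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def within_budget(data: bytes, max_out: int = MAX_DECOMPRESSED) -> bool:
    """True if data inflates within budget, False if it would be rejected."""
    try:
        inflate_bounded(data, max_out)
        return True
    except DecompressionLimitExceeded:
        return False


# Constructed sample: 4 MiB of zeros compresses to a few KiB, far under the
# 250KB input cap, yet inflates past a 1 MiB output budget.
SAMPLE_BOMB = deflate_raw(b"\0" * (4 * 1024 * 1024))
```

Because the limit is applied per call of decompress(), the rejection happens after at most max_out + 1 bytes have been produced, independent of how small the compressed input is.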
--- Begin Message ---
Source: python-jwcrypto
Source-Version: 1.5.6-1.1~deb13u1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-jwcrypto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated python-jwcrypto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 27 Jun 2026 21:49:49 +0300
Source: python-jwcrypto
Architecture: source
Version: 1.5.6-1.1~deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian FreeIPA Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1133006
Changes:
 python-jwcrypto (1.5.6-1.1~deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for trixie.
 .
 python-jwcrypto (1.5.6-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2026-39373: JWT bomb Attack in deserialize (Closes: #1133006)



--- End Message ---