Source: django-allauth
Version: 65.0.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for django-allauth.

CVE-2025-65430[0]:
| An issue was discovered in allauth-django before 65.13.0. IdP:
| marking a user as is_active=False after having handed tokens for
| that user while the account was still active had no effect. Fixed:
| the access/refresh tokens are now rejected.

CVE-2025-65431[1]:
| An issue was discovered in allauth-django before 65.13.0. Both Okta
| and NetIQ were using preferred_username as the identifier for
| third-party provider accounts. That value may be mutable and should
| therefore be avoided for authorization decisions. The providers are
| now using sub instead.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-65430
    https://www.cve.org/CVERecord?id=CVE-2025-65430
[1] https://security-tracker.debian.org/tracker/CVE-2025-65431
    https://www.cve.org/CVERecord?id=CVE-2025-65431
[2] https://allauth.org/news/2025/10/django-allauth-65.13.0-released/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
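The two defects described in the report, illustrated as an added example that is not django-allauth's code and does not depend on Django: a token validator that re-checks `is_active` at use time (the missing check behind CVE-2025-65430), and a provider-account lookup keyed on `sub` rather than `preferred_username` (the identifier choice behind CVE-2025-65431). All class and function names (`User`, `Token`, `validate_token`, `AccountStore`, `login_with_claims`, the demo functions) and the sample claims are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import time


@dataclass
class User:
    username: str
    is_active: bool = True


@dataclass
class Token:
    value: str
    user: User
    expires_at: float


class TokenRejected(Exception):
    """Raised when an access/refresh token must not be honoured."""


def validate_token(token: Token, now: Optional[float] = None) -> User:
    """Accept a token only if it is unexpired AND its user is still active.

    CVE-2025-65430 is the absence of the second check: a token issued while
    the account was active kept working after is_active was set to False.
    """
    now = time.time() if now is None else now
    if now >= token.expires_at:
        raise TokenRejected("token expired")
    if not token.user.is_active:
        raise TokenRejected("user is inactive")
    return token.user


def demo_token_rejection() -> Tuple[bool, bool]:
    """Returns (accepted_while_active, rejected_after_deactivation)."""
    user = User("alice")
    token = Token("opaque-token-1", user, expires_at=2000.0)  # constructed sample
    accepted_before = validate_token(token, now=1000.0) is user
    user.is_active = False  # administrator deactivates the account later
    try:
        validate_token(token, now=1000.0)
        rejected_after = False
    except TokenRejected:
        rejected_after = True
    return accepted_before, rejected_after


@dataclass
class ProviderAccount:
    provider: str
    uid: str  # identifier taken from the IdP's claims
    user: User


class AccountStore:
    """Maps (provider, uid) to the linked local user."""

    def __init__(self) -> None:
        self._accounts: Dict[Tuple[str, str], ProviderAccount] = {}

    def lookup(self, provider: str, uid: str) -> Optional[ProviderAccount]:
        return self._accounts.get((provider, uid))

    def link(self, provider: str, uid: str, user: User) -> ProviderAccount:
        acct = ProviderAccount(provider, uid, user)
        self._accounts[(provider, uid)] = acct
        return acct


def extract_uid(claims: dict, use_sub: bool) -> str:
    """Choose the claim used as the provider-account identifier.

    `sub` is the IdP's stable subject identifier; `preferred_username` is a
    display value the IdP may change or reassign (CVE-2025-65431).
    """
    return claims["sub"] if use_sub else claims["preferred_username"]


def login_with_claims(store: AccountStore, provider: str, claims: dict,
                      use_sub: bool) -> ProviderAccount:
    """Return the linked account for these claims, linking a new local user if none exists."""
    uid = extract_uid(claims, use_sub)
    acct = store.lookup(provider, uid)
    if acct is None:
        acct = store.link(provider, uid, User(claims["preferred_username"]))
    return acct


def demo_identifier_choice(use_sub: bool) -> bool:
    """Constructed scenario: a second IdP subject later presents the first
    subject's old preferred_username. Returns True if the second login lands
    in the first subject's local account (the mutable-identifier failure)."""
    store = AccountStore()
    first = {"sub": "sub-1111", "preferred_username": "alice"}
    second = {"sub": "sub-2222", "preferred_username": "alice"}  # different subject
    first_acct = login_with_claims(store, "okta", first, use_sub)
    second_acct = login_with_claims(store, "okta", second, use_sub)
    return second_acct.user is first_acct.user


if __name__ == "__main__":
    print("token rejection (accepted before, rejected after):", demo_token_rejection())
    print("keyed on preferred_username, accounts collide:", demo_identifier_choice(False))
    print("keyed on sub, accounts collide:", demo_identifier_choice(True))
```

The point for a packager or auditor is that both checks are enforced at the moment of use: `validate_token` consults the user's current `is_active` flag rather than trusting the token's issuance-time state, and `login_with_claims` keys the provider account on a claim the IdP guarantees to be stable for that subject.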

