Your message dated Sat, 10 Jul 2021 10:17:01 +0200
with message-id
<cam8zjqtqknouz56cy31dlbcqpqjzdmr9whojlkzgqk3zgvh...@mail.gmail.com>
and subject line Re: Bug#990812: unblock: python-authlib/0.15.4-1
has caused the Debian Bug report #990812,
regarding unblock: python-authlib/0.15.4-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
990812: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990812
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package python-authlib
[ Reason ]
Upstream made a security point release. No CVE.
[ Impact ]
Security vulnerability.
[ Tests ]
Added a unit test to cover the issue.
Package builds and tests pass.
[ Risks ]
Tiny diff, looks good.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock python-authlib/0.15.4-1
diff -Nru python-authlib-0.15.3/authlib/consts.py
python-authlib-0.15.4/authlib/consts.py
--- python-authlib-0.15.3/authlib/consts.py 2021-01-15 09:51:55.000000000
-0400
+++ python-authlib-0.15.4/authlib/consts.py 2021-06-05 03:07:38.000000000
-0400
@@ -1,5 +1,5 @@
name = 'Authlib'
-version = '0.15.3'
+version = '0.15.4'
author = 'Hsiaoming Yang <[email protected]>'
homepage = 'https://authlib.org/'
default_user_agent = '{}/{} (+{})'.format(name, version, homepage)
diff -Nru python-authlib-0.15.3/authlib/jose/rfc7519/claims.py
python-authlib-0.15.4/authlib/jose/rfc7519/claims.py
--- python-authlib-0.15.3/authlib/jose/rfc7519/claims.py 2021-01-15
09:51:55.000000000 -0400
+++ python-authlib-0.15.4/authlib/jose/rfc7519/claims.py 2021-06-05
03:07:38.000000000 -0400
@@ -58,10 +58,10 @@
def _validate_claim_value(self, claim_name):
option = self.options.get(claim_name)
- value = self.get(claim_name)
- if not option or not value:
+ if not option:
return
+ value = self.get(claim_name)
option_value = option.get('value')
if option_value and value != option_value:
raise InvalidClaimError(claim_name)
diff -Nru python-authlib-0.15.3/debian/changelog
python-authlib-0.15.4/debian/changelog
--- python-authlib-0.15.3/debian/changelog 2021-01-20 14:21:23.000000000
-0400
+++ python-authlib-0.15.4/debian/changelog 2021-07-07 19:32:08.000000000
-0400
@@ -1,3 +1,9 @@
+python-authlib (0.15.4-1) unstable; urgency=medium
+
+ * New upstream point release, fixing a security issue.
+
+ -- Stefano Rivera <[email protected]> Wed, 07 Jul 2021 19:32:08 -0400
+
python-authlib (0.15.3-1) unstable; urgency=medium
[ Stefano Rivera ]
diff -Nru python-authlib-0.15.3/tests/core/test_jose/test_jwt.py
python-authlib-0.15.4/tests/core/test_jose/test_jwt.py
--- python-authlib-0.15.3/tests/core/test_jose/test_jwt.py 2021-01-15
09:51:55.000000000 -0400
+++ python-authlib-0.15.4/tests/core/test_jose/test_jwt.py 2021-06-05
03:07:38.000000000 -0400
@@ -73,6 +73,20 @@
claims.validate,
)
+ def test_validate_expected_issuer_received_None(self):
+ id_token = jwt.encode({'alg': 'HS256'}, {'iss': None, 'sub': None},
'k')
+ claims_options = {
+ 'iss': {
+ 'essential': True,
+ 'values': ['foo']
+ }
+ }
+ claims = jwt.decode(id_token, 'k', claims_options=claims_options)
+ self.assertRaises(
+ errors.InvalidClaimError,
+ claims.validate
+ )
+
def test_validate_aud(self):
id_token = jwt.encode({'alg': 'HS256'}, {'aud': 'foo'}, 'k')
claims_options = {
--- End Message ---
--- Begin Message ---
On Thu, 8 Jul 2021 at 04:21, Stefano Rivera <[email protected]> wrote:
> Please unblock package python-authlib
python-authlib didn't need unblocking, but I've aged it so it can get in sooner
--- End Message ---
