Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:python-authlib
User: [email protected]
Usertags: pu
[ Reason ]
This update attempts to fix all open CVEs for python-authlib and close the gap between Bullseye and Sid/Forky.

[ Impact ]
If the update isn't approved, users will continue to be vulnerable to CVE-2025-59420, CVE-2025-61920, CVE-2025-62706, and CVE-2025-68158. Bullseye users upgrading to Trixie will become vulnerable again.

[ Tests ]
The tests enabled already cover all newly introduced test cases. All tests run successfully.

[ Risks ]
Some of the changes are trivial, but some are more complex. In general, there is the risk of regressions. Running the tests should hopefully prevent that, though.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
CVE-2025-59420.patch establishes an integrity protection for crit headers and rejects 'crit' in unprotected headers. The patch adds some tests for the new behavior.

CVE-2025-61920.patch adds some input size limitations and a few tests.

CVE-2025-62706.patch adds a size limitation for JWE zip=DEF decompression.

CVE-2025-68158.patch makes sure that an expiry marker is stored in the session alongside the cached data, and that the marker must be present before the state data is considered valid.
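The fixes listed under [ Changes ] come down to a few input-validation rules on JOSE objects and on cached session state. The Python below was written for this page as an illustration; it is not authlib's code and not the Debian patches. It shows one way to implement three of those rules: inflating a zip=DEF payload under a hard output ceiling, rejecting 'crit' outside the protected header and requiring every header it names to be protected and understood, and refusing cached state that carries no expiry marker. The byte limit, the TTL, the header-name sets and all function names are assumptions made for the example.

```python
"""Input-hardening checks of the kind the four CVE patches describe.

Example code written for this report, not authlib's own; limits, TTL and
helper names are assumptions."""
from __future__ import annotations

import time
import zlib

# Assumed ceiling on decompressed JWE plaintext (authlib's real limit is not stated here).
MAX_INFLATED_BYTES = 250_000
# Header names registered by RFC 7515/7516; RFC 7515 4.1.11 forbids listing them in 'crit'.
REGISTERED_HEADERS = frozenset({
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty",
    "crit", "enc", "zip", "epk", "apu", "apv", "iv", "tag", "p2s", "p2c",
})
# Critical extension header this example claims to understand (assumed).
UNDERSTOOD_CRIT = frozenset({"b64"})
# Assumed lifetime of cached OAuth state data.
STATE_TTL_SECONDS = 300


def deflate(plain: bytes) -> bytes:
    """Raw DEFLATE (RFC 1951), the encoding JWE zip=DEF uses; only for building inputs."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(plain) + c.flush()


def inflate_bounded(compressed: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate a zip=DEF payload without ever materialising more than `limit`
    bytes, so a few kilobytes of ciphertext cannot expand into gigabytes."""
    d = zlib.decompressobj(wbits=-15)  # raw DEFLATE, no zlib/gzip framing
    out = bytearray()
    pending = compressed
    while pending:
        # max_length caps this call's output; unprocessed input stays in unconsumed_tail.
        out += d.decompress(pending, max_length=limit + 1 - len(out))
        if len(out) > limit:
            raise ValueError(f"decompressed payload exceeds {limit} bytes")
        pending = d.unconsumed_tail
    if not d.eof:
        raise ValueError("truncated DEFLATE stream")
    return bytes(out)


def validate_crit(protected: dict, unprotected: dict | None = None) -> list[str]:
    """Enforce that 'crit' is integrity protected, names only protected
    extension headers, and lists nothing this implementation does not understand."""
    if unprotected and "crit" in unprotected:
        raise ValueError("'crit' in an unprotected header is rejected")
    crit = protected.get("crit")
    if crit is None:
        return []
    if not isinstance(crit, list) or not crit or not all(isinstance(n, str) for n in crit):
        raise ValueError("'crit' must be a non-empty array of strings")
    for name in crit:
        if name in REGISTERED_HEADERS:
            raise ValueError(f"'crit' may not list registered header {name!r}")
        if name not in protected:
            raise ValueError(f"critical header {name!r} is not integrity protected")
        if name not in UNDERSTOOD_CRIT:
            raise ValueError(f"critical header {name!r} is not understood")
    return list(crit)


def save_state(session: dict, key: str, data: dict, now: float | None = None) -> None:
    """Store state data together with an explicit expiry marker."""
    now = time.time() if now is None else now
    session[key] = {"data": data, "exp": now + STATE_TTL_SECONDS}


def load_state(session: dict, key: str, now: float | None = None) -> dict | None:
    """Return cached state only if its expiry marker is present and unexpired.
    An entry without a marker is treated as invalid, not as valid forever."""
    now = time.time() if now is None else now
    entry = session.pop(key, None)  # single use: the state is consumed on read
    if not isinstance(entry, dict) or "exp" not in entry or entry["exp"] < now:
        return None
    return entry["data"]


def rejected(fn, *args) -> bool:
    """True when fn(*args) raises ValueError; convenience for demonstrations."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal payload and a 2 MB run of zeros that deflates to a few bytes.
    print(inflate_bounded(deflate(b"hello")))
    print("bomb rejected:", rejected(inflate_bounded, deflate(b"\0" * 2_000_000)))
    print("crit in unprotected rejected:",
          rejected(validate_crit, {"alg": "HS256"}, {"crit": ["b64"]}))
    s: dict = {"legacy": {"data": {"nonce": "n"}}}  # entry written without a marker
    print("legacy state without marker:", load_state(s, "legacy"))
```

The decompression guard relies on `max_length`: the decompressor is asked for at most `limit + 1 - len(out)` bytes per call, so the check `len(out) > limit` fires before a second oversized chunk is ever allocated, and `unconsumed_tail` carries the rest of the input forward. The state helpers deliberately treat a missing `exp` marker as invalid rather than as unlimited, which is the point the CVE-2025-68158 description makes.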

