
Debian alert DLA-4352-1 (python-authlib)

From:  Daniel Leidert <dleidert@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 4352-1] python-authlib security update
Date:  Wed, 29 Oct 2025 04:26:49 +0100
Message-ID:  <b31ea4074e5e4cbdb67b60e47bb74c3df3f6e783.camel@debian.org>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4352-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Daniel Leidert
October 29, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-authlib
Version        : 0.15.4-1+deb11u1
CVE ID         : CVE-2024-37568 CVE-2025-59420 CVE-2025-61920 CVE-2025-62706

Multiple vulnerabilities have been found in python-authlib, a Python
library for OAuth and OpenID Connect servers.

CVE-2024-37568

    Unless an algorithm is specified in a jwt.decode call, HMAC
    verification is allowed with any asymmetric public key.

CVE-2025-59420

    Authlib’s JWS verification accepts tokens that declare unknown
    critical header parameters (crit), violating RFC 7515
    “must-understand” semantics. An attacker can craft a signed token
    with a critical header that strict verifiers reject but Authlib
    accepts. In mixed-language fleets, this enables split-brain
    verification and can lead to policy bypass, replay, or privilege
    escalation.

CVE-2025-61920

    Authlib’s JOSE implementation accepts unbounded JWS/JWT header and
    signature segments which can lead to a DoS during verification.

CVE-2025-62706

    Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression
    which can lead to a DoS.

For Debian 11 bullseye, these problems have been fixed in version
0.15.4-1+deb11u1.

We recommend that you upgrade your python-authlib packages.

For the detailed security status of python-authlib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-authlib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
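The four CVEs above are all failures of input policy on the JOSE layer rather than cryptographic breaks. The following is an added example, not Authlib's code and not part of the advisory: a deliberately small HS256 compact-JWS verifier built only on the Python standard library that applies the checks a hardened implementation needs at each of those points, namely an explicit algorithm allow-list plus a refusal to run HMAC with anything but a symmetric key (CVE-2024-37568), rejection of any unrecognised crit entry (CVE-2025-59420), a cap on every segment before decoding (CVE-2025-61920), and a bounded raw-DEFLATE inflate for zip=DEF (CVE-2025-62706). The size limits, the key_kind label, the secret and the sample tokens are all constructed for the example; the generalisation to an arbitrary allow-list and an arbitrary set of understood critical headers goes beyond the specific cases in the text.

```python
import base64
import hashlib
import hmac
import json
import zlib

# Limits chosen for this example; they are assumptions, not Authlib's settings.
MAX_SEGMENT_BYTES = 4096        # cap on each base64url segment of a compact JWS
MAX_INFLATED_BYTES = 64 * 1024  # cap on zip=DEF output


class JoseError(ValueError):
    """Raised for any token the hardened verifier refuses."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Mint a compact JWS with HS256; used here only to build sample tokens."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def check_header(header: dict, allowed_algs: frozenset, key_kind: str,
                 understood_crit: frozenset) -> None:
    """Apply the header policies the advisory's first two CVEs are about."""
    alg = header.get("alg")
    # CVE-2024-37568: only algorithms the caller explicitly allows, and an HMAC
    # alg is only valid with a shared secret (JWK kty "oct", the label assumed
    # here), never with the bytes of an asymmetric public key.
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise JoseError(f"alg {alg!r} is not in the allow-list")
    if alg.startswith("HS") and key_kind != "oct":
        raise JoseError("HMAC alg used with a non-symmetric key")
    # CVE-2025-59420: RFC 7515 section 4.1.11, every crit entry must be
    # understood by this verifier and must name a parameter that is present.
    if "crit" in header:
        crit = header["crit"]
        if not isinstance(crit, list) or not crit:
            raise JoseError("crit must be a non-empty array")
        for name in crit:
            if name not in understood_crit or name not in header:
                raise JoseError(f"unsupported critical header {name!r}")


def verify_hs256(token: str, secret: bytes, *, key_kind: str = "oct",
                 allowed_algs: frozenset = frozenset({"HS256"}),
                 understood_crit: frozenset = frozenset()) -> dict:
    """Verify a compact HS256 JWS and return its payload, or raise JoseError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JoseError("compact JWS needs exactly three segments")
    # CVE-2025-61920: bound every segment before decoding or hashing anything.
    for name, seg in zip(("header", "payload", "signature"), parts):
        if len(seg) > MAX_SEGMENT_BYTES:
            raise JoseError(f"{name} segment exceeds {MAX_SEGMENT_BYTES} bytes")
    header = json.loads(_b64url_decode(parts[0]))
    check_header(header, allowed_algs, key_kind, understood_crit)
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise JoseError("signature mismatch")
    return json.loads(_b64url_decode(parts[1]))


def inflate_bounded(data: bytes, max_out: int = MAX_INFLATED_BYTES) -> bytes:
    """Raw-DEFLATE inflate (RFC 1951, which is what zip=DEF means) capped at
    max_out. CVE-2025-62706: the ciphertext must not dictate memory use."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, max_out + 1)  # produce at most one byte too many
    if len(out) > max_out or d.unconsumed_tail:
        raise JoseError(f"inflated payload exceeds {max_out} bytes")
    return out


def rejected(fn) -> bool:
    """True when fn() raises JoseError; keeps the demo assertion-friendly."""
    try:
        fn()
    except JoseError:
        return True
    return False


def demo() -> dict:
    secret = b"constructed-shared-secret"  # sample value, not a real key
    good = sign_hs256({"alg": "HS256"}, {"sub": "alice"}, secret)
    crit = sign_hs256({"alg": "HS256", "crit": ["x-policy"], "x-policy": 1},
                      {"sub": "alice"}, secret)
    huge = sign_hs256({"alg": "HS256", "pad": "A" * 8000}, {"sub": "alice"}, secret)
    co = zlib.compressobj(wbits=-15)
    bomb = co.compress(b"\0" * 100_000) + co.flush()  # tiny input, large output
    return {
        "good": verify_hs256(good, secret),
        # same token, but the verifier was handed public-key bytes as "secret"
        "confusion": rejected(lambda: verify_hs256(good, secret, key_kind="RSA")),
        "crit": rejected(lambda: verify_hs256(crit, secret)),
        "oversized": rejected(lambda: verify_hs256(huge, secret)),
        "bomb": rejected(lambda: inflate_bounded(bomb, 4096)),
        "inflate_ok": len(inflate_bounded(bomb, 200_000)),
    }


if __name__ == "__main__":
    print(demo())
```

The ordering inside verify_hs256 is the point worth copying: size limits run before any base64 or JSON work, the header policy runs before the HMAC is computed, and the key kind is an input the caller asserts rather than something inferred from the token. A fleet where every verifier enforces the same crit and alg policy is what closes the split-brain case the advisory describes.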


Attachment: signature.asc (type=application/pgp-signature)

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmkBiXkACgkQS80FZ8KW
0F28JRAAs6gpNzhmqzgqARRKUtUCaBw8c5cRov3pm9lr8xbx2SrLAVkwyea47LJS
MkT3uXllnObDZ8Wt8++Kr5Du8yYGQLt/KZxXTcYCWSSvGjaoi4zpFPM0ZbZ9vZF9
f0bTiE54KQECVTc8W/RfPuPuoeg+yjQI7VayPf+bn2alp198Agiduiw/KrsJtOTM
Fxp27aMwTWFzPj4ZqEHoXHJFh0qc5xJIu5aE/abVjW248K/5uu9gc4kAEJO1zTIO
mN/yFTjOXdmEUfZmRUXYxNtZ3hQ2AhG8q+uU5mr2xdIwzYPcgOq7BYABbsU4Wkrw
c+7waGHb9Jn7RfJNITmAq7gMn1pdWAgr1PQdVTRId4wQjwDLtephEZrrPj0xwY6Y
ZamgIv+U6VzS1E3d+bjjfVYueZh89aQe8szdovWq17fYNeU1WFjQa0g2IR5Jlcrj
NfN/UF1keApIMtgaB4CLMO43eDUwuDheQUfITmbv70qBRbpcIE8yEInml8U+MPQ/
6wAprikFm9wcxwaZa8lfzhicIcvg4OD/uTUoVpXckU9S9fkJClKd0NNvzEVMkuc8
+ltF2TV3ct79N7HPx6D8WyBTioB45FBi9C4W0eH+o+yKifb88CQXSTmuv1ZfVbs6
HVAn1W5rTQs1MHEN6VT/RtVhfZpnBowVNF+GYFnzwiZYRW/xp5k=
=61aP
-----END PGP SIGNATURE-----




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds