Groups | Search | Server Info | Login | Register

Groups > linux.debian.announce.security > #4826

[SECURITY] [DSA 6259-1] pyjwt security update

From Moritz Muehlenhoff <jmm@debian.org>
Newsgroups linux.debian.announce.security
Subject [SECURITY] [DSA 6259-1] pyjwt security update
Date 2026-05-09 13:40 +0200
Message-ID <MSOch-3Q7N-5@gated-at.bofh.it> (permalink)
Organization linux.* mail to news gateway

Show all headers | View raw

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6259-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 09, 2026                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pyjwt
CVE ID         : CVE-2026-32597

It was discovered that PyJWT, a Python implementation of JSON web tokens
insufficiently validated the "crit" header parameter, which could result
in incomplete enforcement of authentication settings.

For the oldstable distribution (bookworm), this problem has been fixed
in version 2.6.0-1+deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 2.10.1-2+deb13u1.

We recommend that you upgrade your pyjwt packages.

For the detailed security status of pyjwt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pyjwt

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmn/FOYACgkQEMKTtsN8
Tja3pBAAsSibOKFZHJEqwDtI3GTVsBlDVXvKGUkfblf7ybb210vCpNJInLUSHVCQ
FYtvJWUFtPm3117MLWoKGLIqOP1hWwQ8XFk3mVPtx0iORVUNIfAz6hOO0lnn9Ews
8ddgzgywnPu63uYc4kGIOO6ce/BgL80Naj7XrW/zmcQHbC4QU6NpRlHKAkTHAQgf
CMgiokSDswJd9STambZw0tJ4yT2jJ8V76S6rbEDCwG9edPr/CTIQAeQNgcdBB6qs
HL/FQqNb3PsmO6eU5vnZ3W6uhR0m5WoUb8/MiK2k0x4ieoqE/baCwZ/BzyzTZpC2
J+xOPXJ7UbCWGkAtKmhE+vYJ3ZkKHlgKzIijtzqaHlCISsUBCTb9JNZaAI+qFkA0
XpZujp+gevpqtlIyNG7zPe4dL1hZo1ahQ53R21n6DhtdwQSG/60lCk9dZpBN2H+g
Kz8EHsz8Bu7Pzb9waTUQJQ97zrB6XR2u033mpV/AOsdfGHRIWbpYB9MzX5ZSB3+i
gqH6+TbqOuEub9uevdwvKdNCP5rxZZ30xdGGLY5iLMjtd/b8IHkbbGt2qc7fQXIy
bUv19vRGqTTYFyRr7eMx6RWCy+22aBuNEJQz9A8kTrMS6wEISN6AflP7f/aaaNfI
QQOFlU2k0c0txNcziLAKlWqVj867nYbGMHFwjWz/U9Z3jv1J234=
=lubJ
-----END PGP SIGNATURE-----

Back to linux.debian.announce.security | Previous | Next | Find similar

Thread

[SECURITY] [DSA 6259-1] pyjwt security update Moritz Muehlenhoff <jmm@debian.org> - 2026-05-09 13:40 +0200

csiph-web