Format: 1.8
Date: Tue, 28 Apr 2026 16:47:59 +0200
Source: pyjwt
Architecture: source
Version: 2.6.0-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Python Team
Changed-By: Jochen Sprickerhof
Closes: 1130662
Changes:
 pyjwt (2.6.0-1+deb12u1) bookworm-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2026-32597: PyJWT did not validate the crit (Critical) Header
     Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a
     crit array listing extensions that PyJWT does not understand, the
     library accepts the token instead of rejecting it. This violates the
     MUST requirement in the RFC. (Closes: #1130662)