--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package python-authlib
[ Reason ]
Upstream made a security point release. No CVE.
[ Impact ]
Security vulnerability.
[ Tests ]
Added a unit test to cover the issue.
Package builds and tests pass.
[ Risks ]
Tiny diff, looks good.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock python-authlib/0.15.4-1
diff -Nru python-authlib-0.15.3/authlib/consts.py python-authlib-0.15.4/authlib/consts.py
--- python-authlib-0.15.3/authlib/consts.py 2021-01-15 09:51:55.000000000 -0400
+++ python-authlib-0.15.4/authlib/consts.py 2021-06-05 03:07:38.000000000 -0400
@@ -1,5 +1,5 @@
name = 'Authlib'
-version = '0.15.3'
+version = '0.15.4'
author = 'Hsiaoming Yang <me@lepture.com>'
homepage = 'https://authlib.org/'
default_user_agent = '{}/{} (+{})'.format(name, version, homepage)
diff -Nru python-authlib-0.15.3/authlib/jose/rfc7519/claims.py python-authlib-0.15.4/authlib/jose/rfc7519/claims.py
--- python-authlib-0.15.3/authlib/jose/rfc7519/claims.py 2021-01-15 09:51:55.000000000 -0400
+++ python-authlib-0.15.4/authlib/jose/rfc7519/claims.py 2021-06-05 03:07:38.000000000 -0400
@@ -58,10 +58,10 @@
def _validate_claim_value(self, claim_name):
option = self.options.get(claim_name)
- value = self.get(claim_name)
- if not option or not value:
+ if not option:
return
+ value = self.get(claim_name)
option_value = option.get('value')
if option_value and value != option_value:
raise InvalidClaimError(claim_name)
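Review bot: Nothing at `value = self.get(claim_name)` records why the old `not value` early return was removed, and a later cleanup could easily restore it; a comment such as `# Do not skip falsy values: a null or empty claim must still be compared with the expected value.` would pin the intent. With that guard gone, a claim that is absent from the token is presumably compared as well, if `self.get` returns None for a missing key. That would make an option carrying `value` for a non-essential claim raise InvalidClaimError when the claim is missing, which is worth stating in the docstring. The remaining `if option_value and value != option_value` test still skips the comparison when the configured expected value is itself falsy. The body of `_validate_claim_value` continues past the end of this hunk, so the `values` handling is not visible here.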
diff -Nru python-authlib-0.15.3/debian/changelog python-authlib-0.15.4/debian/changelog
--- python-authlib-0.15.3/debian/changelog 2021-01-20 14:21:23.000000000 -0400
+++ python-authlib-0.15.4/debian/changelog 2021-07-07 19:32:08.000000000 -0400
@@ -1,3 +1,9 @@
+python-authlib (0.15.4-1) unstable; urgency=medium
+
+ * New upstream point release, fixing a security issue.
+
+ -- Stefano Rivera <stefanor@debian.org> Wed, 07 Jul 2021 19:32:08 -0400
+
python-authlib (0.15.3-1) unstable; urgency=medium
[ Stefano Rivera ]
diff -Nru python-authlib-0.15.3/tests/core/test_jose/test_jwt.py python-authlib-0.15.4/tests/core/test_jose/test_jwt.py
--- python-authlib-0.15.3/tests/core/test_jose/test_jwt.py 2021-01-15 09:51:55.000000000 -0400
+++ python-authlib-0.15.4/tests/core/test_jose/test_jwt.py 2021-06-05 03:07:38.000000000 -0400
@@ -73,6 +73,20 @@
claims.validate,
)
+ def test_validate_expected_issuer_received_None(self):
+ id_token = jwt.encode({'alg': 'HS256'}, {'iss': None, 'sub': None}, 'k')
+ claims_options = {
+ 'iss': {
+ 'essential': True,
+ 'values': ['foo']
+ }
+ }
+ claims = jwt.decode(id_token, 'k', claims_options=claims_options)
+ self.assertRaises(
+ errors.InvalidClaimError,
+ claims.validate
+ )
+
def test_validate_aud(self):
id_token = jwt.encode({'alg': 'HS256'}, {'aud': 'foo'}, 'k')
claims_options = {
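Review bot: The added test `test_validate_expected_issuer_received_None` exercises only the `values` option with a `None` issuer. The singular `value` comparison, which the claims.py change makes reachable for falsy claims, is not covered, and neither is an empty-string claim. The `'sub': None` entry in the payload has no matching claim option, so nothing is asserted about it. A companion test along the lines below would pin the `value` path and a second falsy input, using only the calls already present in this test.

```python
    def test_validate_expected_issuer_value_received_falsy(self):
        # Constructed sample inputs: each falsy issuer must be rejected.
        for received in (None, ''):
            id_token = jwt.encode({'alg': 'HS256'}, {'iss': received}, 'k')
            claims_options = {
                'iss': {
                    'essential': True,
                    'value': 'foo'
                }
            }
            claims = jwt.decode(id_token, 'k', claims_options=claims_options)
            self.assertRaises(
                errors.InvalidClaimError,
                claims.validate
            )
```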
--- End Message ---