Bug#990812: marked as done (unblock: python-authlib/0.15.4-1)

To: Graham Inggs <ginggs@debian.org>
Subject: Bug#990812: marked as done (unblock: python-authlib/0.15.4-1)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 10 Jul 2021 08:21:03 +0000
Message-id: <[🔎] handler.990812.D990812.162590503625866.ackdone@bugs.debian.org>
Reply-to: 990812@bugs.debian.org
References: <CAM8zJQtQkNoUZ56Cy31DLBcqpQJZDMR9wHoJLKZGQK3zgvHH2A@mail.gmail.com> <[🔎] 20210708021922.na6og5nu5hb2u5pf@haydn.kardiogramm.net>

Your message dated Sat, 10 Jul 2021 10:17:01 +0200
with message-id <CAM8zJQtQkNoUZ56Cy31DLBcqpQJZDMR9wHoJLKZGQK3zgvHH2A@mail.gmail.com>
and subject line Re: Bug#990812: unblock: python-authlib/0.15.4-1
has caused the Debian Bug report #990812,
regarding unblock: python-authlib/0.15.4-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
990812: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990812
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: python-authlib/0.15.4-1
From: Stefano Rivera <stefanor@debian.org>
Date: Wed, 7 Jul 2021 22:19:22 -0400
Message-id: <[🔎] 20210708021922.na6og5nu5hb2u5pf@haydn.kardiogramm.net>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package python-authlib

[ Reason ]
Upstream made a security point release. No CVE.

[ Impact ]
Security vulnerability.

[ Tests ]
Added a unit test to cover the issue.

Package builds and tests pass.

[ Risks ]
Tiny diff, looks good.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock python-authlib/0.15.4-1

diff -Nru python-authlib-0.15.3/authlib/consts.py python-authlib-0.15.4/authlib/consts.py
--- python-authlib-0.15.3/authlib/consts.py	2021-01-15 09:51:55.000000000 -0400
+++ python-authlib-0.15.4/authlib/consts.py	2021-06-05 03:07:38.000000000 -0400
@@ -1,5 +1,5 @@
 name = 'Authlib'
-version = '0.15.3'
+version = '0.15.4'
 author = 'Hsiaoming Yang <me@lepture.com>'
 homepage = 'https://authlib.org/'
 default_user_agent = '{}/{} (+{})'.format(name, version, homepage)
diff -Nru python-authlib-0.15.3/authlib/jose/rfc7519/claims.py python-authlib-0.15.4/authlib/jose/rfc7519/claims.py
--- python-authlib-0.15.3/authlib/jose/rfc7519/claims.py	2021-01-15 09:51:55.000000000 -0400
+++ python-authlib-0.15.4/authlib/jose/rfc7519/claims.py	2021-06-05 03:07:38.000000000 -0400
@@ -58,10 +58,10 @@
 
     def _validate_claim_value(self, claim_name):
         option = self.options.get(claim_name)
-        value = self.get(claim_name)
-        if not option or not value:
+        if not option:
             return
 
+        value = self.get(claim_name)
         option_value = option.get('value')
         if option_value and value != option_value:
             raise InvalidClaimError(claim_name)
diff -Nru python-authlib-0.15.3/debian/changelog python-authlib-0.15.4/debian/changelog
--- python-authlib-0.15.3/debian/changelog	2021-01-20 14:21:23.000000000 -0400
+++ python-authlib-0.15.4/debian/changelog	2021-07-07 19:32:08.000000000 -0400
@@ -1,3 +1,9 @@
+python-authlib (0.15.4-1) unstable; urgency=medium
+
+  * New upstream point release, fixing a security issue.
+
+ -- Stefano Rivera <stefanor@debian.org>  Wed, 07 Jul 2021 19:32:08 -0400
+
 python-authlib (0.15.3-1) unstable; urgency=medium
 
   [ Stefano Rivera ]
diff -Nru python-authlib-0.15.3/tests/core/test_jose/test_jwt.py python-authlib-0.15.4/tests/core/test_jose/test_jwt.py
--- python-authlib-0.15.3/tests/core/test_jose/test_jwt.py	2021-01-15 09:51:55.000000000 -0400
+++ python-authlib-0.15.4/tests/core/test_jose/test_jwt.py	2021-06-05 03:07:38.000000000 -0400
@@ -73,6 +73,20 @@
             claims.validate,
         )
 
+    def test_validate_expected_issuer_received_None(self):
+        id_token = jwt.encode({'alg': 'HS256'}, {'iss': None, 'sub': None}, 'k')
+        claims_options = {
+            'iss': {
+                'essential': True,
+                'values': ['foo']
+            }
+        }
+        claims = jwt.decode(id_token, 'k', claims_options=claims_options)
+        self.assertRaises(
+            errors.InvalidClaimError,
+            claims.validate
+        )
+
     def test_validate_aud(self):
         id_token = jwt.encode({'alg': 'HS256'}, {'aud': 'foo'}, 'k')
         claims_options = {

--- End Message ---

--- Begin Message ---

To: Stefano Rivera <stefanor@debian.org>, 990812-done@bugs.debian.org

Subject: Re: Bug#990812: unblock: python-authlib/0.15.4-1

From: Graham Inggs <ginggs@debian.org>

Date: Sat, 10 Jul 2021 10:17:01 +0200

Message-id: <CAM8zJQtQkNoUZ56Cy31DLBcqpQJZDMR9wHoJLKZGQK3zgvHH2A@mail.gmail.com>

In-reply-to: <[🔎] 20210708021922.na6og5nu5hb2u5pf@haydn.kardiogramm.net>

References: <[🔎] 20210708021922.na6og5nu5hb2u5pf@haydn.kardiogramm.net>
On Thu, 8 Jul 2021 at 04:21, Stefano Rivera <stefanor@debian.org> wrote:
> Please unblock package python-authlib

python-authlib didn't need unblocking, but I've aged it so it can get in sooner
--- End Message ---

Reply to:

References:
- Bug#990812: unblock: python-authlib/0.15.4-1
  - From: Stefano Rivera <stefanor@debian.org>

Prev by Date: Bug#990866: marked as done (unblock: postgresql-13/13.3-1)
Next by Date: Bug#990875: unblock: kvirc/4:5.0.0+dfsg-5
Previous by thread: Bug#990812: unblock: python-authlib/0.15.4-1
Next by thread: Bug#989540: unblock: git/1:2.32.0-1
Index(es):
- Date
- Thread