[SECURITY] [DSA 6259-1] pyjwt security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 6259-1] pyjwt security update
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Sat, 9 May 2026 11:35:27 +0000
Message-id: <[🔎] af8b_wGNhvDr0tDD@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6259-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 09, 2026                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pyjwt
CVE ID         : CVE-2026-32597

It was discovered that PyJWT, a Python implementation of JSON web tokens
insufficiently validated the "crit" header parameter, which could result
in incomplete enforcement of authentication settings.

For the oldstable distribution (bookworm), this problem has been fixed
in version 2.6.0-1+deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 2.10.1-2+deb13u1.

We recommend that you upgrade your pyjwt packages.

For the detailed security status of pyjwt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pyjwt

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmn/FOYACgkQEMKTtsN8
Tja3pBAAsSibOKFZHJEqwDtI3GTVsBlDVXvKGUkfblf7ybb210vCpNJInLUSHVCQ
FYtvJWUFtPm3117MLWoKGLIqOP1hWwQ8XFk3mVPtx0iORVUNIfAz6hOO0lnn9Ews
8ddgzgywnPu63uYc4kGIOO6ce/BgL80Naj7XrW/zmcQHbC4QU6NpRlHKAkTHAQgf
CMgiokSDswJd9STambZw0tJ4yT2jJ8V76S6rbEDCwG9edPr/CTIQAeQNgcdBB6qs
HL/FQqNb3PsmO6eU5vnZ3W6uhR0m5WoUb8/MiK2k0x4ieoqE/baCwZ/BzyzTZpC2
J+xOPXJ7UbCWGkAtKmhE+vYJ3ZkKHlgKzIijtzqaHlCISsUBCTb9JNZaAI+qFkA0
XpZujp+gevpqtlIyNG7zPe4dL1hZo1ahQ53R21n6DhtdwQSG/60lCk9dZpBN2H+g
Kz8EHsz8Bu7Pzb9waTUQJQ97zrB6XR2u033mpV/AOsdfGHRIWbpYB9MzX5ZSB3+i
gqH6+TbqOuEub9uevdwvKdNCP5rxZZ30xdGGLY5iLMjtd/b8IHkbbGt2qc7fQXIy
bUv19vRGqTTYFyRr7eMx6RWCy+22aBuNEJQz9A8kTrMS6wEISN6AflP7f/aaaNfI
QQOFlU2k0c0txNcziLAKlWqVj867nYbGMHFwjWz/U9Z3jv1J234=
=lubJ
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DSA 6258-1] linux security update
Next by Date: [SECURITY] [DSA 6260-1] tor security update
Previous by thread: [SECURITY] [DSA 6258-1] linux security update
Next by thread: [SECURITY] [DSA 6260-1] tor security update
Index(es):
- Date
- Thread