Debian Patches
Status for python-jwcrypto/1.5.6-1.1
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 0001-Limit-max-plaintext-size-for-JWE-decompression.patch | Limit max plaintext size for JWE decompression. This change introduces a maximum plaintext size limit (defaulting to 100MB) during JWE decryption and updates the decompression logic to enforce it safely using zlib.decompressobj. The decrypt method now accepts a max_plaintext parameter to allow overriding the default limit. This mitigates memory exhaustion and decompression bomb attacks when processing highly compressed malicious JWE payloads. Fixes CVE-2026-39373 | Simo Sorce <simo@redhat.com> | no | | | 2026-04-06 |
All known versions for source package 'python-jwcrypto'
- 1.5.6-1.1 (sid)
- 1.5.6-1 (trixie, forky)
- 1.1.0-1+deb12u1 (bookworm)
