File _patchinfo of Package patchinfo.43208

<patchinfo incident="43208">
  <!--generated with prepare-update from request 403754-->
  <issue tracker="bnc" id="1259736">VUL-0: CVE-2026-28490: python-Authlib: cryptographic padding oracle in JWE RSA1_5 key management algorithm</issue>
  <issue tracker="bnc" id="1259737">VUL-0: CVE-2026-28498: python-Authlib: fail-open in behavior OIDC hash validation allows for bypass mandatory integrity protections</issue>
  <issue tracker="bnc" id="1259738">VUL-0: CVE-2026-27962: python-Authlib: JWS `deserialize_compact()` allows for signature bypass by accepting user-controlled embedded JWK as verification key</issue>
  <issue tracker="cve" id="2026-27962"/>
  <issue tracker="cve" id="2026-28490"/>
  <issue tracker="cve" id="2026-28498"/>
  <category>security</category>
  <rating>critical</rating>
  <packager>nkrapp</packager>
  <summary>Security update for python-Authlib</summary>
  <description>This update for python-Authlib fixes the following issues:

- CVE-2026-27962: JWS `deserialize_compact()` allows for signature bypass by accepting a user-controlled embedded JWK
  as the verification key (bsc#1259738).
- CVE-2026-28490: cryptographic padding oracle in JWE RSA1_5 key management algorithm (bsc#1259736).
- CVE-2026-28498: fail-open behavior in OIDC hash validation allows for bypass of mandatory integrity protections
  (bsc#1259737).
</description>
</patchinfo>