#1133006 python-jwcrypto: CVE-2026-39373

Package:
src:python-jwcrypto
Source:
src:python-jwcrypto
Submitter:
Salvatore Bonaccorso
Date:
2026-06-25 09:21:03 UTC
Severity:
normal
Tags:
#1133006#5
Date:
2026-04-08 18:48:41 UTC
From:
To:
Hi,

The following vulnerability was published for python-jwcrypto.

CVE-2026-39373[0]:
| JWCrypto implements JWK, JWS, and JWE specifications using python-
| cryptography. Prior to 1.5.7, an unauthenticated attacker can
| exhaust server memory by sending crafted JWE tokens with ZIP
| compression. The existing patch for CVE-2024-28102 limits input
| token size to 250KB but does not validate the decompressed output
| size. An unauthenticated attacker can cause memory exhaustion on
| memory-constrained systems. A token under the 250KB input limit can
| decompress to approximately 100MB. This vulnerability is fixed in
| 1.5.7.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-39373
https://www.cve.org/CVERecord?id=CVE-2026-39373
[1] https://github.com/latchset/jwcrypto/security/advisories/GHSA-fjrm-76x2-c4q4
[2] https://github.com/latchset/jwcrypto/commit/25db861d8b29434838669a94a843af03d29ea6ed

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

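The missing check the CVE text describes, as an added Python example (not jwcrypto's own code and not the upstream fix in [2]): a bounded raw-DEFLATE inflate that caps the decompressed output, exercised on a constructed claims payload and on a small, highly compressible token. The 250KB input cap is the page's figure; the 1MB output cap, the helper names and the fixtures are assumptions.

```python
import zlib

# Limits assumed for this example: the 250KB input cap is the figure from the
# CVE text; the 1MB output cap is a hypothetical value an application would pick.
MAX_TOKEN_BYTES = 250 * 1024
MAX_PLAINTEXT_BYTES = 1024 * 1024

class DecompressionLimitExceeded(ValueError):
    """Raised when a JWE payload would exceed the input or output cap."""

def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (RFC 1951), the encoding JWE's "zip":"DEF" header selects."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return comp.compress(data) + comp.flush()

def inflate_bounded(data: bytes, max_out: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Inflate incrementally, aborting as soon as output would exceed max_out."""
    # The input-size check alone is what the CVE-2024-28102 fix added; the
    # missing piece is bounding the bytes produced, enforced per chunk below.
    if len(data) > MAX_TOKEN_BYTES:
        raise DecompressionLimitExceeded("compressed input exceeds 250KB cap")
    d = zlib.decompressobj(-zlib.MAX_WBITS)
    out = bytearray()
    pending = data
    while True:
        # room is always >= 1 here; max_length=0 would mean "unlimited" to zlib.
        room = max_out + 1 - len(out)
        chunk = d.decompress(pending, room)
        out += chunk
        if len(out) > max_out:
            raise DecompressionLimitExceeded("decompressed output exceeds cap")
        pending = d.unconsumed_tail  # input zlib could not consume within room
        if d.eof or (not chunk and not pending):
            break
    if not d.eof:
        raise ValueError("truncated DEFLATE stream")
    return bytes(out)

def rejects(compressed: bytes) -> bool:
    """True if inflate_bounded refuses the payload on size grounds."""
    try:
        inflate_bounded(compressed)
    except DecompressionLimitExceeded:
        return True
    return False

# Constructed fixtures: a normal claims payload, and a token well under the
# input cap that inflates to 16MB (the CVE text cites ~100MB from under 250KB).
CLAIMS = deflate_raw(b'{"sub":"alice","iss":"https://idp.example","exp":1900000000}')
COMPRESSION_BOMB = deflate_raw(b"\0" * (16 * 1024 * 1024))
```

The oversized fixture is refused after at most 1MB+1 bytes have been produced, so peak memory stays near the cap regardless of how far the token would inflate.
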
#1133006#10
Date:
2026-06-23 14:38:05 UTC
From:
To:
Dear maintainer,

I've prepared an NMU for python-jwcrypto (versioned as 1.5.6-1.1)
and uploaded it to DELAYED/2. Please feel free to tell me if I
should cancel it.

cu
Adrian

#1133006#19
Date:
2026-06-25 09:18:50 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
python-jwcrypto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1133006@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated python-jwcrypto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 23 Jun 2026 17:17:46 +0300
Source: python-jwcrypto
Architecture: source
Version: 1.5.6-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1133006
Changes:
 python-jwcrypto (1.5.6-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2026-39373: JWT bomb Attack in deserialize (Closes: #1133006)