python-authlib (0.15.5-1ubuntu0.1~esm1) jammy-security; urgency=medium

  * SECURITY UPDATE: JWT algorithm confusion due to missing verification
    algorithm enforcement
    - debian/patches/CVE-2024-37568.patch: Block asymmetric key material in
      `OctKey.import_key()` via unsafe key prefix checks in
      authlib/jose/rfc7518/oct_key.py
    - CVE-2024-37568
  * SECURITY UPDATE: Improper JWS critical header validation due to violating
    RFC 7515 semantics
    - debian/patches/CVE-2025-59420.patch: Add strict `crit` header enforcement
      in authlib/jose/rfc7515/jws.py and introduce
      `InvalidCritHeaderParameterNameError` in authlib/jose/errors.py
    - CVE-2025-59420
  * SECURITY UPDATE: Denial of service due to unbounded JWS/JWT segment size
    handling
    - debian/patches/CVE-2025-61920.patch: Enforce JWS input length limits
      (`MAX_CONTENT_LENGTH`) in authlib/jose/rfc7515/jws.py and
      authlib/jose/util.py
    - CVE-2025-61920
  * SECURITY UPDATE: Denial of service due to unbounded DEFLATE decompression
    of JWE compressed payload
    - debian/patches/CVE-2025-62706.patch: Bound JWE `zip=DEF` decompression
      using `MAX_SIZE` in authlib/jose/rfc7518/jwe_zips.py
    - CVE-2025-62706

 -- Shafayat Hossain Majumder <shafayat.majumder@canonical.com>  Wed, 18 Feb 2026 15:25:31 -0500

python-authlib (0.15.5-1) unstable; urgency=medium

  * New upstream release.
  * Drop patch werkzeug-2.0.0, superseded upstream.

 -- Stefano Rivera <stefanor@debian.org>  Tue, 19 Oct 2021 20:45:42 -0700

python-authlib (0.15.4-2) unstable; urgency=medium

  * Patch: Support werkzeug >= 2.0.0.
  * Bump Standards-Version to 4.6.0, no changes needed.
  * Bump debhelper compat level to 13.

 -- Stefano Rivera <stefanor@debian.org>  Tue, 12 Oct 2021 00:54:43 -0700

python-authlib (0.15.4-1) unstable; urgency=medium

  * New upstream point release, fixing a security issue.

 -- Stefano Rivera <stefanor@debian.org>  Wed, 07 Jul 2021 19:32:08 -0400

python-authlib (0.15.3-1) unstable; urgency=medium

  [ Stefano Rivera ]
  * New upstream release.
  * Bump Standards-Version to 4.5.1, no changes needed.
  * Bump copyright years.

  [ Debian Janitor ]
  * Set upstream metadata fields: Repository.

 -- Stefano Rivera <stefanor@debian.org>  Wed, 20 Jan 2021 11:21:23 -0700

python-authlib (0.15.2-1) unstable; urgency=medium

  * New upstream release.
  * Add upstream metadata.

 -- Stefano Rivera <stefanor@debian.org>  Fri, 30 Oct 2020 11:56:19 -0700

python-authlib (0.15.1-1) unstable; urgency=medium

  * New upstream release.
  * Refresh patches.
  * Build-Depend on python3-itsdangerous for tests.
  * Drop Build-Depends for starlette test suite, not shipped in upstream
    source.
  * Run the 3 test suites separately, as upstream does. They fail otherwise.

 -- Stefano Rivera <stefanor@debian.org>  Wed, 14 Oct 2020 21:16:12 -0700

python-authlib (0.14.3-2) unstable; urgency=medium

  * Upload to unstable.
  * Update Maintainer email for DPMT & PAPT merger.
  * Update Vcs URLs for DPMT & PAPT merger.

 -- Stefano Rivera <stefanor@debian.org>  Wed, 23 Sep 2020 13:36:52 -0700

python-authlib (0.14.3-1) experimental; urgency=low

  * Initial Release (Closes: #968644)

 -- Stefano Rivera <stefanor@debian.org>  Wed, 19 Aug 2020 15:14:48 -0700
