OPENSUSE-SU-2026:20431-1
Vulnerability from csaf_opensuse - Published: 2026-03-25 18:07 - Updated: 2026-03-25 18:07
Summary
Security update for python-PyJWT
Severity
Important
Notes
Title of the patch: Security update for python-PyJWT
Description of the patch: This update for python-PyJWT fixes the following issue:
Update to PyJWT 2.12.1:
- CVE-2026-32597: PyJWT accepts unknown `crit` header extensions (bsc#1259616).
Changelog:
Update to 2.12.1:
- Add missing typing_extensions dependency for Python < 3.11 in #1150
Update to 2.12.0:
- Annotate PyJWKSet.keys for pyright by @tamird in #1134
- Close HTTPError response to prevent ResourceWarning on Python 3.14 by @veeceey in #1133
- Do not keep algorithms dict in PyJWK instances by @akx in #1143
- Use PyJWK algorithm when encoding without explicit algorithm in #1148
- Docs: Add PyJWKClient API reference and document the two-tier caching system (JWK Set cache and signing key LRU cache).
Update to 2.11.0:
- Enforce ECDSA curve validation per RFC 7518 Section 3.4.
- Fix build system warnings by @kurtmckee in #1105
- Validate key against allowed types for Algorithm family in #964
- Add iterator for JWKSet in #1041
- Validate iss claim is a string during encoding and decoding by @pachewise in #1040
- Improve typing/logic for options in decode, decode_complete by @pachewise in #1045
- Declare float supported type for lifespan and timeout by @nikitagashkov in #1068
- Fix SyntaxWarnings/DeprecationWarnings caused by invalid escape sequences by @kurtmckee in #1103
- Development: Build a shared wheel once to speed up test suite setup times by @kurtmckee in #1114
- Development: Test type annotations across all supported Python versions, increase the strictness of the type checking, and remove the mypy pre-commit hook by @kurtmckee in #1112
- Support Python 3.14, and test against PyPy 3.10 and 3.11 by @kurtmckee in #1104
- Development: Migrate to build to test package building in CI by @kurtmckee in #1108
- Development: Improve coverage config and eliminate unused test suite code by @kurtmckee in #1115
- Docs: Standardize CHANGELOG links to PRs by @kurtmckee in #1110
- Docs: Fix Read the Docs builds by @kurtmckee in #1111
- Docs: Add example of using leeway with nbf by @djw8605 in #1034
- Docs: Refactored docs with autodoc; added PyJWS and jwt.algorithms docs by @pachewise in #1045
- Docs: Documentation improvements for "sub" and "jti" claims by @cleder in #1088
- Development: Add pyupgrade as a pre-commit hook by @kurtmckee in #1109
- Add minimum key length validation for HMAC and RSA keys (CWE-326). Warns by default via InsecureKeyLengthWarning when keys are below minimum recommended lengths per RFC 7518 Section 3.2 (HMAC) and NIST SP 800-131A (RSA). Pass enforce_minimum_key_length=True in options to PyJWT or PyJWS to raise InvalidKeyError instead.
- Refactor PyJWT to own an internal PyJWS instance instead of calling global api_jws functions.
Patchnames: openSUSE-Leap-16.0-445
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
CVSS v3.1 base score: 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-PyJWT",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-PyJWT fixes the following issue:\n\nUpdate to PyJWT 2.12.1:\n\n- CVE-2026-32597: PyJWT accepts unknown `crit` header extensions (bsc#1259616).\n\nChangelog:\n\nUpdate to 2.12.1:\n\n - Add missing typing_extensions dependency for Python \u003c 3.11 in\n #1150\n\nUpdate to 2.12.0:\n\n - Annotate PyJWKSet.keys for pyright by @tamird in #1134\n - Close HTTPError response to prevent ResourceWarning on\n Python 3.14 by @veeceey in #1133\n - Do not keep algorithms dict in PyJWK instances by @akx in\n #1143\n - Use PyJWK algorithm when encoding without explicit\n algorithm in #1148\n - Docs: Add PyJWKClient API reference and document the\n two-tier caching system (JWK Set cache and signing key LRU\n cache).\n\nUpdate to 2.11.0:\n\n - Enforce ECDSA curve validation per RFC 7518 Section 3.4.\n - Fix build system warnings by @kurtmckee in #1105\n - Validate key against allowed types for Algorithm family in\n #964\n - Add iterator for JWKSet in #1041\n - Validate iss claim is a string during encoding and decoding\n by @pachewise in #1040\n - Improve typing/logic for options in decode, decode_complete\n by @pachewise in #1045\n - Declare float supported type for lifespan and timeout by\n @nikitagashkov in #1068\n - Fix SyntaxWarnings/DeprecationWarnings caused by invalid\n escape sequences by @kurtmckee in #1103\n - Development: Build a shared wheel once to speed up test\n suite setup times by @kurtmckee in #1114\n - Development: Test type annotations across all supported\n Python versions, increase the strictness of the type\n checking, and remove the mypy pre-commit hook by @kurtmckee\n in #1112\n - Support Python 3.14, and test against PyPy 3.10 and 3.11 by\n @kurtmckee in #1104\n - Development: Migrate to build to test package building in\n CI by @kurtmckee in #1108\n - Development: Improve coverage config and eliminate unused\n test suite code by @kurtmckee in #1115\n - Docs: Standardize CHANGELOG links to PRs by @kurtmckee in\n #1110\n - Docs: Fix Read the Docs builds by @kurtmckee in #1111\n - Docs: Add example of using leeway with nbf by @djw8605 in\n #1034\n - Docs: Refactored docs with autodoc; added PyJWS and\n jwt.algorithms docs by @pachewise in #1045\n - Docs: Documentation improvements for \"sub\" and \"jti\" claims\n by @cleder in #1088\n - Development: Add pyupgrade as a pre-commit hook by\n @kurtmckee in #1109\n - Add minimum key length validation for HMAC and RSA keys\n (CWE-326). Warns by default via InsecureKeyLengthWarning\n when keys are below minimum recommended lengths per RFC\n 7518 Section 3.2 (HMAC) and NIST SP 800-131A (RSA). Pass\n enforce_minimum_key_length=True in options to PyJWT or\n PyJWS to raise InvalidKeyError instead.\n - Refactor PyJWT to own an internal PyJWS instance instead of\n calling global api_jws functions.\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Leap-16.0-445",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20431-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1259616",
        "url": "https://bugzilla.suse.com/1259616"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32597 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32597/"
      }
    ],
    "title": "Security update for python-PyJWT",
    "tracking": {
      "current_release_date": "2026-03-25T18:07:39Z",
      "generator": {
        "date": "2026-03-25T18:07:39Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:20431-1",
      "initial_release_date": "2026-03-25T18:07:39Z",
      "revision_history": [
        {
          "date": "2026-03-25T18:07:39Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python313-PyJWT-2.12.1-160000.1.1.noarch",
                "product": {
                  "name": "python313-PyJWT-2.12.1-160000.1.1.noarch",
                  "product_id": "python313-PyJWT-2.12.1-160000.1.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 16.0",
                "product": {
                  "name": "openSUSE Leap 16.0",
                  "product_id": "openSUSE Leap 16.0"
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-PyJWT-2.12.1-160000.1.1.noarch as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:python313-PyJWT-2.12.1-160000.1.1.noarch"
        },
        "product_reference": "python313-PyJWT-2.12.1-160000.1.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-32597",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32597"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:python313-PyJWT-2.12.1-160000.1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32597",
          "url": "https://www.suse.com/security/cve/CVE-2026-32597"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259616 for CVE-2026-32597",
          "url": "https://bugzilla.suse.com/1259616"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:python313-PyJWT-2.12.1-160000.1.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 16.0:python313-PyJWT-2.12.1-160000.1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-25T18:07:39Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-32597"
    }
  ]
}