SUSE-SU-2026:20879-1

Vulnerability from csaf_suse - Published: 2026-03-26 08:57 - Updated: 2026-03-26 08:57
Summary
Security update for python-PyJWT
Severity
Important
Notes
Title of the patch: Security update for python-PyJWT
Description of the patch: This update for python-PyJWT fixes the following issues:

Update to PyJWT 2.12.1:

- CVE-2024-53861: prevent partial matching of the Issuer field (bsc#1234038).
- CVE-2026-32597: validate the crit Header Parameter defined in RFC 7515 (bsc#1259616).

Changelog:

Update to 2.12.1:

- Add missing typing_extensions dependency for Python < 3.11 in #1150

Update to 2.12.0:

- Annotate PyJWKSet.keys for pyright by @tamird in #1134
- Close HTTPError response to prevent ResourceWarning on Python 3.14 by @veeceey in #1133
- Do not keep algorithms dict in PyJWK instances by @akx in #1143
- Use PyJWK algorithm when encoding without explicit algorithm in #1148
- Docs: Add PyJWKClient API reference and document the two-tier caching system (JWK Set cache and signing key LRU cache).

Update to 2.11.0:

- Enforce ECDSA curve validation per RFC 7518 Section 3.4.
- Fix build system warnings by @kurtmckee in #1105
- Validate key against allowed types for Algorithm family in #964
- Add iterator for JWKSet in #1041
- Validate iss claim is a string during encoding and decoding by @pachewise in #1040
- Improve typing/logic for options in decode, decode_complete by @pachewise in #1045
- Declare float supported type for lifespan and timeout by @nikitagashkov in #1068
- Fix SyntaxWarnings/DeprecationWarnings caused by invalid escape sequences by @kurtmckee in #1103
- Development: Build a shared wheel once to speed up test suite setup times by @kurtmckee in #1114
- Development: Test type annotations across all supported Python versions, increase the strictness of the type checking, and remove the mypy pre-commit hook by @kurtmckee in #1112
- Support Python 3.14, and test against PyPy 3.10 and 3.11 by @kurtmckee in #1104
- Development: Migrate to build to test package building in CI by @kurtmckee in #1108
- Development: Improve coverage config and eliminate unused test suite code by @kurtmckee in #1115
- Docs: Standardize CHANGELOG links to PRs by @kurtmckee in #1110
- Docs: Fix Read the Docs builds by @kurtmckee in #1111
- Docs: Add example of using leeway with nbf by @djw8605 in #1034
- Docs: Refactored docs with autodoc; added PyJWS and jwt.algorithms docs by @pachewise in #1045
- Docs: Documentation improvements for "sub" and "jti" claims by @cleder in #1088
- Development: Add pyupgrade as a pre-commit hook by @kurtmckee in #1109
- Add minimum key length validation for HMAC and RSA keys (CWE-326). Warns by default via InsecureKeyLengthWarning when keys are below minimum recommended lengths per RFC 7518 Section 3.2 (HMAC) and NIST SP 800-131A (RSA). Pass enforce_minimum_key_length=True in options to PyJWT or PyJWS to raise InvalidKeyError instead.
- Refactor PyJWT to own an internal PyJWS instance instead of calling global api_jws functions.

Update to 2.10.0:

* chore: use sequence for typing rather than list
* Add support for Python 3.13
* [pre-commit.ci] pre-commit autoupdate
* Add an RTD config file to resolve RTD build failures
* docs: Update iat exception docs
* Remove algorithm requirement for JWT API
* Create SECURITY.md
* docs fix: decode_complete scope and algorithms
* fix doctest for docs/usage.rst
* fix test_utils.py not to xfail
* Correct jwt.decode audience param doc expression
* Add PS256 encoding and decoding usage
* Add API docs for PyJWK
* Refactor project configuration files from setup.cfg to pyproject.toml PEP-518
* Add JWK support to JWT encode
* Update pre-commit hooks to lint pyproject.toml
* Add EdDSA algorithm encoding/decoding usage
* Ruff linter and formatter changes
* Validate sub and jti claims for the token
* Add ES256 usage
* Encode EC keys with a fixed bit length
* Drop support for Python 3.8
* Prepare 2.10.0 release
* Bump codecov/codecov-action from 4 to 5
Patchnames: SUSE-SLE-Micro-6.1-463
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-PyJWT",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-PyJWT fixes the following issues:\n\nUpdate to PyJWT 2.12.1:\n\n- CVE-2024-53861: prevent partial matching of the Issuer field (bsc#1234038).\n- CVE-2026-32597: validate the crit Header Parameter defined in RFC 7515 (bsc#1259616).\n\nChangelog:\n\nUpdate to 2.12.1:\n\n - Add missing typing_extensions dependency for Python \u003c 3.11 in\n   #1150\n  \nUpdate to 2.12.0:\n\n - Annotate PyJWKSet.keys for pyright by @tamird in #1134\n - Close HTTPError response to prevent ResourceWarning on\n   Python 3.14 by @veeceey in #1133\n - Do not keep algorithms dict in PyJWK instances by @akx in\n   #1143\n - Use PyJWK algorithm when encoding without explicit\n   algorithm in #1148\n - Docs: Add PyJWKClient API reference and document the\n   two-tier caching system (JWK Set cache and signing key LRU\n   cache). \n\nUpdate to 2.11.0:\n \n - Enforce ECDSA curve validation per RFC 7518 Section 3.4.\n - Fix build system warnings by @kurtmckee in #1105\n - Validate key against allowed types for Algorithm family in\n   #964\n - Add iterator for JWKSet in #1041\n - Validate iss claim is a string during encoding and decoding\n   by @pachewise in #1040\n - Improve typing/logic for options in decode, decode_complete\n    by @pachewise in #1045\n - Declare float supported type for lifespan and timeout by\n   @nikitagashkov in #1068\n - Fix SyntaxWarnings/DeprecationWarnings caused by invalid\n   escape sequences by @kurtmckee in #1103\n - Development: Build a shared wheel once to speed up test\n   suite setup times by @kurtmckee in #1114\n - Development: Test type annotations across all supported\n   Python versions, increase the strictness of the type\n   checking, and remove the mypy pre-commit hook by @kurtmckee\n   in #1112\n - Support Python 3.14, and test against PyPy 3.10 and 3.11 by\n   @kurtmckee in #1104\n - Development: Migrate to build to test package building in\n   CI by @kurtmckee in #1108\n - Development: Improve coverage config and eliminate unused\n   test suite code by @kurtmckee in #1115\n - Docs: Standardize CHANGELOG links to PRs by @kurtmckee in\n   #1110\n - Docs: Fix Read the Docs builds by @kurtmckee in #1111\n - Docs: Add example of using leeway with nbf by @djw8605 in\n   #1034\n - Docs: Refactored docs with autodoc; added PyJWS and\n   jwt.algorithms docs by @pachewise in #1045\n - Docs: Documentation improvements for \"sub\" and \"jti\" claims\n   by @cleder in #1088\n - Development: Add pyupgrade as a pre-commit hook by\n   @kurtmckee in #1109\n - Add minimum key length validation for HMAC and RSA keys\n   (CWE-326). Warns by default via InsecureKeyLengthWarning\n   when keys are below minimum recommended lengths per RFC\n   7518 Section 3.2 (HMAC) and NIST SP 800-131A (RSA). Pass\n   enforce_minimum_key_length=True in options to PyJWT or\n   PyJWS to raise InvalidKeyError instead.\n - Refactor PyJWT to own an internal PyJWS instance instead of\n   calling global api_jws functions.\n  \nUpdate to 2.10.0:\n  \n * chore: use sequence for typing rather than list\n * Add support for Python 3.13\n * [pre-commit.ci] pre-commit autoupdate\n * Add an RTD config file to resolve RTD build failures\n * docs: Update iat exception docs\n * Remove algorithm requirement for JWT API\n * Create SECURITY.md\n * docs fix: decode_complete scope and algorithms\n * fix doctest for docs/usage.rst\n * fix test_utils.py not to xfail\n * Correct jwt.decode audience param doc expression\n * Add PS256 encoding and decoding usage\n * Add API docs for PyJWK\n * Refactor project configuration files from setup.cfg to pyproject.toml PEP-518\n * Add JWK support to JWT encode\n * Update pre-commit hooks to lint pyproject.toml\n * Add EdDSA algorithm encoding/decoding usage\n * Ruff linter and formatter changes\n * Validate sub and jti claims for the token\n * Add ES256 usage\n * Encode EC keys with a fixed bit length\n * Drop support for Python 3.8\n * Prepare 2.10.0 release\n * Bump codecov/codecov-action from 4 to 5\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-SLE-Micro-6.1-463",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_20879-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:20879-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620879-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:20879-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/025052.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1234038",
        "url": "https://bugzilla.suse.com/1234038"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1259616",
        "url": "https://bugzilla.suse.com/1259616"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-53861 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-53861/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32597 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32597/"
      }
    ],
    "title": "Security update for python-PyJWT",
    "tracking": {
      "current_release_date": "2026-03-26T08:57:07Z",
      "generator": {
        "date": "2026-03-26T08:57:07Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:20879-1",
      "initial_release_date": "2026-03-26T08:57:07Z",
      "revision_history": [
        {
          "date": "2026-03-26T08:57:07Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch",
                "product": {
                  "name": "python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch",
                  "product_id": "python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Micro 6.1",
                "product": {
                  "name": "SUSE Linux Micro 6.1",
                  "product_id": "SUSE Linux Micro 6.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sl-micro:6.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch as component of SUSE Linux Micro 6.1",
          "product_id": "SUSE Linux Micro 6.1:python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch"
        },
        "product_reference": "python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch",
        "relates_to_product_reference": "SUSE Linux Micro 6.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-53861",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-53861"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `\"acb\"` being accepted for `\"_abc_\"`. This is a bug introduced in version 2.10.0: checking the \"iss\" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequence, but not a list, `in` is also used for string comparison. This results in `if \"abc\" not in \"__abcd__\":` being checked instead of `if \"abc\" != \"__abc__\":`. Signature checks are still present so real world impact is likely limited to denial of service scenarios. This issue has been patched in version 2.10.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.1:python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-53861",
          "url": "https://www.suse.com/security/cve/CVE-2024-53861"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1234038 for CVE-2024-53861",
          "url": "https://bugzilla.suse.com/1234038"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.1:python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.1:python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-26T08:57:07Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-53861"
    },
    {
      "cve": "CVE-2026-32597",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32597"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Micro 6.1:python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32597",
          "url": "https://www.suse.com/security/cve/CVE-2026-32597"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259616 for CVE-2026-32597",
          "url": "https://bugzilla.suse.com/1259616"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Micro 6.1:python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Micro 6.1:python311-PyJWT-2.12.1-slfo.1.1_1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-26T08:57:07Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-32597"
    }
  ]
}

