SUSE-SU-2026:20839-1: important: Security update for python-PyJWT
SLE-SECURITY-UPDATES
null at suse.de
Fri Mar 27 13:14:26 UTC 2026
# Security update for python-PyJWT
Announcement ID: SUSE-SU-2026:20839-1
Release Date: 2026-03-25T18:07:39Z
Rating: important
References:
* bsc#1259616
Cross-References:
* CVE-2026-32597
CVSS scores:
* CVE-2026-32597 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-32597 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2026-32597 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:
* SUSE Linux Micro 6.2
An update that solves one vulnerability can now be installed.
## Description:
This update for python-PyJWT fixes the following issue:
Update to PyJWT 2.12.1:
* CVE-2026-32597: PyJWT accepts unknown `crit` header extensions
(bsc#1259616).
Changelog:
Update to 2.12.1:
* Add missing typing_extensions dependency for Python < 3.11 in #1150
Update to 2.12.0:
* Annotate PyJWKSet.keys for pyright by @tamird in #1134
* Close HTTPError response to prevent ResourceWarning on Python 3.14 by
@veeceey in #1133
* Do not keep algorithms dict in PyJWK instances by @akx in #1143
* Use PyJWK algorithm when encoding without explicit algorithm in #1148
* Docs: Add PyJWKClient API reference and document the two-tier caching system
(JWK Set cache and signing key LRU cache).
Update to 2.11.0:
* Enforce ECDSA curve validation per RFC 7518 Section 3.4.
* Fix build system warnings by @kurtmckee in #1105
* Validate key against allowed types for Algorithm family in #964
* Add iterator for JWKSet in #1041
* Validate iss claim is a string during encoding and decoding by @pachewise in
#1040
* Improve typing/logic for options in decode, decode_complete by @pachewise in
#1045
* Declare float supported type for lifespan and timeout by @nikitagashkov in
#1068
* Fix SyntaxWarnings/DeprecationWarnings caused by invalid escape sequences by
@kurtmckee in #1103
* Development: Build a shared wheel once to speed up test suite setup times by
@kurtmckee in #1114
* Development: Test type annotations across all supported Python versions,
increase the strictness of the type checking, and remove the mypy pre-commit
hook by @kurtmckee in #1112
* Support Python 3.14, and test against PyPy 3.10 and 3.11 by @kurtmckee in
#1104
* Development: Migrate to build to test package building in CI by @kurtmckee
in #1108
* Development: Improve coverage config and eliminate unused test suite code by
@kurtmckee in #1115
* Docs: Standardize CHANGELOG links to PRs by @kurtmckee in #1110
* Docs: Fix Read the Docs builds by @kurtmckee in #1111
* Docs: Add example of using leeway with nbf by @djw8605 in #1034
* Docs: Refactored docs with autodoc; added PyJWS and jwt.algorithms docs by
@pachewise in #1045
* Docs: Documentation improvements for "sub" and "jti" claims by @cleder in
#1088
* Development: Add pyupgrade as a pre-commit hook by @kurtmckee in #1109
* Add minimum key length validation for HMAC and RSA keys (CWE-326). Warns by
default via InsecureKeyLengthWarning when keys are below minimum recommended
lengths per RFC 7518 Section 3.2 (HMAC) and NIST SP 800-131A (RSA). Pass
enforce_minimum_key_length=True in options to PyJWT or PyJWS to raise
InvalidKeyError instead.
* Refactor PyJWT to own an internal PyJWS instance instead of calling global
api_jws functions.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.2
zypper in -t patch SUSE-SL-Micro-6.2-445=1
## Package List:
* SUSE Linux Micro 6.2 (noarch)
* python313-PyJWT-2.12.1-160000.1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-32597.html
* https://bugzilla.suse.com/show_bug.cgi?id=1259616
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20260327/3ab14e26/attachment-0001.htm>
More information about the sle-security-updates
mailing list