Activity log
- Created suggestion
Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle
Authlib is a Python library for building OAuth and OpenID Connect servers. Versions prior to 1.6.9 contain a cryptographic padding oracle vulnerability in the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9.
References
- https://github.com/authlib/authlib/security/advisories/GHSA-7432-952r-cw78 x_refsource_CONFIRM
- https://github.com/authlib/authlib/releases/tag/v1.6.9 x_refsource_MISC
Affected products
- ==< 1.6.9
Matching in nixpkgs
- pkgs.python312Packages.authlib: Library for building OAuth and OpenID Connect servers
- pkgs.python313Packages.authlib: Library for building OAuth and OpenID Connect servers
- pkgs.python314Packages.authlib: Library for building OAuth and OpenID Connect servers
- pkgs.python312Packages.oauthlib: Generic, spec-compliant, thorough implementation of the OAuth request-signing logic
- pkgs.python313Packages.oauthlib: Generic, spec-compliant, thorough implementation of the OAuth request-signing logic
- pkgs.python314Packages.oauthlib: Generic, spec-compliant, thorough implementation of the OAuth request-signing logic
- pkgs.python312Packages.hawkauthlib: Hawk Access Authentication protocol
- pkgs.python313Packages.hawkauthlib: Hawk Access Authentication protocol
- pkgs.python314Packages.hawkauthlib: Hawk Access Authentication protocol
- pkgs.python312Packages.aiohttp-oauthlib: oauthlib integration for aiohttp clients
- pkgs.python313Packages.aiohttp-oauthlib: oauthlib integration for aiohttp clients
- pkgs.python314Packages.aiohttp-oauthlib: oauthlib integration for aiohttp clients
- pkgs.python312Packages.requests-oauthlib: OAuthlib authentication support for Requests
- pkgs.python313Packages.requests-oauthlib: OAuthlib authentication support for Requests
- pkgs.python314Packages.requests-oauthlib: OAuthlib authentication support for Requests
- pkgs.python312Packages.google-auth-oauthlib: Google Authentication Library: oauthlib integration
- pkgs.python313Packages.google-auth-oauthlib: Google Authentication Library: oauthlib integration
- pkgs.python314Packages.google-auth-oauthlib: Google Authentication Library: oauthlib integration
Package maintainers
- @sumnerevans Sumner Evans <me@sumnerevans.com>
- @flokli Florian Klink <flokli@flokli.de>
- @terlar Terje Larsen <terlar@gmail.com>
- @prikhi Pavan Rikhi <pavan.rikhi@gmail.com>
- @sarahec Sarah Clark <seclark@nextquestion.net>