diff --git a/Authlib-1.3.0.tar.gz b/Authlib-1.3.0.tar.gz
deleted file mode 100644
index 67c3215a85ef445658eccc7552386c63c2556336..0000000000000000000000000000000000000000
Binary files a/Authlib-1.3.0.tar.gz and /dev/null differ
diff --git a/authlib-1.6.4.tar.gz b/authlib-1.6.4.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..0f6850805e5738da4ebd5f56ce951adb9256a7c8
Binary files /dev/null and b/authlib-1.6.4.tar.gz differ
diff --git a/backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch b/backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch
deleted file mode 100644
index f9d75d1cf35fc4f4e6d29b438581ab5476c9b4fd..0000000000000000000000000000000000000000
--- a/backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 3bea812acefebc9ee108aa24557be3ba8971daf1 Mon Sep 17 00:00:00 2001
-From: Hsiaoming Yang
-Date: Tue, 4 Jun 2024 11:34:43 +0900
-Subject: [PATCH] fix: prevent OctKey to import ssh/rsa/pem keys
-
-https://github.com/lepture/authlib/issues/654
----
- authlib/jose/rfc7518/oct_key.py | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/authlib/jose/rfc7518/oct_key.py b/authlib/jose/rfc7518/oct_key.py
-index 1db321a..44e1f72 100644
---- a/authlib/jose/rfc7518/oct_key.py
-+++ b/authlib/jose/rfc7518/oct_key.py
-@@ -6,6 +6,16 @@ from authlib.common.security import generate_token
- from ..rfc7517 import Key
-
-
-+POSSIBLE_UNSAFE_KEYS = (
-+ b"-----BEGIN ",
-+ b"---- BEGIN ",
-+ b"ssh-rsa ",
-+ b"ssh-dss ",
-+ b"ssh-ed25519 ",
-+ b"ecdsa-sha2-",
-+)
-+
-+
- class OctKey(Key):
- """Key class of the ``oct`` key type."""
-
-@@ -65,6 +75,11 @@ class OctKey(Key):
- key._dict_data = raw
- else:
- raw_key = to_bytes(raw)
-+
-+ # security check
-+ if raw_key.startswith(POSSIBLE_UNSAFE_KEYS):
-+ raise ValueError("This key may not be safe to import")
-+
- key = cls(raw_key=raw_key, options=options)
- return key
-
---
-2.33.0
-
diff --git a/python-Authlib.spec b/python-Authlib.spec
index d57d020f2835a5dcecc6bb55a0c174548d317758..1307133f563bb8f4e01aa05de54e3aff03444ab2 100644
--- a/python-Authlib.spec
+++ b/python-Authlib.spec
@@ -1,15 +1,13 @@
 %global _empty_manifest_terminate_build 0
 Name: python-Authlib
-Version: 1.3.0
+Version: 1.6.4
 Release: 1
 Summary: The ultimate Python library in building OAuth and OpenID Connect servers and clients.
 License: BSD 3-Clause License
 URL: https://authlib.org/
-Source0: https://files.pythonhosted.org/packages/source/A/Authlib/Authlib-1.3.0.tar.gz
+Source0: https://files.pythonhosted.org/packages/source/a/authlib/authlib-%{version}.tar.gz
 BuildArch: noarch
-Patch0001: backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch
-
 Requires: python3-cryptography
 %description
@@ -34,7 +32,7 @@ The ultimate Python library in building OAuth and OpenID Connect servers.
 JWS, JWK, JWA, JWT are included.
 %prep
-%autosetup -p1 -n Authlib-1.3.0
+%autosetup -p1 -n authlib-%{version}
 %build
 %py3_build
@@ -74,6 +72,13 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
+* Wed Sep 24 2025 jinshuaiyu - 1.6.4-1
+- update to v1.6.4
+- fix CVE-2025-59420
+- fix(jose): prevent public/unprotected header overwriting protected header
+- Fix InsecureTransportError raising
+- Add conventional-commits pre-commit hook
+
 * Fri Feb 28 2025 gongzhengtang - 1.3.0-1
 - update to v1.3.0
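Review bot: The new 1.6.4-1 changelog entry does not record that Patch0001 (backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch, the OctKey refusal of PEM/SSH-formatted `oct` key material) was removed from the spec, nor why. The deleted patch's header shows it as an upstream commit (3bea812, issue #654), so it is presumably already contained in the 1.6.4 tarball, but nothing in the commit states that this was checked, and a silently dropped security backport is exactly what the next updater cannot see. Add a changelog line such as `- drop backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch (merged upstream)` and, before building, confirm that POSSIBLE_UNSAFE_KEYS is present in the unpacked authlib/jose/rfc7518/oct_key.py so the check is not lost in the rebase. The %autosetup -p1 line is kept although no Patch lines remain, which is harmless but worth noting for the same reason.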