
chore: upgrade to golang-jwt 3.2.1 to fix CVE-2020-26160 #21925

Merged (1 commit), Jul 23, 2021

Commits on Jul 23, 2021

  1. chore: upgrade to golang-jwt 3.2.1 to fix CVE-2020-26160

    CVE-2020-26160[0] is an access restriction bypass under certain
    circumstances when validating audience checks. The original
    dgrijalva/jwt-go project is no longer maintained[1] and will not be
    issuing a fix for this CVE[2]. Instead, they have transferred ownership
    to golang-jwt/jwt[2][3][4].
    
    The following was performed:
    
    1. update chronograf and jsonweb to import golang-jwt/jwt
    2. go mod edit -require github.com/golang-jwt/jwt@v3.2.1+incompatible
    3. go mod edit -droprequire github.com/dgrijalva/jwt-go
    4. go mod tidy
    5. make
    6. make test
    
    References:
    [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160
    [1] dgrijalva/jwt-go#462
    [2] dgrijalva/jwt-go#463
    [3] https://github.com/dgrijalva/jwt-go/blob/master/README.md
    [4] https://github.com/golang-jwt/jwt
    jdstrand committed Jul 23, 2021
    Commit da3f54d
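As an added illustration (not code from this PR, from chronograf, or from either jwt library), the simplified Go reimplementation below shows the audience-check weakness that CVE-2020-26160 describes: the `aud` claim is type-asserted to a plain string, so an array-valued `aud` (a form RFC 7519 permits) silently becomes "" and, when the audience is not marked required, the check passes without comparing anything. The function names, the `Claims` type and the constructed payload are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Claims is the decoded JWT payload as a generic map, the shape encoding/json
// produces for an untyped object (constructed for this example).
type Claims map[string]interface{}

// verifyAudienceVulnerable mirrors the pre-fix logic described by CVE-2020-26160:
// a failed string type assertion yields "", and an empty audience is accepted
// whenever the caller did not mark the claim as required.
func verifyAudienceVulnerable(c Claims, expected string, required bool) bool {
	aud, _ := c["aud"].(string)
	if aud == "" {
		return !required
	}
	return aud == expected
}

// verifyAudienceFixed accepts both forms RFC 7519 allows for "aud" (a single
// string or an array of strings) and compares every element against expected.
func verifyAudienceFixed(c Claims, expected string, required bool) bool {
	var auds []string
	switch v := c["aud"].(type) {
	case string:
		auds = []string{v}
	case []string:
		auds = v
	case []interface{}:
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false // non-string entry: malformed claim, fail closed
			}
			auds = append(auds, s)
		}
	}
	if len(auds) == 0 {
		return !required
	}
	for _, a := range auds {
		if a == expected {
			return true
		}
	}
	return false
}

func main() {
	// Constructed payload: a token minted for "billing-api", decoded the way
	// encoding/json does it (the JSON array arrives as []interface{}).
	var c Claims
	_ = json.Unmarshal([]byte(`{"sub":"alice","aud":["billing-api"]}`), &c)
	fmt.Println("vulnerable:", verifyAudienceVulnerable(c, "admin-api", false)) // true
	fmt.Println("fixed:     ", verifyAudienceFixed(c, "admin-api", false))      // false
}
```

Regardless of library version, a service that relies on `aud` should validate it as required so that a missing or empty audience is rejected rather than tolerated.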