-
Notifications
You must be signed in to change notification settings - Fork 145
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update to go-jose/v4 #583
Comments
We will have a look at this. Meanwhile I would like to note that the linked vulnerability only applies to |
Thanks! Due to how Debian's packaging works for Go libraries, it's hard to have different major versions of a library in parallel without creating a unique package for each version. I think that would be overkill for the case of go-jose, so hopefully this isn't too hard of a change to make. |
This change updates to go-jose v4, which was a new major release. jose.ParseSigned now expects the supported signing algorithms to be passed, on which we previously did our own check. As they use a dedicated type for this, the slice of string needs to be converted. The returned error also need to be handled in a non-standard way in order to stay compatible. For OIDC v4 we should use the jose.SignatureAlgorithm type directly and wrap errors, instead of returned static defined errors. Closes #583
This change updates to go-jose v4, which was a new major release. jose.ParseSigned now expects the supported signing algorithms to be passed, on which we previously did our own check. As they use a dedicated type for this, the slice of string needs to be converted. The returned error also need to be handled in a non-standard way in order to stay compatible. For OIDC v4 we should use the jose.SignatureAlgorithm type directly and wrap errors, instead of returned static defined errors. Closes #583
All done! Its nice to hear this project is included in Debian. |
🎉 Thanks! |
Preflight Checklist
Describe your problem
go-jose/v4 was released about a month ago, with version 4.0.1 fixing CVE-2024-28180. I'd like to update the packaging of this library in Debian, but there was an API change in go-jose/v4 that requires specifying the expected algorithm(s) when calling
ParseSigned()
(go-jose/go-jose#69). It doesn't look that hard to fix, but I'm not familiar enough with the zitadel/oidc codebase to confidently submit a pull request fixing this.Describe your ideal solution
Update to go-jose/v4.
Version
3.19.0
Environment
Self-hosted
Additional Context
My ultimate goal is to update zitadel/oidc in Debian so I can package and upload the latest release of Incus, which uses this library.
The text was updated successfully, but these errors were encountered: