[release/2.7] github.com/golang-jwt/jwt v3.2.2 #3466
Conversation
Codecov Report
@@ Coverage Diff @@
## release/2.7 #3466 +/- ##
============================================
Coverage 58.77% 58.77%
============================================
Files 102 102
Lines 7085 7085
============================================
Hits 4164 4164
Misses 2280 2280
Partials 641 641 Continue to review full report at Codecov.
|
|
From #3465 (comment)
Looks like there's another fork as well (and that's the "official" replacement?) |
thaJeztah
changed the title
| exp, ok := m["exp"] | ||
| if !ok { | ||
| return !req | ||
| } | ||
| switch expType := exp.(type) { | ||
| switch exp := m["exp"].(type) { |
There was a problem hiding this comment.
Looks like the official repository does not have the security fix that the orm3tech-oss/jwt-go fork has; switching to github.com/golang-jwt/jwt removes these changes, which seem to be related to that security fix: form3tech-oss/jwt-go@v3.2.3...v3.2.4 (see form3tech-oss/jwt-go#14)
There was a problem hiding this comment.
I believe golang-jwt/jwt v3.2.1 fixed CVE-2020-26160 with different code: golang-jwt/jwt@0f726ea
There was a problem hiding this comment.
The equivalent to that one is in form3tech-oss/jwt-go@bb5e6d8 for the form3tech repository. Looks like v3.2.4 is fixing a different security issue?
There was a problem hiding this comment.
In that case the fix for CVE-2020-26160 is in form3tech-oss/jwt.go v3.2.2 and both #3459 and #3465 do fix CVE-2020-26160.
There was a problem hiding this comment.
Correct. I suspect no CVE has been requested for the security fix in form3tech-oss/jwt-go v3.2.4. If it's verified to be a security issue, a CVE should probably be requested (both for form3tech-oss/jwt-go, and for github.com/golang-jwt/jwt / dgrijalva/jwt-go)
There was a problem hiding this comment.
Shall we merge those two PRs while we wait for the situation with this new vulerability to be resolved upstream or do you think the workaround in this PR is a better fix for right now?
There was a problem hiding this comment.
My concern with #3465 is that it's pulling in 5.6k lines of code that's unrelated to the security fix (and which would have to be reviewed), with the goal to pull in a security fix that's < 50 lines. And (worse?) switching to a non-official fork (which, based on the go.mod addition, is at least somewhat "dubious" on quality).
From that perspective, I'd rather take the official fork (ideally with golang-jwt/jwt#40, if that's confirmed to be an issue), as is done in this PR.
For the main branch, I don't think there's an direct urgency to get it merged, unless a v3.0.0 release is pending.
thaJeztah
force-pushed
the
2.7_update_jwt
branch
from
9c170a3
to
71b608f
Compare
|
Looks like https://github.com/golang-jwt/jwt is the best option, and golang-jwt/jwt#40 is currently being reviewed, so I squashed the commits, and went for that fork (as it's the official replacement). |
thaJeztah
force-pushed
the
2.7_update_jwt
branch
from
71b608f
to
77892d6
Compare
thaJeztah
changed the title
|
Updated to v3.2.2, which was just released |
|
Looks like we need to update Golang as well; |
|
ok, works with Go 1.16, but should be moved to a separate PR |
thaJeztah
force-pushed
the
2.7_update_jwt
branch
from
2b076bf
to
430c232
Compare
thaJeztah
force-pushed
the
2.7_update_jwt
branch
from
430c232
to
de4bb77
Compare
|
opened #3472 |
to address CVE-2020-26160 full diff: golang-jwt/jwt@a601269...v3.2.2 3.2.1 release notes --------------------------------------- - Import Path Change: See MIGRATION_GUIDE.md for tips on updating your code Changed the import path from github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt - Fixed type confusion issue between string and []string in VerifyAudience. This fixes CVE-2020-26160 3.2.2 release notes --------------------------------------- - Starting from this release, we are adopting the policy to support the most 2 recent versions of Go currently available. By the time of this release, this is Go 1.15 and 1.16. - Fixed a potential issue that could occur when the verification of exp, iat or nbf was not required and contained invalid contents, i.e. non-numeric/date. Thanks for @thaJeztah for making us aware of that and @giorgos-f3 for originally reporting it to the formtech fork. - Added support for EdDSA / ED25519. - Optimized allocations. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah
force-pushed
the
2.7_update_jwt
branch
from
de4bb77
to
c5679da
Compare
|
Rebased, because #3472 was merged |
|
Thinking a bit more about this PR: does this project actually perform the validation of the JWT token? Because if not, then this patch may not be needed at all |
|
@thaJeztah distribution has |
Ah, thanks for checking! |
closes #3465
relates to #3361
relates to #3459 (main branch)
alternative to #3465
closes #3465
Using the https://github.com/form3tech-oss/jwt-go.git, which is actively maintained.full diff: form3tech-oss/jwt-go@a601269...v3.2.4to address CVE-2020-26160
full diff: golang-jwt/jwt@a601269...v3.2.2
3.2.1 release notes
Changed the import path from github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt
This fixes CVE-2020-26160
3.2.2 release notes
recent versions of Go currently available. By the time of this release, this
is Go 1.15 and 1.16.
or nbf was not required and contained invalid contents, i.e. non-numeric/date.
Thanks for @thaJeztah for making us aware of that and @giorgos-f3 for originally
reporting it to the formtech fork.