
chore: upgrade to golang-jwt 3.2.1 to fix CVE-2020-26160 #21925

Merged
merged 1 commit into from
Jul 23, 2021

Conversation

jdstrand
Contributor

@jdstrand jdstrand commented Jul 22, 2021

CVE-2020-26160[0] is an access restriction bypass under certain
circumstances when validating audience checks. The original
dgrijalva/jwt-go project is no longer maintained[1] and will not be
issuing a fix for this CVE[2]. Instead, they have transferred ownership
to golang-jwt/jwt[2][3][4].

The following was performed:

  1. update chronograf and jsonweb to import golang-jwt/jwt
  2. go mod edit -require github.com/golang-jwt/jwt@v3.2.1+incompatible
  3. go mod edit -droprequire github.com/dgrijalva/jwt-go
  4. go mod tidy
  5. make
  6. make test

Note: 1.x is not affected since 1.8.4rc and 1.9.0rc pulled in a prerelease version of dgrijalva/jwt-go v4 that had the fix. We should move 1.x to golang-jwt/jwt, but that's for future maintenance and not a security fix.

References:
[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160
[1] dgrijalva/jwt-go#462
[2] dgrijalva/jwt-go#463
[3] https://github.com/dgrijalva/jwt-go/blob/master/README.md
[4] https://github.com/golang-jwt/jwt
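To make the "access restriction bypass when validating audience checks" concrete, here is an added, self-contained Go example (not code from this PR, from chronograf, or from either jwt library). It re-implements, in simplified form, the two generations of `MapClaims` audience verification: the pre-3.2.1 logic, which type-asserts `aud` to a single string and so treats the RFC 7519 array form as an absent claim, and the 3.2.1-style logic that handles both forms. Function names and the sample claim set are constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// verifyAudienceLegacy mirrors the pre-3.2.1 check: a single string type assertion.
func verifyAudienceLegacy(claims map[string]interface{}, expected string, required bool) bool {
	aud, _ := claims["aud"].(string) // a JSON array fails this assertion, so aud is "" ...
	if aud == "" {
		return !required // ... and with required=false any audience is accepted
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(expected)) == 1
}

// verifyAudienceFixed handles the string and array forms RFC 7519 allows (encoding/json delivers the array as []interface{}) and fails closed otherwise.
func verifyAudienceFixed(claims map[string]interface{}, expected string, required bool) bool {
	var auds []string
	switch v := claims["aud"].(type) {
	case nil: // claim absent: decided by required below
	case string:
		auds = []string{v}
	case []interface{}:
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false // non-string element: reject
			}
			auds = append(auds, s)
		}
	default:
		return false // unexpected type: reject
	}
	if len(auds) == 0 {
		return !required
	}
	match := false // no early return: timing does not depend on which entry matched
	for _, a := range auds {
		if subtle.ConstantTimeCompare([]byte(a), []byte(expected)) == 1 {
			match = true
		}
	}
	return match
}

func main() {
	tok := map[string]interface{}{"aud": []interface{}{"other-service"}} // constructed sample
	fmt.Println(verifyAudienceLegacy(tok, "my-service", false), verifyAudienceFixed(tok, "my-service", false))
}
```

The legacy check accepts a token issued for `other-service` whenever the caller does not mark `aud` as required, which is why a service relying solely on the library's check needed this upgrade.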

Contributor

@williamhbaker williamhbaker left a comment


LGTM!

@jdstrand jdstrand merged commit bf5965d into influxdata:master Jul 23, 2021
@jdstrand
Contributor Author

Thanks for the review!

@jdstrand jdstrand deleted the jdstrand/update-jwt-go branch July 26, 2021 14:04
2 participants