Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CVE-2024-51744] Bump jwt to v5.2.1 to address CVE concerns #158

Merged
merged 1 commit into from
Jan 10, 2025
Merged

[CVE-2024-51744] Bump jwt to v5.2.1 to address CVE concerns #158

merged 1 commit into from
Jan 10, 2025

Conversation

RainbowMango
Copy link
Member

What type of PR is this?

/kind cleanup

What this PR does / why we need it:
This PR updates github.com/golang-jwt/jwt to v5.2.1 to address CVE concerns.

We are not affected as we do not use the ParseWithClaims function.

Unclear documentation of the error behavior in ParseWithClaims can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

@RainbowMango
Bump github.com/golang-jwt/jwt to v5.2.1 to address CVE concerns CVE-…
801b6ed 
…2024-51744

Signed-off-by: RainbowMango <qdurenhongcai@gmail.com>
@karmada-bot karmada-bot added the kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. label Jan 9, 2025
@RainbowMango RainbowMango changed the title [CVE-2024-51744] Bump github.com/golang-jwt/jwt to v5.2.1 to address CVE concerns [CVE-2024-51744] Bump jwt to v5.2.1 to address CVE concerns Jan 9, 2025
@karmada-bot karmada-bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jan 9, 2025
@RainbowMango RainbowMango mentioned this pull request Jan 9, 2025
Open
9 tasks
@RainbowMango
Copy link
Member Author

/assign @warjiang
I didn't test it locally, I think the CI tests can help it.

@warjiang
Copy link
Contributor

I've tested it locally, it works.
/lgtm
/approve

@karmada-bot karmada-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 10, 2025
@karmada-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: warjiang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@karmada-bot karmada-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 10, 2025
@karmada-bot karmada-bot merged commit 2859e33 into karmada-io:main Jan 10, 2025
6 checks passed
@RainbowMango RainbowMango deleted the pr_bump_jwt_v521 branch January 13, 2025 01:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@devadapter devadapter Awaiting requested review from devadapter

@samzong samzong Awaiting requested review from samzong

Assignees

@warjiang warjiang

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm Indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@RainbowMango @warjiang @karmada-bot