influxdb/jsonweb
Jamie Strandboge bf5965d22b
chore: upgrade to golang-jwt 3.2.1 to fix CVE-2020-26160 (#21925)
CVE-2020-26160[0] is an access restriction bypass under certain
circumstances when validating audience checks. The original
dgrijalva/jwt-go project is no longer maintained[1] and will not be
issuing a fix for this CVE[2]. Instead, they have transferred ownership
to golang-jwt/jwt[2][3][4].

The following was performed:

1. update chronograf and jsonweb to import golang-jwt/jwt
2. go mod edit -require github.com/golang-jwt/jwt@v3.2.1+incompatible
3. go mod edit -droprequire github.com/dgrijalva/jwt-go
4. go mod tidy
5. make
6. make test

References:
[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160
[1] dgrijalva/jwt-go#462
[2] dgrijalva/jwt-go#463
[3] https://github.com/dgrijalva/jwt-go/blob/master/README.md
[4] https://github.com/golang-jwt/jwt
2021-07-23 15:19:11 -05:00
fuzz.go feat: Add initial OSS-Fuzz testing integration 2020-07-07 11:46:35 -07:00
token.go chore: upgrade to golang-jwt 3.2.1 to fix CVE-2020-26160 (#21925) 2021-07-23 15:19:11 -05:00
token_test.go chore: upgrade to golang-jwt 3.2.1 to fix CVE-2020-26160 (#21925) 2021-07-23 15:19:11 -05:00