Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

go.mod | go.sum: Update nats-io/jwt/v2 & nats-io/nats-server/v2 dependencies to fix CVE-2021-3127 & CVE-2022-24450 #1237

Merged
merged 1 commit into from
Aug 8, 2022
Merged

go.mod | go.sum: Update nats-io/jwt/v2 & nats-io/nats-server/v2 dependencies to fix CVE-2021-3127 & CVE-2022-24450 #1237

merged 1 commit into from
Aug 8, 2022

Conversation

denopink
Copy link
Contributor

@denopink denopink commented Jun 27, 2022
edited
Loading

Current version of https://github.com/nats-io/jwt/v2 (v2.0.3) and github.com/nats-io/nats-server/v2 (v2.5.0) are affected by CVE-2021-3127 & CVE-2022-24450 in that this project got flagged by security scans. Both of these libs at their current version require nats-io/jwt v1.2.2 or nats-io/jwt/v2 v2.0.3 (which itself requires nats-io/jwt v1.2.2) and are both affected by CVE-2021-3127. nats-io/nats-server/v2 >= 2.7.2 patches CVE-2022-24450

This PR updates nats-io/jwt/v2 to v2.2.0 and nats-io/nats-server/v2 to v2.8.4 patches CVE-2021-3127 & CVE-2022-24450.
Issue: #1236

@denopink
Update nats-io/jwt/v2 & nats-io/nats-server/v2 dependencies to fix CV…
bf7670f 
…E-2021-3127

Update nats-io/jwt/v2 dependency to fix CVE-2021-3127

Current version of `https://github.com/nats-io/jwt/v2` (v2.0.3)  and `github.com/nats-io/nats-server/v2` (v2.5.0) are affected by `CVE-2021-3127` in that this project got flagged by security scans.
This PR updates `nats-io/jwt/v2` to `v2.2.0` and `nats-io/nats-server/v2` to `v2.8.4` patching `CVE-2021-3127`.
@denopink denopink changed the title go.mod | go.sum: Update nats-io/jwt/v2 & nats-io/nats-server/v2 dependencies to fix CVE-2021-3127 go.mod | go.sum: Update nats-io/jwt/v2 & nats-io/nats-server/v2 dependencies to fix CVE-2021-3127 & CVE-2022-24450 Jun 27, 2022
TheoBrigitte
TheoBrigitte approved these changes Aug 8, 2022
View reviewed changes
Copy link

@TheoBrigitte TheoBrigitte left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested this PR as I got affected by CVE-2022-24450 and CVE-2022-29946.

The updated dependencies from PR solves those issues.

@peterbourgon peterbourgon merged commit 62c81a0 into go-kit:master Aug 8, 2022
@denopink denopink deleted the denopink/fix-nats-io-jwt-cve-2021-3127 branch August 8, 2022 18:24
@PrintlnPan PrintlnPan mentioned this pull request Dec 13, 2022
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@TheoBrigitte TheoBrigitte TheoBrigitte approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@denopink @TheoBrigitte @peterbourgon