Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2020-26160 vulnerability fix #1126

Closed
cheipol opened this issue Apr 27, 2021 · 2 comments
Closed

CVE-2020-26160 vulnerability fix #1126

cheipol opened this issue Apr 27, 2021 · 2 comments
Labels
resolution/invalid This doesn't seem right

Comments

@cheipol
Copy link

cheipol commented Apr 27, 2021

Is your feature request related to a problem? Please describe.
Viper has dgrijalva/jwt-go (actually v 3.2.0) as a dependency. This library has a known vulnerability CVE-2020-26160.
dgrijalva/jwt-go seem to have a fix for this issue in version release-4.0.0 but it's been abandoned since January 2020.

Describe the solution you'd like to see
There are some other solutions implemented.
Have you considered using one of them?
@cheipol cheipol added the kind/enhancement New feature or request label Apr 27, 2021
@cheipol cheipol changed the title CVE-2020-26160 vulnerability CVE-2020-26160 vulnerability fix Apr 27, 2021
@github-actions
Copy link

👋 Thanks for reporting!

A maintainer will take a look at your issue shortly. 👀

In the meantime: We are working on Viper v2 and we would love to hear your thoughts about what you like or don't like about Viper, so we can improve or fix those issues.

⏰ If you have a couple minutes, please take some time and share your thoughts: https://forms.gle/R6faU74qPRPAzchZ9

📣 If you've already given us your feedback, you can still help by spreading the news,
either by sharing the above link or telling people about this on Twitter:

https://twitter.com/sagikazarmark/status/1306904078967074816

Thank you! ❤️

@sagikazarmark
Copy link
Collaborator

Hi!

jwt-go is not a dependency of this package. It's a transitive dependency of a package (etcd to be precise) that is not compiled into the final library.

The situation will be somewhat better once #1115 can be merged.

@sagikazarmark sagikazarmark added resolution/invalid This doesn't seem right and removed kind/enhancement New feature or request labels Apr 27, 2021
@Nivl Nivl mentioned this issue May 2, 2021
Merged
@PushkarJ PushkarJ mentioned this issue May 27, 2021
Closed
@hoppea2 hoppea2 mentioned this issue Jul 27, 2021
Merged
1 task
rogercoll added a commit to newrelic/infrastructure-publish-action that referenced this issue Dec 29, 2021
@rogercoll
chore: upgrade spf13/viper to 1.10.1
da4b6b8 
- Old versions require vulnerable package
github.com/miekg/dns < 1.1.25

- jwt-go can be removed as it is no longer a direct/indirecte
dependency: spf13/viper#1126
@rogercoll rogercoll mentioned this issue Dec 29, 2021
Merged
@timdrysdale timdrysdale mentioned this issue Feb 22, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
resolution/invalid This doesn't seem right
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sagikazarmark @cheipol