Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

go.mod | go.sum: Update nats-io/jwt/v2 & nats-io/nats-server/v2 dependencies to fix CVE-2021-3127 & CVE-2022-24450 #1237

Merged

Conversation

denopink
Copy link
Contributor

@denopink denopink commented Jun 27, 2022

Current version of https://github.com/nats-io/jwt/v2 (v2.0.3) and github.com/nats-io/nats-server/v2 (v2.5.0) are affected by CVE-2021-3127 & CVE-2022-24450 in that this project got flagged by security scans. Both of these libs at their current version require nats-io/jwt v1.2.2 or nats-io/jwt/v2 v2.0.3 (which itself requires nats-io/jwt v1.2.2) and are both affected by CVE-2021-3127. nats-io/nats-server/v2 >= 2.7.2 patches CVE-2022-24450

This PR updates nats-io/jwt/v2 to v2.2.0 and nats-io/nats-server/v2 to v2.8.4 patches CVE-2021-3127 & CVE-2022-24450.
Issue: #1236

…E-2021-3127

Update nats-io/jwt/v2 dependency to fix CVE-2021-3127

Current version of `https://github.com/nats-io/jwt/v2` (v2.0.3)  and `github.com/nats-io/nats-server/v2` (v2.5.0) are affected by `CVE-2021-3127` in that this project got flagged by security scans.
This PR updates `nats-io/jwt/v2` to `v2.2.0` and `nats-io/nats-server/v2` to `v2.8.4` patching `CVE-2021-3127`.
@denopink denopink changed the title go.mod | go.sum: Update nats-io/jwt/v2 & nats-io/nats-server/v2 dependencies to fix CVE-2021-3127 go.mod | go.sum: Update nats-io/jwt/v2 & nats-io/nats-server/v2 dependencies to fix CVE-2021-3127 & CVE-2022-24450 Jun 27, 2022
Copy link

@TheoBrigitte TheoBrigitte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested this PR as I got affected by CVE-2022-24450 and CVE-2022-29946.

The updated dependencies from PR solves those issues.

@peterbourgon peterbourgon merged commit 62c81a0 into go-kit:master Aug 8, 2022
@denopink denopink deleted the denopink/fix-nats-io-jwt-cve-2021-3127 branch August 8, 2022 18:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants