Skip to content

Comments

go.mod | go.sum: Update nats-io/jwt/v2 & nats-io/nats-server/v2 dependencies to fix CVE-2021-3127 & CVE-2022-24450#1237

Merged
peterbourgon merged 1 commit intogo-kit:masterfrom
denopink:denopink/fix-nats-io-jwt-cve-2021-3127
Aug 8, 2022
Merged

go.mod | go.sum: Update nats-io/jwt/v2 & nats-io/nats-server/v2 dependencies to fix CVE-2021-3127 & CVE-2022-24450#1237
peterbourgon merged 1 commit intogo-kit:masterfrom
denopink:denopink/fix-nats-io-jwt-cve-2021-3127

Conversation

@denopink
Copy link
Contributor

@denopink denopink commented Jun 27, 2022
edited
Loading

Current version of https://github.com/nats-io/jwt/v2 (v2.0.3) and github.com/nats-io/nats-server/v2 (v2.5.0) are affected by CVE-2021-3127 & CVE-2022-24450 in that this project got flagged by security scans. Both of these libs at their current version require nats-io/jwt v1.2.2 or nats-io/jwt/v2 v2.0.3 (which itself requires nats-io/jwt v1.2.2) and are both affected by CVE-2021-3127. nats-io/nats-server/v2 >= 2.7.2 patches CVE-2022-24450

This PR updates nats-io/jwt/v2 to v2.2.0 and nats-io/nats-server/v2 to v2.8.4 patches CVE-2021-3127 & CVE-2022-24450.
Issue: #1236

@denopink
Update nats-io/jwt/v2 & nats-io/nats-server/v2 dependencies to fix CV…
bf7670f 
…E-2021-3127

Update nats-io/jwt/v2 dependency to fix CVE-2021-3127

Current version of `https://github.com/nats-io/jwt/v2` (v2.0.3)  and `github.com/nats-io/nats-server/v2` (v2.5.0) are affected by `CVE-2021-3127` in that this project got flagged by security scans.
This PR updates `nats-io/jwt/v2` to `v2.2.0` and `nats-io/nats-server/v2` to `v2.8.4` patching `CVE-2021-3127`.
@denopink denopink changed the title go.mod | go.sum: Update nats-io/jwt/v2 & nats-io/nats-server/v2 dependencies to fix CVE-2021-3127 go.mod | go.sum: Update nats-io/jwt/v2 & nats-io/nats-server/v2 dependencies to fix CVE-2021-3127 & CVE-2022-24450 Jun 27, 2022
TheoBrigitte
TheoBrigitte approved these changes Aug 8, 2022
View reviewed changes
Copy link

@TheoBrigitte TheoBrigitte left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested this PR as I got affected by CVE-2022-24450 and CVE-2022-29946.

The updated dependencies from PR solves those issues.

@peterbourgon peterbourgon merged commit 62c81a0 into go-kit:master Aug 8, 2022
@denopink denopink deleted the denopink/fix-nats-io-jwt-cve-2021-3127 branch August 8, 2022 18:24
@PrintlnPan PrintlnPan mentioned this pull request Dec 13, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@TheoBrigitte TheoBrigitte TheoBrigitte approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@denopink @TheoBrigitte @peterbourgon