
go.mod | go.sum: Update nats-io/jwt/v2 & nats-io/nats-server/v2 dependencies to fix CVE-2021-3127 & CVE-2022-24450 #1237

Merged

Conversation

@denopink (Contributor) commented Jun 27, 2022

The current versions of https://github.com/nats-io/jwt/v2 (v2.0.3) and github.com/nats-io/nats-server/v2 (v2.5.0) are affected by CVE-2021-3127 & CVE-2022-24450, in that this project got flagged by security scans. Both of these libs at their current versions require nats-io/jwt v1.2.2 or nats-io/jwt/v2 v2.0.3 (which itself requires nats-io/jwt v1.2.2) and are both affected by CVE-2021-3127. nats-io/nats-server/v2 >= 2.7.2 patches CVE-2022-24450.

This PR updates nats-io/jwt/v2 to v2.2.0 and nats-io/nats-server/v2 to v2.8.4, patching CVE-2021-3127 & CVE-2022-24450.
Issue: #1236
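As an added example (not code from this PR or from go-kit), the following stand-alone Go program does the check a reviewer would want before merging a dependency bump like this one: it parses a go.mod and flags nats-io/jwt/v2 and nats-io/nats-server/v2 when they are pinned below the versions the PR moves to (v2.2.0 and v2.8.4). The embedded go.mod is constructed to mirror the pre-PR state described above; the module path and the nats.go require line are assumptions for the example, as is the hand-rolled semver comparison, which is enough for release versions and treats pre-release and pseudo-versions as older than the matching release.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Lowest acceptable versions, taken from the PR: it moves nats-io/jwt/v2 to
// v2.2.0 and nats-io/nats-server/v2 to v2.8.4.
var minimums = map[string]string{
	"github.com/nats-io/jwt/v2":         "v2.2.0",
	"github.com/nats-io/nats-server/v2": "v2.8.4",
}

// Constructed sample go.mod mirroring the pre-PR state described in the
// issue; the module path and the nats.go line are assumptions for the example.
const sampleGoMod = `module github.com/go-kit/kit

go 1.17

require (
	github.com/nats-io/jwt/v2 v2.0.3
	github.com/nats-io/nats-server/v2 v2.5.0
	github.com/nats-io/nats.go v1.12.0 // indirect
)
`

// finding records a direct dependency pinned below its minimum version.
type finding struct {
	Module, Have, Want string
}

// parseRequires extracts "module version" pairs from a go.mod's require
// directives (single-line and block form), ignoring trailing comments.
func parseRequires(goMod string) map[string]string {
	reqs := make(map[string]string)
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimSpace(strings.TrimPrefix(line, "require "))
		case !inBlock:
			continue
		}
		if f := strings.Fields(line); len(f) == 2 {
			reqs[f[0]] = f[1]
		}
	}
	return reqs
}

// splitVersion turns "v2.8.4-beta+meta" into its numeric core and pre-release tag.
func splitVersion(v string) ([3]int, string) {
	var core [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i] // build metadata never affects ordering
	}
	pre := ""
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p) // non-numeric parts count as 0
		core[i] = n
	}
	return core, pre
}

// compareSemver returns -1, 0 or 1 as a is lower than, equal to or higher than b.
// A pre-release (or Go pseudo-version) sorts below the release with the same core.
func compareSemver(a, b string) int {
	coreA, preA := splitVersion(a)
	coreB, preB := splitVersion(b)
	for i := 0; i < 3; i++ {
		if coreA[i] < coreB[i] {
			return -1
		}
		if coreA[i] > coreB[i] {
			return 1
		}
	}
	switch {
	case preA == "" && preB != "":
		return 1
	case preA != "" && preB == "":
		return -1
	}
	return strings.Compare(preA, preB)
}

// outdated lists every direct dependency from minimums that go.mod pins too low.
func outdated(goMod string) []finding {
	reqs := parseRequires(goMod)
	var out []finding
	for mod, want := range minimums {
		have, ok := reqs[mod]
		if !ok {
			continue // not a direct dependency of this module
		}
		if compareSemver(have, want) < 0 {
			out = append(out, finding{mod, have, want})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out
}

func main() {
	for _, f := range outdated(sampleGoMod) {
		fmt.Printf("%s is %s, need >= %s\n", f.Module, f.Have, f.Want)
	}
}
```

The same check run against the go.mod as this PR leaves it (v2.2.0 and v2.8.4) reports nothing; that, plus a clean security scan, is the evidence the merge should rest on. The parser only looks at direct requirements, so a vulnerable version pulled in transitively (for example nats-io/jwt v1.2.2 via jwt/v2 v2.0.3, as the description notes) is better found with the module graph from `go list -m all`.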


Update nats-io/jwt/v2 dependency to fix CVE-2021-3127

Current version of `https://github.com/nats-io/jwt/v2` (v2.0.3) and `github.com/nats-io/nats-server/v2` (v2.5.0) are affected by `CVE-2021-3127` in that this project got flagged by security scans.
This PR updates `nats-io/jwt/v2` to `v2.2.0` and `nats-io/nats-server/v2` to `v2.8.4` patching `CVE-2021-3127`.
@denopink changed the title from "go.mod | go.sum: Update nats-io/jwt/v2 & nats-io/nats-server/v2 dependencies to fix CVE-2021-3127" to "go.mod | go.sum: Update nats-io/jwt/v2 & nats-io/nats-server/v2 dependencies to fix CVE-2021-3127 & CVE-2022-24450" on Jun 27, 2022

@TheoBrigitte TheoBrigitte left a comment


Tested this PR as I got affected by CVE-2022-24450 and CVE-2022-29946.

The updated dependencies from this PR solve those issues.

@peterbourgon peterbourgon merged commit 62c81a0 into go-kit:master Aug 8, 2022
@denopink denopink deleted the denopink/fix-nats-io-jwt-cve-2021-3127 branch August 8, 2022 18:24
3 participants