Package: golang-github-dgrijalva-jwt-go / 3.2.0-3

Metadata

Package: golang-github-dgrijalva-jwt-go
Version: 3.2.0-3
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
0001 CVE 2020 26160.patch

claims.go | 45 32 + 13 - 0 !
claims_test.go | 105 105 + 0 - 0 !
map_claims.go | 14 12 + 2 - 0 !
map_claims_tests.go | 46 46 + 0 - 0 !
4 files changed, 195 insertions(+), 15 deletions(-)

 cve-2020-26160

| jwt-go before 4.0.0-preview1 allows attackers to bypass intended
| access restrictions in situations with []string{} for m["aud"] (which
| is allowed by the specification). Because the type assertion fails, ""
| is the value of aud. This is a security problem if the JWT token is
| presented to a service that lacks its own audience check.

https://github.com/dgrijalva/jwt-go/issues/428
https://github.com/dgrijalva/jwt-go/pull/286
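
The failure mode in the description above, as an added Go example (not code from this patch or from jwt-go): verifyAudLegacy is a simplified model of a check that reads "aud" with a string type assertion, and verifyAudStrict is one way to accept both JSON shapes and fail closed. The function names and claim values are constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// verifyAudLegacy models the behaviour in the description: only a string "aud" is read.
func verifyAudLegacy(claims map[string]interface{}, want string, required bool) bool {
	aud, _ := claims["aud"].(string) // assertion fails for an array, leaving aud == ""
	if aud == "" {
		return !required // an array audience is treated as "no audience set"
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(want)) == 1
}

// verifyAudStrict accepts a string or an array of strings and rejects any other type.
func verifyAudStrict(claims map[string]interface{}, want string, required bool) bool {
	var auds []string
	switch v := claims["aud"].(type) {
	case nil: // claim absent
		return !required
	case string:
		auds = []string{v}
	case []string:
		auds = v
	case []interface{}: // shape produced by encoding/json for a JSON array
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return false
			}
			auds = append(auds, s)
		}
	default:
		return false
	}
	match := 0
	for _, a := range auds {
		match |= subtle.ConstantTimeCompare([]byte(a), []byte(want))
	}
	return match == 1
}

func main() {
	// Constructed claims: the audience array does not contain "billing-api".
	claims := map[string]interface{}{"aud": []interface{}{"reports-api"}}
	fmt.Println(verifyAudLegacy(claims, "billing-api", false), verifyAudStrict(claims, "billing-api", false)) // true false
}
```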