zzzming opened a new pull request #713: URL: https://github.com/apache/pulsar-client-go/pull/713
Fixes #675 https://github.com/apache/pulsar-client-go/issues/675

### Motivation

The original CVE: CVE-2020-26160, high severity. Vulnerable versions: <= 3.2.0. Patched version: No fix.

jwt-go allows attackers to bypass intended access restrictions in situations with `[]string{}` for `m["aud"]` (which is allowed by the specification). Because the type assertion fails, `""` is the value of `aud`. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available, and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1.

### Modifications

The `oauth2` go mod uses github.com/form3tech-oss/jwt-go, which is a fork of dgrijalva/jwt-go that is read-only. The modification is to switch to golang-jwt.

### Does this pull request potentially affect one of the following parts:

*If `yes` was chosen, please highlight the changes*

- Dependencies (does it add or upgrade a dependency): (yes)
- The public API: (no)
- The schema: (no)
- The default values of configurations: (no)
- The wire protocol: (no)

Switch to golang-jwt as the CVE suggests.

### Documentation

- Does this pull request introduce a new feature? (no)
- If yes, how is the feature documented? (not applicable)
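The audience pitfall the PR description refers to is easy to reproduce without any JWT library: once a token payload has been decoded with `encoding/json`, an `aud` claim that the spec allows to be an array arrives as `[]interface{}`, so a bare `.(string)` type assertion yields `""`. The following is an added example written for this page, not code from pulsar-client-go, jwt-go or golang-jwt; `Claims`, `verifyAudienceNaive`, `verifyAudienceSafe` and the sample payloads are all constructed here. It places a check modelled on the pattern the description names (string assertion, empty value treated as "claim absent") beside a check that accepts both claim shapes and treats a missing or malformed claim as a failure.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Claims is a hypothetical minimal claims map, shaped the way encoding/json
// decodes a JWT payload object (strings, numbers, []interface{} for arrays).
type Claims map[string]interface{}

// audienceValues extracts the "aud" claim as a list of strings.
// RFC 7519 allows "aud" to be either a single string or an array of strings.
func audienceValues(c Claims) ([]string, bool) {
	raw, ok := c["aud"]
	if !ok {
		return nil, false
	}
	switch v := raw.(type) {
	case string:
		return []string{v}, true
	case []interface{}: // what encoding/json produces for a JSON array
		out := make([]string, 0, len(v))
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return nil, false // malformed entry: reject rather than ignore
			}
			out = append(out, s)
		}
		return out, true
	case []string: // claims built in Go rather than decoded from JSON
		return v, true
	default:
		return nil, false
	}
}

// verifyAudienceSafe returns true only if expected is one of the audiences.
// A missing or malformed claim is treated as a failed check.
func verifyAudienceSafe(c Claims, expected string) bool {
	auds, ok := audienceValues(c)
	if !ok {
		return false
	}
	for _, a := range auds {
		if a == expected {
			return true
		}
	}
	return false
}

// verifyAudienceNaive mirrors the pattern the CVE text describes: a bare
// string type assertion. With an array-valued "aud" the assertion yields "",
// which is indistinguishable from "no aud claim", so when the claim is not
// marked required the check passes. This is illustrative, not library code.
func verifyAudienceNaive(c Claims, expected string, required bool) bool {
	aud, _ := c["aud"].(string)
	if aud == "" {
		return !required
	}
	return aud == expected
}

// parseClaims decodes a (constructed, unsigned) payload object into Claims.
func parseClaims(payload string) (Claims, error) {
	var c Claims
	if err := json.Unmarshal([]byte(payload), &c); err != nil {
		return nil, err
	}
	return c, nil
}

func main() {
	// Constructed sample payloads; not real tokens.
	payloads := []string{
		`{"sub":"alice","aud":["billing","reports"]}`,
		`{"sub":"alice","aud":"billing"}`,
	}
	for _, p := range payloads {
		c, err := parseClaims(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s\n  naive check for audience \"ledger\": %v\n  safe check for audience \"ledger\":  %v\n",
			p, verifyAudienceNaive(c, "ledger", false), verifyAudienceSafe(c, "ledger"))
	}
}
```

Running it shows the first payload passing the naive check for an audience it was never issued to, while the safe check rejects it; the second payload behaves the same under both. The defensive point is the one the description makes: a service should perform its own audience check, and that check must handle the array form and fail closed on anything it cannot interpret.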
