This is an automated email from the ASF dual-hosted git repository.

zrhoffman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/master by this push:
     new 3d933d01e5 Bump github.com/lestrrat-go/jwx from 1.2.27 to 1.2.28 
(#7928)
3d933d01e5 is described below

commit 3d933d01e5bf0c78c9025f141e8cc1bdd0b964d6
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AuthorDate: Wed Jan 24 22:04:00 2024 -0700

    Bump github.com/lestrrat-go/jwx from 1.2.27 to 1.2.28 (#7928)
    
    Bumps [github.com/lestrrat-go/jwx](https://github.com/lestrrat-go/jwx) from 
1.2.27 to 1.2.28.
    - [Release notes](https://github.com/lestrrat-go/jwx/releases)
    - [Changelog](https://github.com/lestrrat-go/jwx/blob/v1.2.28/Changes)
    - [Commits](https://github.com/lestrrat-go/jwx/compare/v1.2.27...v1.2.28)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/lestrrat-go/jwx
      dependency-type: direct:production
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] 
<49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod                                           |  4 ++--
 go.sum                                           |  8 ++++----
 vendor/github.com/lestrrat-go/jwx/Changes        | 13 ++++++++++++-
 vendor/github.com/lestrrat-go/jwx/jws/message.go | 20 ++++++++++++++++----
 vendor/modules.txt                               |  4 ++--
 5 files changed, 36 insertions(+), 13 deletions(-)

diff --git a/go.mod b/go.mod
index c15dfde074..72e2e00cdf 100644
--- a/go.mod
+++ b/go.mod
@@ -40,7 +40,7 @@ require (
        github.com/json-iterator/go v1.1.12
        github.com/kelseyhightower/envconfig v1.4.0
        github.com/kylelemons/godebug v1.1.1-0.20201107061927-e693023230a4
-       github.com/lestrrat-go/jwx v1.2.27
+       github.com/lestrrat-go/jwx v1.2.28
        github.com/lib/pq v1.10.4
        github.com/miekg/dns v1.1.43
        github.com/onsi/ginkgo v1.16.5
@@ -48,7 +48,7 @@ require (
        github.com/pborman/getopt/v2 v2.1.0
        github.com/pkg/errors v0.9.1
        go.etcd.io/bbolt v1.3.6
-       golang.org/x/crypto v0.16.0
+       golang.org/x/crypto v0.17.0
        golang.org/x/net v0.10.0
        golang.org/x/sys v0.15.0
        gopkg.in/DATA-DOG/go-sqlmock.v1 v1.3.0
diff --git a/go.sum b/go.sum
index e4e316b934..ec615d0747 100644
--- a/go.sum
+++ b/go.sum
@@ -944,8 +944,8 @@ github.com/lestrrat-go/httpcc v1.0.1 
h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZ
 github.com/lestrrat-go/httpcc v1.0.1/go.mod 
h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
 github.com/lestrrat-go/iter v1.0.2 
h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
 github.com/lestrrat-go/iter v1.0.2/go.mod 
h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
-github.com/lestrrat-go/jwx v1.2.27 
h1:cvnTnda/YzdyFuWdEAMkI6BsLtItSrASEVCI3C/IUEQ=
-github.com/lestrrat-go/jwx v1.2.27/go.mod 
h1:Stob9LjSqR3lOmNdxF0/TvZo60V3hUGv8Fr7Bwzla3k=
+github.com/lestrrat-go/jwx v1.2.28 
h1:uadI6o0WpOVrBSf498tRXZIwPpEtLnR9CvqPFXeI5sA=
+github.com/lestrrat-go/jwx v1.2.28/go.mod 
h1:nF+91HEMh/MYFVwKPl5HHsBGMPscqbQb+8IDQdIazP8=
 github.com/lestrrat-go/option v1.0.0/go.mod 
h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lestrrat-go/option v1.0.1 
h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod 
h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
@@ -1429,8 +1429,8 @@ golang.org/x/crypto 
v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod 
h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod 
h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod 
h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
-golang.org/x/crypto v0.16.0/go.mod 
h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod 
h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
diff --git a/vendor/github.com/lestrrat-go/jwx/Changes 
b/vendor/github.com/lestrrat-go/jwx/Changes
index b5ad318258..897ab3c66a 100644
--- a/vendor/github.com/lestrrat-go/jwx/Changes
+++ b/vendor/github.com/lestrrat-go/jwx/Changes
@@ -1,6 +1,17 @@
 Changes
 =======
 
+v1.2.28 09 Jan 2024
+[Security Fixes]
+  * [jws] JWS messages formated in full JSON format (i.e. not the compact 
format, which
+    consists of three base64 strings concatenated with a '.') with missing 
"protected"
+    headers could cause a panic, thereby introducing a possiblity of a DoS.
+
+    This has been fixed so that the `jws.Parse` function succeeds in parsing a 
JWS message
+    lacking a protected header. Calling `jws.Verify` on this same JWS message 
will result
+    in a failed verification attempt. Note that this behavior will differ 
slightly when
+    parsing JWS messages in compact form, which result in an error. 
+
 v1.2.27 - 03 Dec 2023
 [Security]
   * [jwe] A large number in p2c parameter for PBKDF2 based encryptions could 
cause a DoS attack,
@@ -247,7 +258,7 @@ v1.2.6 24 Aug 2021
   * Support `crypto.Signer` keys for RSA, ECDSA, and EdDSA family
     of signatures in `jws.Sign`
 [Miscellaneous]
-  * `jwx.GuessFormat()` now requires the presense of both `payload` and
+  * `jwx.GuessFormat()` now requires the presence of both `payload` and
     `signatures` keys for it to guess that a JSON object is a JWS message.
   * Slightly enhance `jwt.Parse()` performance.
 
diff --git a/vendor/github.com/lestrrat-go/jwx/jws/message.go 
b/vendor/github.com/lestrrat-go/jwx/jws/message.go
index 802b29771b..13df17d72a 100644
--- a/vendor/github.com/lestrrat-go/jwx/jws/message.go
+++ b/vendor/github.com/lestrrat-go/jwx/jws/message.go
@@ -91,11 +91,13 @@ func (s *Signature) UnmarshalJSON(data []byte) error {
                s.protected = prt
        }
 
-       decoded, err := base64.DecodeString(*sup.Signature)
-       if err != nil {
-               return errors.Wrap(err, `failed to base decode signature`)
+       if sup.Signature != nil {
+               decoded, err := base64.DecodeString(*sup.Signature)
+               if err != nil {
+                       return errors.Wrap(err, `failed to base decode 
signature`)
+               }
+               s.signature = decoded
        }
-       s.signature = decoded
        return nil
 }
 
@@ -282,6 +284,11 @@ func (m *Message) UnmarshalJSON(buf []byte) error {
                        }
                        sig.SetDecodeCtx(nil)
 
+                       if sig.protected == nil {
+                               // Instead of barfing on a nil protected 
header, use an empty header
+                               sig.protected = NewHeaders()
+                       }
+
                        if i == 0 {
                                if !getB64Value(sig.protected) {
                                        b64 = false
@@ -317,6 +324,11 @@ func (m *Message) UnmarshalJSON(buf []byte) error {
                        sig.protected = prt
                }
 
+               if sig.protected == nil {
+                       // Instead of barfing on a nil protected header, use an 
empty header
+                       sig.protected = NewHeaders()
+               }
+
                decoded, err := base64.DecodeString(*mup.Signature)
                if err != nil {
                        return errors.Wrap(err, `failed to base64 decode 
flattened signature`)
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 86ee9c4119..51e00c9e34 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -178,7 +178,7 @@ github.com/lestrrat-go/httpcc
 ## explicit; go 1.13
 github.com/lestrrat-go/iter/arrayiter
 github.com/lestrrat-go/iter/mapiter
-# github.com/lestrrat-go/jwx v1.2.27
+# github.com/lestrrat-go/jwx v1.2.28
 ## explicit; go 1.15
 github.com/lestrrat-go/jwx
 github.com/lestrrat-go/jwx/internal/base64
@@ -276,7 +276,7 @@ go.etcd.io/bbolt
 # go.uber.org/atomic v1.6.0
 ## explicit; go 1.13
 go.uber.org/atomic
-# golang.org/x/crypto v0.16.0
+# golang.org/x/crypto v0.17.0
 ## explicit; go 1.18
 golang.org/x/crypto/curve25519
 golang.org/x/crypto/curve25519/internal/field
