hongbinhsu opened a new pull request #2304: URL: https://github.com/apache/apisix-dashboard/pull/2304
Fixed type confusion issue between string and []string in VerifyAudience.

[CVE-2020-26160](https://github.com/advisories/GHSA-w73w-5m7g-f7qc) Authorization bypass in github.com/dgrijalva/jwt-go

This fixes https://github.com/advisories/GHSA-w73w-5m7g-f7qc

Please answer these questions before submitting a pull request, **or your PR will get closed**.

**Why submit this pull request?**

The original jwt package has not been updated for two years, and the latest repository has moved to a new address. The original package also has the [CVE-2020-26160] security issue and needs to be upgraded to 3.2.1 or later. To maintain compatibility, switch to the new package and upgrade to 3.2.2.

**What changes will this PR take into?**

Switches to the new jwt package address, resolves the [CVE-2020-26160] security issue, and prepares for future use of the jwt v4 package.

**Related issues**

fix #2303

**Checklist:**

1. update dgrijalva/jwt-go 3.2 to golang-jwt/jwt 3.2.2
2. go mod tidy upgraded the packages automatically
3. Calling /apisix/admin/user/login generates a token normally
4. Requests to other endpoints that require login work normally with the token generated in the previous step
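An added illustration of the string versus []string confusion in audience verification that this pull request refers to; it is not code from the PR, from jwt-go, or from golang-jwt. The function names, the `dashboard` audience and the sample payload are hypothetical, and the naive check only models the failure mode using the standard library.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// naiveVerifyAudience (hypothetical) models the type-confused check: it assumes
// "aud" is a string, so an array-valued claim is silently treated as empty.
func naiveVerifyAudience(claims map[string]interface{}, want string, required bool) bool {
	aud, _ := claims["aud"].(string) // failed assertion leaves aud == ""
	if aud == "" {
		return !required
	}
	return aud == want
}

// strictVerifyAudience (hypothetical) accepts both shapes RFC 7519 allows for
// "aud" (a string or an array of strings) and rejects any other type.
func strictVerifyAudience(claims map[string]interface{}, want string, required bool) bool {
	raw, present := claims["aud"]
	if !present {
		return !required
	}
	switch v := raw.(type) {
	case string:
		return v == want
	case []interface{}: // encoding/json decodes JSON arrays to []interface{}
		for _, item := range v {
			if s, ok := item.(string); ok && s == want {
				return true
			}
		}
	}
	return false
}

// decodeClaims parses an already base64url-decoded JWT payload.
func decodeClaims(payload string) (claims map[string]interface{}) {
	if json.Unmarshal([]byte(payload), &claims) != nil {
		return nil
	}
	return claims
}

func main() {
	claims := decodeClaims(`{"sub":"u1","aud":["other-service"]}`) // constructed sample
	fmt.Println(naiveVerifyAudience(claims, "dashboard", false), strictVerifyAudience(claims, "dashboard", false))
}
```

With the audience check marked optional, the naive version accepts a token whose array-valued `aud` does not name the service, while the strict version rejects it.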
