This repository has been archived by the owner on Dec 5, 2022. It is now read-only.
Update jwt-go library to fix CVE-2020-26160 #86
Comments
Closed
Created a PR with a Fix #101
+1, would love to see a switch to |
unrealperson666 referenced this issue Dec 4, 2021
* Moved COSE related things to their own package
* move assertion to cose verify
* Server-ServerPublicKeyCredentialCreationOptions-Req-1
* Update login.go
* Fix packed attestation signature verification and added ServerResponse structure
* Conformance testing fixes for MakeCredential
* Conformance tests nearly complete
* Initial metadata layout
* Metadata progress
* Further progress on metadata
* Resolving conflict
* Production and conformance metadata now load
* Move SafetyNet to jwt-go and add sanity check for timestamp
* Certificate checks on metadata TOC
* Restrict timestamp check in safetynet to conformance only
* Don't return safetynet x5c
* Metadata (#1)
* Moved COSE related things to their own package
* move assertion to cose verify
* Server-ServerPublicKeyCredentialCreationOptions-Req-1
* Update login.go
* Fix packed attestation signature verification and added ServerResponse structure
* Conformance testing fixes for MakeCredential
* Conformance tests nearly complete
* Initial metadata layout
* Metadata progress
* Further progress on metadata
* Resolving conflict
* Production and conformance metadata now load
* Move SafetyNet to jwt-go and add sanity check for timestamp
* Certificate checks on metadata TOC
* Restrict timestamp check in safetynet to conformance only
* Don't return safetynet x5c
* SafetyNet timestamp check
* Added metadata tests
* Update metadata tests
PR merged
The dependency "github.com/dgrijalva/jwt-go" has a vulnerability, CVE-2020-26160. It would be good to update to the latest version (v4) of the library to fix it.
Related: dgrijalva/jwt-go#463