Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace github.com/dgrijalva/jwt-go with github.com/golang-jwt/jwt #8939

Merged
merged 5 commits into from
Nov 13, 2021
Merged

Replace github.com/dgrijalva/jwt-go with github.com/golang-jwt/jwt #8939

merged 5 commits into from
Nov 13, 2021

Conversation

nklaassen
Copy link
Contributor

Teleport currently depends on github.com/dgrijalva/jwt-go@v3.2.0 which is vulnerable to CVE-2020-26160. We do not use this library directly (it is pulled in through our dependency on github.com/duo-labs/webauthn/protocol), but this triggers a "high severity" dependabot security alert in the Teleport Github repo.

The recommended fix is to switch to the community-maintained clone github.com/golang-jwt/jwt. github.com/dgrijalva/jwt-go is no longer maintained and the clone is meant to be compatible while taking new fixes. There is an issue in duo-labs/webauthn duo-labs/webauthn#86 to make this change, but it has been open since May 20 with no response from the maintainers.

This PR uses a replace directive in our go.mod to replace github.com/dgrijalva/jwt-go v3.2.0 with github.com/golang-jwt/jwt v3.2.1 which has the fix for the CVE.

@nklaassen nklaassen marked this pull request as ready for review November 11, 2021 01:22
russjones
russjones approved these changes Nov 11, 2021
View reviewed changes
Copy link
Contributor

@russjones russjones left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bot.

codingllama
codingllama approved these changes Nov 12, 2021
View reviewed changes
Copy link
Contributor

@codingllama codingllama left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks.

@nklaassen nklaassen enabled auto-merge (squash) November 12, 2021 17:25
@nklaassen nklaassen merged commit 3798ca8 into master Nov 13, 2021
@nklaassen nklaassen deleted the nklaassen/jwt-go-update branch November 13, 2021 00:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@r0mant r0mant r0mant approved these changes

@tcsc tcsc tcsc approved these changes

@russjones russjones russjones approved these changes

@codingllama codingllama codingllama approved these changes

@smallinsky smallinsky Awaiting requested review from smallinsky

@klizhentas klizhentas Awaiting requested review from klizhentas

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@nklaassen @r0mant @tcsc @russjones @codingllama