Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update module github.com/go-jose/go-jose/v3 to v4 #10

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update module github.com/go-jose/go-jose/v3 to v4 #10

wants to merge 1 commit into from

Conversation

mend-for-github-com[bot]
Copy link

@mend-for-github-com mend-for-github-com bot commented Feb 25, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/go-jose/go-jose/v3 v3.0.0 -> v4.0.5 age adoption passing confidence

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity CVSS Score CVE Reachability
High High 7.5 CVE-2025-27144
Medium Medium 6.5 WS-2023-0431
Medium Medium 4.3 CVE-2024-28180

Release Notes

go-jose/go-jose (github.com/go-jose/go-jose/v3)

v4.0.5

Compare Source

What's Changed

Fixes GHSA-c6gw-w398-hv78

Various other dependency updates, small fixes, and documentation updates in the full changelog

New Contributors

Full Changelog: go-jose/go-jose@v4.0.4...v4.0.5

v4.0.4

Compare Source

Fixed

  • Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a
    breaking change. See #​136 / #​137.

v4.0.3

Compare Source

Changed

  • Allow unmarshalling JSONWebKeySets with unsupported key types (#​130)
  • Document that OpaqueKeyEncrypter can't be implemented (for now) (#​129)
  • Dependency updates

v4.0.2

Compare Source

Changed

  • Improved documentation of Verify() to note that JSONWebKeySet is a supported
    argument type (#​104)
  • Defined exported error values for missing x5c header and unsupported elliptic
    curves error cases (#​117)

v4.0.1

Compare Source

Fixed

  • An attacker could send a JWE containing compressed data that used large
    amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.
    Those functions now return an error if the decompressed data would exceed
    250kB or 10x the compressed size (whichever is larger). Thanks to
    Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@​zer0yu and @​chenjj)
    for reporting.

v4.0.0

Compare Source

This release makes some breaking changes in order to more thoroughly
address the vulnerabilities discussed in Three New Attacks Against JSON Web
Tokens, "Sign/encrypt confusion", "Billion hash attack", and "Polyglot
token".

Changed

  • Limit JWT encryption types (exclude password or public key types) (#​78)
  • Enforce minimum length for HMAC keys (#​85)
  • jwt: match any audience in a list, rather than requiring all audiences (#​81)
  • jwt: accept only Compact Serialization (#​75)
  • jws: Add expected algorithms for signatures (#​74)
  • Require specifying expected algorithms for ParseEncrypted,
    ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
    jwt.ParseSignedAndEncrypted (#​69, #​74)
    • Usually there is a small, known set of appropriate algorithms for a program
      to use and it's a mistake to allow unexpected algorithms. For instance the
      "billion hash attack" relies in part on programs accepting the PBES2
      encryption algorithm and doing the necessary work even if they weren't
      specifically configured to allow PBES2.
  • Revert "Strip padding off base64 strings" (#​82)
  • The specs require base64url encoding without padding.
  • Minimum supported Go version is now 1.21

Added

  • ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
    • These allow parsing a specific serialization, as opposed to ParseSigned and
      ParseEncrypted, which try to automatically detect which serialization was
      provided. It's common to require a specific serialization for a specific
      protocol - for instance JWT requires Compact serialization.

v3.0.4

Compare Source

What's Changed

Backport fix for GHSA-c6gw-w398-hv78 CVE-2025-27144
https://github.com/go-jose/go-jose/pull/174

Full Changelog: go-jose/go-jose@v3.0.3...v3.0.4

v3.0.3: Version 3.0.3

Compare Source

Fixed
  • Limit decompression output size to prevent a DoS. Backport from v4.0.1.

v3.0.2

Compare Source

Fixed

  • DecryptMulti: handle decompression error (#​19)

Changed

  • jwe/CompactSerialize: improve performance (#​67)
  • Increase the default number of PBKDF2 iterations to 600k (#​48)
  • Return the proper algorithm for ECDSA keys (#​45)

Added

  • Add Thumbprint support for opaque signers (#​38)

v3.0.1

Compare Source

Fixed

  • If you want to rebase/retry this PR, check this box

@mend-for-github-com mend-for-github-com bot added the security fix Security fix generated by Mend label Feb 25, 2025
@mend-for-github-com Mend for GitHub.com
Copy link
Author

ℹ Artifact update notice

File name: test-integ/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 8 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.20 -> 1.24.0
github.com/google/go-cmp v0.5.9 -> v0.6.0
github.com/stretchr/testify v1.8.4 -> v1.10.0
golang.org/x/net v0.19.0 -> v0.25.0
golang.org/x/crypto v0.17.0 -> v0.32.0
golang.org/x/mod v0.12.0 -> v0.17.0
golang.org/x/sys v0.15.0 -> v0.29.0
golang.org/x/text v0.14.0 -> v0.21.0
golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 -> v0.21.1-0.20240508182429-e35e4ccd0d2d
File name: test/integration/consul-container/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 10 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.20 -> 1.24.0
github.com/stretchr/testify v1.8.4 -> v1.10.0
golang.org/x/mod v0.12.0 -> v0.17.0
github.com/google/go-cmp v0.5.9 -> v0.6.0
github.com/stretchr/objx v0.5.0 -> v0.5.2
golang.org/x/crypto v0.17.0 -> v0.32.0
golang.org/x/net v0.19.0 -> v0.25.0
golang.org/x/sync v0.3.0 -> v0.10.0
golang.org/x/sys v0.15.0 -> v0.29.0
golang.org/x/text v0.14.0 -> v0.21.0
golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 -> v0.21.1-0.20240508182429-e35e4ccd0d2d

@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/github.com-go-jose-go-jose-v3-4.x branch from b5740f2 to 984deea Compare February 27, 2025 12:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
security fix Security fix generated by Mend
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants