Your message dated Sun, 23 Mar 2025 01:07:15 +0000
with message-id <[email protected]>
and subject line Bug#1086792: fixed in golang-github-golang-jwt-jwt 5.0.0+really4.5.2-1
has caused the Debian Bug report #1086792,
regarding golang-github-golang-jwt-jwt: CVE-2024-51744
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1086792: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086792
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-golang-jwt-jwt
Version: 5.0.0+really4.5.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for golang-github-golang-jwt-jwt.
CVE-2024-51744[0]:
| golang-jwt is a Go implementation of JSON Web Tokens. Unclear
| documentation of the error behavior in `ParseWithClaims` can lead to a
| situation where users are potentially not checking errors in the way
| they should be. Especially, if a token is both expired and invalid,
| the errors returned by `ParseWithClaims` return both error codes. If
| users only check for the `jwt.ErrTokenExpired` using `error.Is`,
| they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and
| thus potentially accept invalid tokens. A fix has been back-ported
| with the error handling logic from the `v5` branch to the `v4`
| branch. In this logic, the `ParseWithClaims` function will
| immediately return in "dangerous" situations (e.g., an invalid
| signature), limiting the combined errors only to situations where
| the signature is valid, but further validation failed (e.g., if the
| signature is valid, but is expired AND has the wrong audience). This
| fix is part of the 4.5.1 release. We are aware that this changes the
| behaviour of an established function and is not 100 % backwards
| compatible, so updating to 4.5.1 might break your code. In case you
| cannot update to 4.5.0, please make sure that you are properly
| checking for all errors ("dangerous" ones first), so that you are
| not running in the case detailed above.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-51744
https://www.cve.org/CVERecord?id=CVE-2024-51744
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2323735
[2] https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
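The failure mode described in the advisory above, as an added example that is not code from the golang-jwt project or from this bug report. It uses only Go's standard library: errors.Join stands in for the library's combined error value, and Validate, NaiveExpiredOnly and CheckedExpiredOnly are names chosen here; the failFast switch models the 4.5.1 back-port next to the 4.5.0 behaviour so the two can be compared.

```go
package main

import (
	"errors"
	"fmt"
)

// Sentinel errors standing in for the library's jwt.ErrTokenExpired and
// jwt.ErrTokenSignatureInvalid (constructed here; not the library's own code).
var (
	ErrTokenExpired          = errors.New("token is expired")
	ErrTokenSignatureInvalid = errors.New("token signature is invalid")
)

// Validate models the parser's error behaviour with errors.Join standing in for
// the library's combined error: failFast=false (v4.5.0) accumulates every failure
// into one error, so errors.Is reports each of them; failFast=true (the 4.5.1
// back-port) returns on a bad signature at once, so a combined error can only
// arise when the signature is valid.
func Validate(sigOK, expired, failFast bool) error {
	var failures []error
	if !sigOK {
		if failFast {
			return ErrTokenSignatureInvalid
		}
		failures = append(failures, ErrTokenSignatureInvalid)
	}
	if expired {
		failures = append(failures, ErrTokenExpired)
	}
	return errors.Join(failures...) // nil when there are no failures
}

// NaiveExpiredOnly is the check the advisory warns about: any error that "is"
// ErrTokenExpired is treated as a genuine token that merely expired.
func NaiveExpiredOnly(err error) bool { return errors.Is(err, ErrTokenExpired) }

// CheckedExpiredOnly rules out the "dangerous" signature failure first, as the
// advisory recommends for code that cannot move to the fixed release.
func CheckedExpiredOnly(err error) bool {
	return !errors.Is(err, ErrTokenSignatureInvalid) && errors.Is(err, ErrTokenExpired)
}

func main() {
	forgedAndExpired := Validate(false, true, false) // v4.5.0: both failures in one error
	fmt.Println(NaiveExpiredOnly(forgedAndExpired))   // true: forged token passes as "just expired"
	fmt.Println(CheckedExpiredOnly(forgedAndExpired)) // false
	fmt.Println(NaiveExpiredOnly(Validate(false, true, true))) // false: 4.5.1 returns only the signature error
}
```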
--- Begin Message ---
Source: golang-github-golang-jwt-jwt
Source-Version: 5.0.0+really4.5.2-1
Done: Mathias Gibbens <[email protected]>
We believe that the bug you reported is fixed in the latest version of
golang-github-golang-jwt-jwt, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mathias Gibbens <[email protected]> (supplier of updated
golang-github-golang-jwt-jwt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 22 Mar 2025 19:58:06 +0000
Source: golang-github-golang-jwt-jwt
Architecture: source
Version: 5.0.0+really4.5.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Mathias Gibbens <[email protected]>
Closes: 1086792
Changes:
golang-github-golang-jwt-jwt (5.0.0+really4.5.2-1) unstable; urgency=medium
.
* Team upload
* New upstream release (Closes: #1086792)
- Fixes CVE-2024-51744, CVE-2025-30204
* Update Standards-Version to 4.7.2 in d/control (no changes needed)
* Update d/watch to track 4.x series releases
--- End Message ---