Your message dated Thu, 26 Nov 2020 15:33:37 +0000
with message-id <e1kijh7-000brz...@fasolo.debian.org>
and subject line Bug#971556: fixed in golang-github-dgrijalva-jwt-go 3.2.0-3
has caused the Debian Bug report #971556,
regarding golang-github-dgrijalva-jwt-go: CVE-2020-26160
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
971556: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971556
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-github-dgrijalva-jwt-go
Version: 3.2.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for golang-github-dgrijalva-jwt-go.

CVE-2020-26160[0]:
| jwt-go before 4.0.0-preview1 allows attackers to bypass intended
| access restrictions in situations with []string{} for m["aud"] (which
| is allowed by the specification). Because the type assertion fails, ""
| is the value of aud. This is a security problem if the JWT token is
| presented to a service that lacks its own audience check.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-26160
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160
[1] https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
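The CVE text above describes the failure mode in one sentence: a JWT whose "aud" claim is a JSON array (which RFC 7519 permits) reaches a verifier that type-asserts the claim to a Go string, the assertion fails, and the audience silently becomes "". The following Go program is an added illustration for this page, not jwt-go's source and not the patch from PR 286: vulnerableVerifyAudience reconstructs the pattern the CVE describes, fixedVerifyAudience is one way to handle every legal encoding of "aud" and fail closed, and the payload strings, MapClaims type and service names are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// MapClaims mirrors the shape of claims decoded from a JWT payload with
// encoding/json: a map whose "aud" value may be a string or a JSON array
// (which encoding/json delivers as []interface{}).
type MapClaims map[string]interface{}

// vulnerableVerifyAudience reproduces the pattern described in
// CVE-2020-26160 (a reconstruction for this example, not jwt-go's code).
// A single type assertion to string yields "" for an array "aud", and an
// empty audience is accepted whenever the check is not marked required.
func vulnerableVerifyAudience(m MapClaims, cmp string, required bool) bool {
	aud, _ := m["aud"].(string) // silently "" when aud is an array
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1
}

// audienceValues normalises the "aud" claim into a slice of strings,
// accepting the single-string form, a []string and the []interface{}
// that encoding/json produces for a JSON array. The second return value
// is false when the claim is present but of a type we do not understand.
func audienceValues(v interface{}) ([]string, bool) {
	switch aud := v.(type) {
	case nil:
		return nil, true
	case string:
		return []string{aud}, true
	case []string:
		return aud, true
	case []interface{}:
		out := make([]string, 0, len(aud))
		for _, e := range aud {
			s, ok := e.(string)
			if !ok {
				return nil, false
			}
			out = append(out, s)
		}
		return out, true
	default:
		return nil, false
	}
}

// fixedVerifyAudience accepts an absent "aud" only when the check is not
// required; a present "aud" must list cmp, and an unrecognised type is
// rejected rather than collapsed to the empty string.
func fixedVerifyAudience(m MapClaims, cmp string, required bool) bool {
	auds, ok := audienceValues(m["aud"])
	if !ok {
		return false
	}
	if len(auds) == 0 {
		return !required
	}
	for _, aud := range auds {
		if subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1 {
			return true
		}
	}
	return false
}

// claimsFromJSON decodes a JWT payload (the middle segment of a compact
// JWS, already base64url-decoded) into MapClaims.
func claimsFromJSON(payload string) (MapClaims, error) {
	var m MapClaims
	if err := json.Unmarshal([]byte(payload), &m); err != nil {
		return nil, err
	}
	return m, nil
}

func main() {
	// Constructed payload: a token minted for a different service.
	m, err := claimsFromJSON(`{"sub":"alice","aud":["billing-api"]}`)
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable:", vulnerableVerifyAudience(m, "reports-api", false)) // true: bypass
	fmt.Println("fixed:     ", fixedVerifyAudience(m, "reports-api", false))      // false
}
```

Two properties are worth checking in a real verifier beyond the bypass itself: with required set, the vulnerable path also rejects a correctly-addressed token whose "aud" is an array (the empty string never equals cmp), so the bug shows up as both an access bypass and as spurious rejections; and because encoding/json never produces a []string, a fix that only adds a []string case still leaves the JSON-decoded array on the failing path.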
--- Begin Message ---
Source: golang-github-dgrijalva-jwt-go
Source-Version: 3.2.0-3
Done: Shengjing Zhu <z...@debian.org>

We believe that the bug you reported is fixed in the latest version of
golang-github-dgrijalva-jwt-go, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 971...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Shengjing Zhu <z...@debian.org> (supplier of updated 
golang-github-dgrijalva-jwt-go package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 26 Nov 2020 23:04:18 +0800
Source: golang-github-dgrijalva-jwt-go
Architecture: source
Version: 3.2.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Shengjing Zhu <z...@debian.org>
Closes: 971556
Changes:
 golang-github-dgrijalva-jwt-go (3.2.0-3) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Debian Janitor ]
   * Set debhelper-compat version in Build-Depends.
   * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
     Repository-Browse.
   * Apply multi-arch hints.
     golang-github-dgrijalva-jwt-go-dev: Add Multi-Arch: foreign.
 .
   [ Shengjing Zhu ]
   * Update uscan watch file version to 4
   * Add patch to address CVE-2020-26160 (Closes: #971556)
     This based on https://github.com/dgrijalva/jwt-go/pull/286
   * Update maintainer address to team+pkg...@tracker.debian.org
   * Add Rules-Requires-Root
   * Remove shlibs:Depends
   * Bump debhelper-compat to 13
   * Bump Standards-Version to 4.5.1 (no changes)
   * Change Section to golang
Checksums-Sha1:
 1cbf56cae7c91ff87b22ba5158a9f0e9d53085a1 1717 golang-github-dgrijalva-jwt-go_3.2.0-3.dsc
 189e8f79a20dc45e6b1ae2a4d75149de71c6d619 5584 golang-github-dgrijalva-jwt-go_3.2.0-3.debian.tar.xz
 a472b9caf507b573ec8f30a30c160f8414a9d9aa 5562 golang-github-dgrijalva-jwt-go_3.2.0-3_amd64.buildinfo
Checksums-Sha256:
 44a82a9f01d6993df5554d8528584d9ca3f7e8c772c641f8431abca45c79a650 1717 golang-github-dgrijalva-jwt-go_3.2.0-3.dsc
 1bf4422c19d5bc69850cbe7758467ade1e5e64cb74d9ba441ce9641f8f52f9d7 5584 golang-github-dgrijalva-jwt-go_3.2.0-3.debian.tar.xz
 38bb1eb7b2f5a7adf583a571d04dd5dbd672fd73f35510bf879a32d7d0898d68 5562 golang-github-dgrijalva-jwt-go_3.2.0-3_amd64.buildinfo
Files:
 60174557ab9c166c07b5d26351fd5ff5 1717 golang optional golang-github-dgrijalva-jwt-go_3.2.0-3.dsc
 2d2d05df55676ff3f7b7a193ec637512 5584 golang optional golang-github-dgrijalva-jwt-go_3.2.0-3.debian.tar.xz
 7ea9e4574269bd90fd8359af3e3e2ce0 5562 golang optional golang-github-dgrijalva-jwt-go_3.2.0-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iIYEARYIAC4WIQTiXc95jUQrjt9HgU3EhUo4GOCwFgUCX7/GqxAcemhzakBkZWJp
YW4ub3JnAAoJEMSFSjgY4LAWQJkA/0SrG0mhMn8CLnSzGrrLU03RQ7K0z7B/5M7z
cwVVm5B5AP4i9VrYV3tuf+PlJSZdsnPEqDGDZNV4uVrwqwJEvSPjDQ==
=roBS
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Pkg-go-maintainers mailing list
Pkg-go-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-go-maintainers