Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[3.5] Bump golang-jwt/jwt to 4.5.1 to address GO-2024-3250 #18898

Closed
4 tasks
ahrtr opened this issue Nov 15, 2024 · 3 comments · Fixed by #18901
Closed
4 tasks

[3.5] Bump golang-jwt/jwt to 4.5.1 to address GO-2024-3250 #18898

ahrtr opened this issue Nov 15, 2024 · 3 comments · Fixed by #18901

Comments

@ahrtr
Copy link
Member

ahrtr commented Nov 15, 2024

Bug report criteria

What happened?

Vulnerability #1: GO-2024-3250
    Improper error handling in ParseWithClaims and bad documentation may cause
    dangerous situations in github.com/golang-jwt/jwt
  More info: https://pkg.go.dev/vuln/GO-2024-3250
  Module: github.com/golang-jwt/jwt/v4
    Found in: github.com/golang-jwt/jwt/[email protected]
    Fixed in: github.com/golang-jwt/jwt/[email protected]
    Example traces found:
Error:       #1: auth/jwt.go:48:26: auth.tokenJWT.info calls jwt.Parse

What did you expect to happen?

No CVE failures

How can we reproduce it (as minimally and precisely as possible)?

Refer to https://github.com/etcd-io/etcd/actions/runs/11851990849/job/33029399184?pr=18829

Anything else we need to know?

No response

Etcd version (please run commands below)

$ etcd --version
# paste output here

$ etcdctl version
# paste output here

Etcd configuration (command line flags or environment variables)

paste your configuration here

Etcd debug information (please run commands below, feel free to obfuscate the IP address or FQDN in the output)

$ etcdctl member list -w table
# paste output here

$ etcdctl --endpoints=<member list> endpoint status -w table
# paste output here

Relevant log output

No response

@ivanvc
Copy link
Member

ivanvc commented Nov 15, 2024

Release 3.4 is not affected because it uses github.com/golang-jwt/jwt v3 (3.2.1), not v4. The GO-2024-3250 is reported only for v4. Running govulncheck in the release-3.4 branch doesn't raise any issues.

#18899 addresses 3.5, so we should be able to close this issue. Thanks, @ahrtr and @tjungblu for quickly reporting and addressing it 🎉 🙇

/retitle [3.5] Bump golang-jwt/jwt to 4.5.1 to address GO-2024-3250

@ivanvc ivanvc closed this as completed Nov 15, 2024
@k8s-ci-robot k8s-ci-robot changed the title [3.5 & 3.4] Bump golang-jwt/jwt to 4.5.1 to address GO-2024-3250 [3.5] Bump golang-jwt/jwt to 4.5.1 to address GO-2024-3250 Nov 15, 2024
@ivanvc
Copy link
Member

ivanvc commented Nov 15, 2024

Do we want to add this to the CHANGELOG?

@jmhbnz
Copy link
Member

jmhbnz commented Nov 15, 2024

Do we want to add this to the CHANGELOG?

Yes please.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging a pull request may close this issue.

3 participants