
CVE-2020-9283 #367

Closed
pure-jliao opened this issue Feb 28, 2023 · 4 comments

Comments

@pure-jliao

Any chance that we can resolve this? https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9283
go-jose/go-jose#31
Upgrading go-jose could help.

@ericchiang
Collaborator

go-jose does not appear to have a tagged release, so I'll probably wait for them to do that first https://github.com/go-jose/go-jose/releases

I also don't see how this package could be impacted by an SSH server panic.

@codespearhead

The latest minor release for go-jose v3 was published three days ago.

@ericchiang
Collaborator

Should be fixed by #399 which is in the latest release. Thanks! https://github.com/coreos/go-oidc/releases/tag/v3.9.0

@ardaguclu

I think we need to bump to 3.0.3 to get "Limit decompression output size to prevent a DoS. Backport from v4.0.1." @ericchiang, do you want me to manually bump it, or will dependabot take care of it?
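The "limit decompression output size" fix quoted above, shown here as an added example in Go rather than go-jose's own code: inflating JWE `"zip":"DEF"` content through an `io.LimitReader` so a few kilobytes of ciphertext cannot expand into an unbounded allocation. The 64 KiB cap, the `DecompressLimited` name and the sample inputs are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the inflated output would exceed the cap.
var ErrTooLarge = errors.New("decompressed payload exceeds size limit")

// DecompressLimited inflates raw DEFLATE data (the encoding behind the JWE
// "zip":"DEF" header) but refuses to produce more than maxOut bytes. It reads
// at most maxOut+1 bytes, so an oversized stream is detected without ever
// buffering the full expansion in memory.
func DecompressLimited(compressed []byte, maxOut int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, maxOut+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxOut {
		return nil, ErrTooLarge
	}
	return out, nil
}

// compress builds the constructed sample inputs used below.
func compress(plain []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(plain)
	w.Close()
	return buf.Bytes()
}

func main() {
	const limit = 64 << 10 // assumed 64 KiB cap on inflated output
	// Constructed samples: a small claim set, and 8 MiB of zeros that
	// compress to a few KiB (the shape of a decompression bomb).
	small := compress([]byte(`{"sub":"alice","aud":"example"}`))
	bomb := compress(make([]byte, 8<<20))
	for _, c := range [][]byte{small, bomb} {
		out, err := DecompressLimited(c, limit)
		fmt.Printf("compressed %d bytes -> output %d bytes, err=%v\n", len(c), len(out), err)
	}
}
```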
