Re: golang-github-dgrijalva-jwt-go / CVE-2020-26160

Salvatore Bonaccorso <carnil@debian.org> writes:

> Your above tracking of the commits seems correct, which would mean
> that the issue was firstly introduced actually in v3.0.0 and given the
> code is not found in the buster and stretch version this would not
> affect those versions indeed.

Yes, you are right. I misread the github webpage, which shows
v4.0.0-preview1 in bold, but has v3.0.0 next to it.

Good to know the git command to get this information, thanks for that.

> So to me updating the CVE entry to not-affected for buster and stretch
> (as the respective vulnerable code was introduced later) seems correct
> to me.

I will do so.
Brian May <bam@debian.org>
