Re: golang-github-dgrijalva-jwt-go / CVE-2020-26160
Salvatore Bonaccorso <firstname.lastname@example.org> writes:
> Your above tracking of the commits seems correct, which would mean
> that the issue was firstly introduced actually in v3.0.0 and given the
> code is not found in the buster and stretch version this would not
> affect those versions indeed.
Yes, you are right. I misread the GitHub webpage, which shows
v4.0.0-preview1 in bold, but has v3.0.0 next to it.
Good to know the git command to get this information, thanks for that.
> So to me updating the CVE entry to not-affected for buster and stretch
> (as the respective vulnerable code was introduced later) seems correct
> to me.
I will do so.
Brian May <email@example.com>