Re: golang-github-dgrijalva-jwt-go / CVE-2020-26160

To: Brian May <bam@debian.org>
Cc: debian-lts@lists.debian.org, security@debian.org
Subject: Re: golang-github-dgrijalva-jwt-go / CVE-2020-26160
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 1 Dec 2020 06:24:31 +0100
Message-id: <[🔎] 20201201052431.GA6669@lorien.valinor.li>
Mail-followup-to: Brian May <bam@debian.org>, debian-lts@lists.debian.org, security@debian.org
In-reply-to: <87im9mpkqm.fsf@canidae.wired.pri>
References: <87im9mpkqm.fsf@canidae.wired.pri>

Hi Brian,

On Tue, Dec 01, 2020 at 09:01:37AM +1100, Brian May wrote:
> I note this package - golang-github-dgrijalva-jwt-go - has been marked
> as vulnerable to CVE-2020-26160 in both Debian stretch and buster.
> 
> https://security-tracker.debian.org/tracker/CVE-2020-26160
> 
> But I can't find any code in these versions that even mentions the
> aud/audience fields.
> 
> So I plan to mark these versions as not vulnerable.

Were you able to track down in which version the vulnerability was
introduced? 

Regards,
Salvatore

Reply to:

Follow-Ups:
- Re: golang-github-dgrijalva-jwt-go / CVE-2020-26160
  - From: Brian May <bam@debian.org>

Next by Date: Debian LTS and ELTS - November 2020
Next by thread: Re: golang-github-dgrijalva-jwt-go / CVE-2020-26160
Index(es):
- Date
- Thread