Re: golang-github-dgrijalva-jwt-go / CVE-2020-26160

To: Salvatore Bonaccorso <carnil@debian.org>
Cc: debian-lts@lists.debian.org, security@debian.org
Subject: Re: golang-github-dgrijalva-jwt-go / CVE-2020-26160
From: Brian May <bam@debian.org>
Date: Thu, 03 Dec 2020 08:15:42 +1100
Message-id: <[🔎] 87sg8nnc3l.fsf@canidae.wired.pri>
In-reply-to: <[🔎] 20201202072417.GB30412@lorien.valinor.li>
References: <87im9mpkqm.fsf@canidae.wired.pri> <[🔎] 20201201052431.GA6669@lorien.valinor.li> <[🔎] 871rg9nq32.fsf@canidae.wired.pri> <[🔎] 20201202072417.GB30412@lorien.valinor.li>

Salvatore Bonaccorso <carnil@debian.org> writes:

> Your above tracking of the commits seems correct, which would mean
> that the issue was firstly introduced actually in v3.0.0 and given the
> code is not found in the buster and stretch version this would not
> affect hose versions indeed.

Yes, you are right. I misread the github webpage, which shows
v4.0.0-preview1 in bold, but has v3.0.0 next to it.

Good to know the git command to get this information, thanks for that.

> So to me updating the CVE entry to not-affected for buster and stretch
> (as the respective vulnerable code was introduced later) seems correct
> to me.

I will do so.
-- 
Brian May <bam@debian.org>

Reply to:

References:
- Re: golang-github-dgrijalva-jwt-go / CVE-2020-26160
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Re: golang-github-dgrijalva-jwt-go / CVE-2020-26160
  - From: Brian May <bam@debian.org>
- Re: golang-github-dgrijalva-jwt-go / CVE-2020-26160
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Re: openjdk-8 8u275-b01-1
Next by Date: reverse build depends on stretch
Previous by thread: Re: golang-github-dgrijalva-jwt-go / CVE-2020-26160
Next by thread: Debian LTS and ELTS - November 2020
Index(es):
- Date
- Thread