
Bump github.com/go-jose/go-jose/v3 to address GO-2023-2334 #12723

Merged
merged 1 commit into from Nov 29, 2023

Conversation

nywilken
Member

@nywilken nywilken commented Nov 29, 2023

Packer is not directly vulnerable to this CVE, but it is a dependency of the Vault API package which Packer does use.

~>  govulncheck ./...
Scanning your code and 895 packages across 164 dependent modules for known vulnerabilities...

=== Informational ===

Found 1 vulnerability in packages that you import, but there are no call
stacks leading to the use of this vulnerability. You may not need to
take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2023-2334
    Decryption of malicious PBES2 JWE objects can consume unbounded system
    resources
  More info: https://pkg.go.dev/vuln/GO-2023-2334
  Module: github.com/go-jose/go-jose/v3
    Found in: github.com/go-jose/go-jose/v3@v3.0.0
    Fixed in: github.com/go-jose/go-jose/v3@v3.0.1

No vulnerabilities found.

Share feedback at https://go.dev/s/govulncheck-feedback.
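The advisory quoted above concerns PBES2 key management, where the JWE protected header's `p2c` field (RFC 7518) tells the recipient how many PBKDF2 iterations to run, so an attacker-chosen value drives CPU cost. The following is an added example, not Packer's or go-jose's code, of the kind of pre-check a consumer can run on an incoming compact JWE before handing it to any decryption library; the `maxPBES2Count` bound is an assumed illustrative value, not the figure go-jose v3.0.1 uses.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// maxPBES2Count is an assumed cap on the p2c iteration count (not go-jose's figure).
const maxPBES2Count = 1_000_000

// jweHeader holds the protected-header fields relevant here (RFC 7516/7518).
type jweHeader struct {
	Alg string `json:"alg"`
	P2C int64  `json:"p2c"`
}

// checkPBES2Header decodes the protected header of a compact-serialized JWE and
// rejects PBES2 objects whose p2c is missing, non-positive or above the cap.
func checkPBES2Header(compact string) (*jweHeader, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 5 {
		return nil, fmt.Errorf("expected 5 JWE segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("protected header: %w", err)
	}
	var h jweHeader
	if err := json.Unmarshal(raw, &h); err != nil {
		return nil, fmt.Errorf("protected header: %w", err)
	}
	if strings.HasPrefix(h.Alg, "PBES2-") && (h.P2C <= 0 || h.P2C > maxPBES2Count) {
		return nil, fmt.Errorf("PBES2: refusing p2c=%d (limit %d)", h.P2C, maxPBES2Count)
	}
	return &h, nil
}

// buildJWE assembles a constructed compact JWE with placeholder segments; only the header matters.
func buildJWE(alg string, p2c int64) string {
	hdr, _ := json.Marshal(jweHeader{Alg: alg, P2C: p2c})
	enc := base64.RawURLEncoding.EncodeToString
	return strings.Join([]string{enc(hdr), enc([]byte("ek")), enc([]byte("iv")), enc([]byte("ct")), enc([]byte("tag"))}, ".")
}

func main() {
	_, err := checkPBES2Header(buildJWE("PBES2-HS256+A128KW", 1<<31))
	fmt.Println("oversized p2c:", err)
}
```

Upgrading the library remains the actual fix; a header check like this only bounds the work an untrusted token can request from code that has not yet been upgraded.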

@nywilken nywilken requested a review from a team as a code owner November 29, 2023 18:18
@nywilken nywilken added the dependencies Pull requests that update a dependency file label Nov 29, 2023
Collaborator

@lbajolet-hashicorp lbajolet-hashicorp left a comment


LGTM!

@lbajolet-hashicorp lbajolet-hashicorp merged commit 083243c into main Nov 29, 2023
12 checks passed
@lbajolet-hashicorp lbajolet-hashicorp deleted the security/GHSA-2c7c-3mj9-8fqh branch November 29, 2023 19:49
@nywilken nywilken added the backport/1.10.x Backport PR changes to `release/1.10.x` label Nov 30, 2023

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 31, 2023