Upgrade to com.atlassian.jwt version 2.0.1 #534

Closed
asieira opened this Issue Dec 14, 2017 · 8 comments


asieira commented Dec 14, 2017

Currently Silhouette is using version 1.6.1 of the Atlassian JWT library, which in turn uses version 3.6 of nimbus-jose-jwt.

The problem is that this indirect dependency has three known CVEs:

Version 2.0.1 of the Atlassian JWT library uses a version of the nimbus library that is not vulnerable to these CVE entries. I would like to recommend that Silhouette be updated to use this newer version.

Member

akkie commented Dec 14, 2017

@asieira Would you provide a pull request?

Author

asieira commented Dec 14, 2017

Don't have the bandwidth right now, maybe @rfranco could step in and help?

Contributor

rfranco commented Dec 14, 2017

Sure, I'm going to do a PR for that.

Member

akkie commented Dec 14, 2017

Hi @rfranco. Nice to read something from you after such a long time. I hope you are well 😄

Contributor

rfranco commented Dec 14, 2017

@akkie I'm very well; unfortunately my time now is too short to contribute as I'd like.
Anyway, the PR is done 😃

akkie closed this in #535 Dec 15, 2017

Member

akkie commented Dec 15, 2017

@rfranco No problem and many thanks for the PR 👍

Author

asieira commented Dec 15, 2017

@akkie any estimate on when you'll publish an updated version?

Member

akkie commented Dec 17, 2017

@asieira 5.0.3 is out
