Skip to content

Commit 6d81420

Browse files
mikecookMichael Cook
mikecook
and
Michael Cook
authored
Security issue: resolve GHSA-2c7c-3mj9-8fqh (#381)
An attacker specifying a large "p2c" value can cause JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large amounts of CPU, causing a DoS. Update package github.com/coreos/go-oidc to version that requires fixed version of go-jose. Note that github.com/square/go-jose is deprecated and has been replaced by github.com/go-jose/go-jose commands run: - go get -u github.com/coreos/go-oidc/[email protected] - go mod tidy -go=1.16 see: - GHSA-2c7c-3mj9-8fqh - coreos/go-oidc#399 - https://github.com/square/go-jose - https://github.com/go-jose/go-jose Co-authored-by: Michael Cook <[email protected]>
1 parent 497467b commit 6d81420

File tree

2 files changed

+779
-181
lines changed

2 files changed

+779
-181
lines changed

auth_server/go.mod

+6-29
Original file line numberDiff line numberDiff line change
@@ -3,55 +3,32 @@ module github.com/cesanta/docker_auth/auth_server
33
go 1.16
44

55
require (
6-
cloud.google.com/go/compute v1.10.0 // indirect
7-
cloud.google.com/go/iam v0.5.0 // indirect
8-
cloud.google.com/go/storage v1.27.0
9-
github.com/PuerkitoBio/goquery v1.5.1 // indirect
6+
cloud.google.com/go/storage v1.29.0
107
github.com/casbin/casbin/v2 v2.55.1
118
github.com/cesanta/glog v0.0.0-20150527111657-22eb27a0ae19
12-
github.com/coreos/go-oidc/v3 v3.4.0
9+
github.com/coreos/go-oidc/v3 v3.9.0
1310
github.com/dchest/uniuri v0.0.0-20220929095258-3027df40b6ce
1411
github.com/deckarep/golang-set v1.8.0
1512
github.com/docker/distribution v2.8.1+incompatible
1613
github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7
1714
github.com/go-ldap/ldap v3.0.3+incompatible
1815
github.com/go-redis/redis v6.15.9+incompatible
1916
github.com/go-sql-driver/mysql v1.6.0
20-
github.com/go-stack/stack v1.8.1 // indirect
21-
github.com/gobuffalo/genny v0.1.1 // indirect
22-
github.com/gobuffalo/gogen v0.1.1 // indirect
23-
github.com/goccy/go-json v0.9.11 // indirect
24-
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
25-
github.com/google/go-cmp v0.5.9 // indirect
26-
github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect
2717
github.com/gorilla/mux v1.8.0 // indirect
28-
github.com/jstemmer/go-junit-report v1.0.0 // indirect
29-
github.com/karrick/godirwalk v1.10.3 // indirect
3018
github.com/klauspost/compress v1.15.11 // indirect
31-
github.com/kr/text v0.2.0 // indirect
3219
github.com/lib/pq v1.10.7
33-
github.com/magefile/mage v1.14.0 // indirect
3420
github.com/mattn/go-sqlite3 v2.0.3+incompatible
3521
github.com/montanaflynn/stats v0.6.6 // indirect
36-
github.com/pelletier/go-toml v1.7.0 // indirect
3722
github.com/schwarmco/go-cartesian-product v0.0.0-20180515110546-d5ee747a6dc9
3823
github.com/sirupsen/logrus v1.9.0 // indirect
39-
github.com/stretchr/testify v1.7.0 // indirect
4024
github.com/syndtr/goleveldb v1.0.0
4125
github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a // indirect
4226
go.mongodb.org/mongo-driver v1.10.2
43-
go.opencensus.io v0.23.0 // indirect
44-
golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be
45-
golang.org/x/net v0.0.0-20220930213112-107f3e3c3b0b
46-
golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1
47-
golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0 // indirect
48-
golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec // indirect
49-
golang.org/x/tools v0.1.12 // indirect
50-
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
51-
google.golang.org/api v0.98.0
52-
google.golang.org/genproto v0.0.0-20220930163606-c98284e70a91 // indirect
27+
golang.org/x/crypto v0.14.0
28+
golang.org/x/net v0.17.0
29+
golang.org/x/oauth2 v0.13.0
30+
google.golang.org/api v0.126.0
5331
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
54-
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
5532
gopkg.in/fsnotify.v1 v1.4.7
5633
gopkg.in/mgo.v2 v2.0.0-20190816093944-a6b53ec6cb22
5734
gopkg.in/yaml.v2 v2.4.0

0 commit comments

Comments
 (0)