Skip to content

fix(deps): Update module github.com/go-jose/go-jose/v3 to v3.0.3 [SECURITY]#17091

Merged
kodiakhq[bot] merged 1 commit into
mainfrom
renovate/go-github.com/go-jose/go-jose/v3-vulnerability
Mar 7, 2024
Merged

fix(deps): Update module github.com/go-jose/go-jose/v3 to v3.0.3 [SECURITY]#17091
kodiakhq[bot] merged 1 commit into
mainfrom
renovate/go-github.com/go-jose/go-jose/v3-vulnerability

Conversation

@cq-bot
Copy link
Copy Markdown
Contributor

@cq-bot cq-bot commented Mar 7, 2024

This PR contains the following updates:

Package Type Update Change
github.com/go-jose/go-jose/v3 indirect patch v3.0.1 -> v3.0.3

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

GHSA-c5q2-7r4c-mv6g

Impact

An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@​zer0yu and @​chenjj) for reporting.

Patches

The problem is fixed in v4.0.1, v3.0.3, v2.6.3

Release Notes

go-jose/go-jose (github.com/go-jose/go-jose/v3)

v3.0.3: Version 3.0.3

Compare Source

Fixed

  • Limit decompression output size to prevent a DoS. Backport from v4.0.1.

v3.0.2

Compare Source

Fixed

  • DecryptMulti: handle decompression error (#​19)

Changed

  • jwe/CompactSerialize: improve performance (#​67)
  • Increase the default number of PBKDF2 iterations to 600k (#​48)
  • Return the proper algorithm for ECDSA keys (#​45)

Added

  • Add Thumbprint support for opaque signers (#​38)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@cq-bot cq-bot added automerge Automatically merge once required checks pass security labels Mar 7, 2024
@cq-bot
Copy link
Copy Markdown
Contributor Author

cq-bot commented Mar 7, 2024

/gen sha=cc2b18bc3ab3b28fb462a9d7e6d8ac2f5c6d4c21 dir=plugins/source/okta

@kodiakhq kodiakhq Bot merged commit ab419ee into main Mar 7, 2024
@kodiakhq kodiakhq Bot deleted the renovate/go-github.com/go-jose/go-jose/v3-vulnerability branch March 7, 2024 23:13
@cq-bot cq-bot mentioned this pull request Mar 7, 2024
Merged
kodiakhq Bot pushed a commit that referenced this pull request Mar 12, 2024
@cq-bot
chore(main): Release plugins-source-okta v4.1.3 (#17079)
7af546a 
🤖 I have created a release *beep* *boop*
---


## [4.1.3](plugins-source-okta-v4.1.2...plugins-source-okta-v4.1.3) (2024-03-12)


### Bug Fixes

* **deps:** Update module github.com/cloudquery/plugin-sdk/v4 to v4.32.1 ([#17044](#17044)) ([d3592e7](d3592e7))
* **deps:** Update module github.com/go-jose/go-jose/v3 to v3.0.3 [SECURITY] ([#17091](#17091)) ([ab419ee](ab419ee))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kodiakhq kodiakhq[bot] kodiakhq[bot] approved these changes

Assignees

No one assigned

Labels

area/plugin/source/okta automerge Automatically merge once required checks pass security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cq-bot @renovate-bot