search

coreos / go-oidc

A Go OpenID Connect client.
Apache License 2.0
1.99k stars 400 forks source link

Upgrade go-jose to fix CVE-2024-28180 #417

Closed bcandeias closed 8 months ago

bcandeias commented 8 months ago

Two weeks ago github.com/go-jose/go-jose released v.4.0.1 to fix a published vulnerability (CVE-2024-28180.

This is issue is to bump the dependency from v3.0.1 to v4.0.1.

(I can do a pull request with the bump)

bcandeias commented 8 months ago

I just realised that the API also changes, which likely means a go-oidc v4 as well.

The big difference is that jose.ParseSigned now requires the SignatureAlgorithm.

# github.com/coreos/go-oidc/v3/oidc
oidc/jwks.go:28:31: not enough arguments in call to jose.ParseSigned
    have (string)
    want (string, []jose.SignatureAlgorithm)

Trying to figure out what should we do here as it really doesn't make sense from an API perspective to request this when the string JWT has that encoded.

ericchiang commented 8 months ago

go-oidc intentional doesn't export anything that references its JWT package, so it's fine to change the dependency without releasing a major version bump. We did that in the past when go-jose changed it's import path.

I can take a crack at updating. If I'm reading the new signature right this might actually fix https://github.com/coreos/go-oidc/issues/356 as well

Regardless, the CVE is for JWE implementation issues which this package doesn't use. v3.0.3 also appears to have the fix.

bcandeias commented 8 months ago

Regardless, the CVE is for JWE implementation issues which this package doesn't use. v3.0.3 also appears to have the fix.

Fair point. I didn't validate whether it was being used or not, and I was also being misled by the v4.0.1 release notes. #418 does the bump, but I tried to take a stab at using 4.0.1 (the one where the API changes). In interest of enabling #356 I can try contributing.