Debian Package Tracker

golang-github-golang-jwt-jwt


general
  • source: golang-github-golang-jwt-jwt (main)
  • version: 5.0.0+really4.5.2-1
  • maintainer: Debian Go Packaging Team (DMD)
  • uploaders: Pirate Praveen [DMD]
  • arch: all any
  • std-ver: 4.7.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • stable: 4.4.3-1
  • testing: 5.0.0+really4.5.2-1
  • unstable: 5.0.0+really4.5.2-1
versioned links
  • 4.4.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 5.0.0+really4.5.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • golang-github-golang-jwt-jwt-dev
  • jwt
action needed
lintian reports 1 warning normal
Lintian reports 1 warning about this package. You should make the package lintian clean by getting rid of it.
Created: 2025-03-23 Last update: 2025-04-10 14:00
2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:
  • CVE-2024-51744: (needs triaging) golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to a situation where users are not checking errors in the way they should. In particular, if a token is both expired and invalid, the error returned by `ParseWithClaims` carries both error codes. If users only check for `jwt.ErrTokenExpired` using `errors.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function returns immediately in "dangerous" situations (e.g., an invalid signature), limiting combined errors to situations where the signature is valid but further validation failed (e.g., the signature is valid, but the token is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you do not run into the case detailed above.
  • CVE-2025-30204: (needs triaging) golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
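The caller-side pitfall described for CVE-2024-51744, as an added Go example that is not golang-jwt's or the Debian package's own code: the sentinel errors and `legacyParseResult` are constructed stand-ins for the jwt names in the advisory, and `unsafeVerdict`/`safeVerdict` are hypothetical names for the two checking orders.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the jwt sentinel errors named in the advisory;
// this is example code written for this page, not golang-jwt's own.
var (
	ErrTokenExpired          = errors.New("token is expired")
	ErrTokenSignatureInvalid = errors.New("token signature is invalid")
)

// legacyParseResult models the pre-4.5.1 v4 behaviour the advisory
// describes: a token that is both forged and expired yields one error
// wrapping both causes, so errors.Is reports true for each of them.
func legacyParseResult() error {
	return errors.Join(ErrTokenSignatureInvalid, ErrTokenExpired)
}

// unsafeVerdict is the caller pattern the advisory warns about: treating
// "expired" as a tolerable state (e.g. to allow a refresh) without first
// ruling out the dangerous causes that may be wrapped alongside it.
func unsafeVerdict(err error) string {
	switch {
	case err == nil:
		return "accept"
	case errors.Is(err, ErrTokenExpired):
		return "refresh" // the wrapped signature failure is never looked at
	default:
		return "reject"
	}
}

// safeVerdict checks the dangerous cause first, which is also the order the
// back-ported 4.5.1 logic enforces by returning early on it.
func safeVerdict(err error) string {
	switch {
	case err == nil:
		return "accept"
	case errors.Is(err, ErrTokenSignatureInvalid):
		return "reject"
	case errors.Is(err, ErrTokenExpired):
		return "refresh"
	default:
		return "reject"
	}
}

func main() {
	err := legacyParseResult()
	fmt.Println("unsafe:", unsafeVerdict(err), "safe:", safeVerdict(err))
}
```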

You can find information about how to handle these issues in the security team's documentation.
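The allocation pattern described for CVE-2025-30204, contrasted with a bounded alternative, as an added Go example that is not golang-jwt's or the Debian package's own code: `splitUnbounded` and `splitBounded` are hypothetical names, and the hostile input is constructed inline.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Example code written for this page, not golang-jwt's own; the function
// names are hypothetical. A compact JWS is header.payload.signature, so a
// well-formed token contains exactly two periods.
var errMalformed = errors.New("token contains an invalid number of segments")

// splitUnbounded mirrors the behaviour CVE-2025-30204 describes: strings.Split
// allocates a []string with one 16-byte string header per segment, so an
// input of n periods costs about 16*n bytes before the count is checked.
func splitUnbounded(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errMalformed
	}
	return parts, nil
}

// splitBounded is the hardened form: strings.Cut locates one separator at a
// time and returns substrings of the input, so nothing is allocated and a
// token with extra periods is rejected after at most three linear scans.
func splitBounded(token string) (header, payload, sig string, err error) {
	header, rest, ok := strings.Cut(token, ".")
	if !ok {
		return "", "", "", errMalformed
	}
	payload, sig, ok = strings.Cut(rest, ".")
	if !ok || strings.Contains(sig, ".") {
		return "", "", "", errMalformed
	}
	return header, payload, sig, nil
}

func main() {
	// Constructed hostile input: the "many period characters" case.
	hostile := strings.Repeat(".", 1<<20)
	_, err := splitUnbounded(hostile) // rejected, but only after ~16 MiB of allocation
	fmt.Println("unbounded:", err)
	_, _, _, err = splitBounded(hostile) // rejected with no allocation at all
	fmt.Println("bounded:", err)
	h, p, s, err := splitBounded("aaa.bbb.ccc")
	fmt.Println(h, p, s, err)
}
```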

Created: 2024-11-05 Last update: 2025-04-11 04:32
news
[rss feed]
  • [2025-03-25] golang-github-golang-jwt-jwt 5.0.0+really4.5.2-1 MIGRATED to testing (Debian testing watch)
  • [2025-03-23] Accepted golang-github-golang-jwt-jwt 5.0.0+really4.5.2-1 (source) into unstable (Mathias Gibbens)
  • [2024-09-14] golang-github-golang-jwt-jwt 5.0.0+really4.5.0-2 MIGRATED to testing (Debian testing watch)
  • [2024-09-12] Accepted golang-github-golang-jwt-jwt 5.0.0+really4.5.0-2 (source) into unstable (Anton Gladky)
  • [2023-10-12] golang-github-golang-jwt-jwt 5.0.0+really4.5.0-1 MIGRATED to testing (Debian testing watch)
  • [2023-10-07] Accepted golang-github-golang-jwt-jwt 5.0.0+really4.5.0-1 (source) into unstable (Anton Gladky)
  • [2023-10-07] Accepted golang-github-golang-jwt-jwt 5.0.0+really4.5.0-1~exp1 (source) into experimental (Anton Gladky)
  • [2023-10-06] Accepted golang-github-golang-jwt-jwt 5.0.0-1 (source) into unstable (Anton Gladky)
  • [2022-12-06] golang-github-golang-jwt-jwt 4.4.3-1 MIGRATED to testing (Debian testing watch)
  • [2022-12-03] Accepted golang-github-golang-jwt-jwt 4.4.3-1 (source) into unstable (Mathias Gibbens)
  • [2022-11-24] golang-github-golang-jwt-jwt 4.4.2-1 MIGRATED to testing (Debian testing watch)
  • [2022-11-22] Accepted golang-github-golang-jwt-jwt 4.4.2-1 (source) into unstable (Mathias Gibbens)
  • [2022-02-02] golang-github-golang-jwt-jwt 4.2.0-1 MIGRATED to testing (Debian testing watch)
  • [2022-01-30] Accepted golang-github-golang-jwt-jwt 4.2.0-1 (source) into unstable (Thorsten Alteholz)
  • [2021-11-21] golang-github-golang-jwt-jwt 4.1.0-2 MIGRATED to testing (Debian testing watch)
  • [2021-11-19] Accepted golang-github-golang-jwt-jwt 4.1.0-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-11-18] Accepted golang-github-golang-jwt-jwt 4.1.0-1 (source all amd64) into unstable, unstable (Debian FTP Masters) (signed by: Praveen Arimbrathodiyil)
bugs [bug history graph]
  • all: 1
  • RC: 0
  • I&N: 0
  • M&W: 1
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 1)
  • buildd: logs, checks, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 5.0.0+really4.5.2-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers