From dde89455f33663a7fd4686281fae8733cac5a009 Mon Sep 17 00:00:00 2001
From: Vikrant Puppala
Date: Wed, 20 May 2026 16:42:37 +0000
Subject: [PATCH] [SIRT-1753] Bump go-jose/go-jose/v3 to v3.0.5
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Addresses CVE-2026-34986 (JWE KeyUnwrap panic / DoS in go-jose) by bumping the transitive dependency from v3.0.4 to v3.0.5. The CVE is not exploitable in this driver — the vulnerable JWE parse/decrypt path in go-jose is never reached; go-jose is only pulled in indirectly via coreos/go-oidc, which the driver uses solely for OIDC provider discovery. The bump is to satisfy SCA scanners.

CVE-2026-41602 (apache/thrift TFramedTransport integer overflow) is also reported by SIRT-1753 but is intentionally NOT addressed here:
- The fix only lands in apache/thrift v0.23.0, which requires Go 1.25.
- This module is pinned to Go 1.20; bumping the go directive would be a breaking change for downstream consumers building against earlier Go toolchains.
- The vulnerable TFramedTransport is not reachable: the driver only uses THttpClient (see internal/client/client.go and config defaults).

The non-exploitability of CVE-2026-41602 will be communicated to SIRT separately rather than via a forced toolchain bump.

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 1d1fdc78..4dd24c55 100644
--- a/go.mod
+++ b/go.mod
@@ -21,7 +21,7 @@ require (
 	github.com/dnephin/pflag v1.0.7 // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.5 // indirect
 	github.com/goccy/go-json v0.9.11 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
diff --git a/go.sum b/go.sum
index 670487a8..731555b7 100644
--- a/go.sum
+++ b/go.sum
@@ -21,8 +21,8 @@ github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4Nij
 github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
 github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
-github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
-github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
+github.com/go-jose/go-jose/v3 v3.0.5 h1:BLLJWbC4nMZOfuPVxoZIxeYsn6Nl2r1fITaJ78UQlVQ=
+github.com/go-jose/go-jose/v3 v3.0.5/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/goccy/go-json v0.9.11 h1:/pAaQDLHEoCq/5FFmSKBswWmK6H0e8g4159Kc/X/nqk=
 github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=