From f68fd00b7bd313d73b62b1899674461a326c53e6 Mon Sep 17 00:00:00 2001 
From: shankar0123 Date: Sun, 3 May 2026 13:48:57 +0000 Subject: [PATCH] =?UTF-8?q?chore(deps):=20upgrade=20go-jose=20v4.0.4=20?= =?UTF-8?q?=E2=86=92=20v4.1.4=20+=20tidy=20duplicate=20require?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two-fer in one commit: (1) Dependabot security alerts on go-jose/v4 v4.0.4. Both alerts flagged on commit 44a85d6 (the Phase 1b push that introduced the dep): - GHSA-c6gw-w398-hv78 (CVE-2025-27144): DoS in JWS Compact parsing when input has many `.` characters; excessive memory consumption via strings.Split. Fixed in v4.0.5. Same shape as CVE-2025-22868 in golang.org/x/oauth2/jws. - GHSA-78h2-9frx-2jm8 (CVE-2026-34986): JWE decryption panic when alg is a key-wrapping algorithm (`*KW` other than the GCMKW family) and encrypted_key is empty. Maps to a denial-of-service via panic. Fixed in v4.1.4. The certctl ACME server only invokes ParseSigned for JWS verify (the JWS path); we never call ParseEncrypted/Decrypt. So the JWE panic doesn't reach our code path. The JWS DoS is a low-grade concern (an attacker submitting JWS objects with many dots could amplify memory). Both are still real CVEs; upgrading is cheap and right. (2) ci: fix `go mod tidy` drift on commit a05a7d3. When I added go-jose to the direct require block, I missed removing the duplicate `// indirect` line in the indirect block. CI's `go mod tidy && git diff --exit-code go.mod go.sum` flagged the drift. Running `go mod tidy` (combined with the v4.1.4 upgrade above) cleans up both. Verified locally: - go.mod has exactly one `github.com/go-jose/go-jose/v4 v4.1.4` line (in the direct require block); no `// indirect` duplicate. - go test -count=1 -short ./internal/api/acme/ green — confirms v4.1.4 has the same API surface (ParseSigned with SignatureAlgorithm allowlist, Header.ExtraHeaders[HeaderKey], JSONWebKey.Thumbprint(crypto.SHA256), Signer with SignerOptions.WithHeader). 16-case JWS verifier suite all pass. 
- go test -count=1 -short ./internal/service/ green.
- go test -count=1 -short ./internal/api/handler/ -run TestACME green.
- go build ./cmd/server → server binary clean.
---
 go.mod | 3 +--
 go.sum | 2 ++
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index b19a20a..74091c9 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/aws/aws-sdk-go-v2 v1.41.7
 	github.com/aws/aws-sdk-go-v2/config v1.32.17
 	github.com/aws/aws-sdk-go-v2/service/acmpca v1.46.14
-	github.com/go-jose/go-jose/v4 v4.0.4
+	github.com/go-jose/go-jose/v4 v4.1.4
 	github.com/leanovate/gopter v0.2.11
 	github.com/masterzen/winrm v0.0.0-20250927112105-5f8e6c707321
 	github.com/pkg/sftp v1.13.10
@@ -53,7 +53,6 @@ require (
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
diff --git a/go.sum b/go.sum
index b802527..be7d9b0 100644
--- a/go.sum
+++ b/go.sum
@@ -143,6 +143,8 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
 github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=