Skip to content

fix(deps): update module github.com/go-jose/go-jose/v3 to v3.0.4 [security] - failed #3828

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

fix(deps): update module github.com/go-jose/go-jose/v3 to v3.0.4 [security] - failed #3828

wants to merge 1 commit into from

Conversation

@dominikholler
Copy link

@dominikholler dominikholler commented Jul 8, 2025

This PR contains the following updates:

Package Change Age Confidence
github.com/go-jose/go-jose/v3 v3.0.3 -> v3.0.4 age confidence

Release note

Update dependecy github.com/go-jose/go-jose/v3 to v3.0.4

DoS in go-jose Parsing in github.com/go-jose/go-jose

CVE-2025-27144 / GHSA-c6gw-w398-hv78 / GO-2025-3485

More information

Details

DoS in go-jose Parsing in github.com/go-jose/go-jose

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

DoS in go-jose Parsing

CVE-2025-27144 / GHSA-c6gw-w398-hv78 / GO-2025-3485

More information

Details

Impact

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

Patches

Version 4.0.5 fixes this issue

Workarounds

Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.

References

This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

go-jose/go-jose (github.com/go-jose/go-jose/v3)

v3.0.4

Compare Source

What's Changed

Backport fix for GHSA-c6gw-w398-hv78 CVE-2025-27144
https://github.com/go-jose/go-jose/pull/174

Full Changelog: go-jose/go-jose@v3.0.3...v3.0.4

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@kvrenovatebot
Copy link

kvrenovatebot commented Jul 8, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: undefined
Command failed: DOCKER=0 make bazel-generate
Extracting Bazel installation...
Starting local Bazel server and connecting to it...
Loading: 
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
Analyzing: target //:gazelle (1 packages loaded, 0 targets configured)
Analyzing: target //:gazelle (70 packages loaded, 1866 targets configured)
Analyzing: target //:gazelle (80 packages loaded, 11169 targets configured)
Analyzing: target //:gazelle (80 packages loaded, 11169 targets configured)
INFO: Analyzed target //:gazelle (92 packages loaded, 11288 targets configured).
INFO: Found 1 target...
[0 / 26] [Prepa] Creating source manifest for //:gazelle ... (4 actions, 0 running)
[14 / 59] GoToolchainBinaryBuild external/go_sdk/builder; 5s processwrapper-sandbox ... (2 actions running)
[14 / 59] GoToolchainBinaryBuild external/go_sdk/builder; 11s processwrapper-sandbox ... (2 actions running)
[18 / 59] GoStdlib external/io_bazel_rules_go/stdlib_/pkg; 4s processwrapper-sandbox ... (2 actions running)
[18 / 59] GoStdlib external/io_bazel_rules_go/stdlib_/pkg; 11s processwrapper-sandbox ... (2 actions running)
[19 / 59] GoStdlib external/io_bazel_rules_go/stdlib_/pkg; 19s processwrapper-sandbox ... (3 actions, 1 running)
Target //:gazelle up-to-date:
  bazel-bin/gazelle-runner.bash
  bazel-bin/gazelle
INFO: Elapsed time: 64.758s, Critical Path: 37.06s
INFO: 59 processes: 16 internal, 43 processwrapper-sandbox.
INFO: Build completed successfully, 59 total actions
INFO: Running command line: bazel-bin/gazelle staging/src pkg/ tools/ tests/ cmd/ vendor/
INFO: Build completed successfully, 59 total actions
gazelle: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/aio_buffer.go: error reading go file: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/aio_buffer.go: pkg-config not supported: #cgo pkg-config: libnbd
gazelle: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/bindings.go: error reading go file: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/bindings.go: pkg-config not supported: #cgo pkg-config: libnbd
gazelle: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/closures.go: error reading go file: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/closures.go: pkg-config not supported: #cgo pkg-config: libnbd
gazelle: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/handle.go: error reading go file: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/handle.go: pkg-config not supported: #cgo pkg-config: libnbd
gazelle: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/wrappers.go: error reading go file: /tmp/renovate/repos/github/kubevirt/containerized-data-importer/vendor/libguestfs.org/libnbd/wrappers.go: pkg-config not supported: #cgo pkg-config: libnbd
Loading: 
Loading: 0 packages loaded
Analyzing: target @com_github_bazelbuild_buildtools//buildozer:buildozer (1 packages loaded, 0 targets configured)
Analyzing: target @com_github_bazelbuild_buildtools//buildozer:buildozer (39 packages loaded, 635 targets configured)
INFO: Analyzed target @com_github_bazelbuild_buildtools//buildozer:buildozer (63 packages loaded, 2072 targets configured).
INFO: Found 1 target...
[0 / 5] [Prepa] BazelWorkspaceStatusAction stable-status.txt
[10 / 290] GoToolchainBinaryBuild external/go_sdk/builder; 1s processwrapper-sandbox ... (8 actions running)
[14 / 290] GoToolchainBinaryBuild external/go_sdk/builder; 2s processwrapper-sandbox ... (8 actions running)
[15 / 290] GoToolchainBinaryBuild external/go_sdk/builder; 3s processwrapper-sandbox ... (8 actions running)
[20 / 290] GoToolchainBinaryBuild external/go_sdk/builder; 4s processwrapper-sandbox ... (8 actions running)
[21 / 290] GoToolchainBinaryBuild external/go_sdk/builder; 5s processwrapper-sandbox ... (8 actions running)
[23 / 290] GoToolchainBinaryBuild external/go_sdk/builder; 6s processwrapper-sandbox ... (8 actions running)
[24 / 290] GoToolchainBinaryBuild external/go_sdk/builder; 7s processwrapper-sandbox ... (8 actions running)
[28 / 290] GoToolchainBinaryBuild external/go_sdk/builder; 8s processwrapper-sandbox ... (8 actions running)
[30 / 290] GoToolchainBinaryBuild external/go_sdk/builder; 10s processwrapper-sandbox ... (8 actions running)
[32 / 290] GoToolchainBinaryBuild external/go_sdk/builder; 12s processwrapper-sandbox ... (8 actions running)
[34 / 290] GoToolchainBinaryBuild external/go_sdk/builder; 14s processwrapper-sandbox ... (8 actions running)
[35 / 290] GoToolchainBinaryBuild external/go_sdk/builder; 17s processwrapper-sandbox ... (8 actions running)
INFO: From Compiling src/google/protobuf/message_lite.cc:
In file included from /usr/include/string.h:548,
                 from external/com_google_protobuf/src/google/protobuf/stubs/port.h:38,
                 from external/com_google_protobuf/src/google/protobuf/stubs/common.h:46,
                 from external/com_google_protobuf/src/google/protobuf/message_lite.h:45,
                 from external/com_google_protobuf/src/google/protobuf/message_lite.cc:36:
In function 'void* memcpy(void*, const void*, size_t)',
    inlined from 'google::protobuf::uint8* google::protobuf::io::EpsCopyOutputStream::WriteRaw(const void*, int, google::protobuf::uint8*)' at external/com_google_protobuf/src/google/protobuf/io/coded_stream.h:697:16,
    inlined from 'virtual google::protobuf::uint8* google::protobuf::internal::ImplicitWeakMessage::InternalSerializeWithCachedSizesToArray(google::protobuf::uint8*, google::protobuf::io::EpsCopyOutputStream*) const' at external/com_google_protobuf/src/google/protobuf/implicit_weak_message.h:87:28,
    inlined from 'bool google::protobuf::MessageLite::SerializePartialToZeroCopyStream(google::protobuf::io::ZeroCopyOutputStream*) const' at external/com_google_protobuf/src/google/protobuf/message_lite.cc:387:51:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:33: warning: 'void* __builtin___memcpy_chk(void*, const void*, long unsigned int, long unsigned int)' specified size between 18446744071562067968 and 18446744073709551615 exceeds maximum object size 9223372036854775807 [-Wstringop-overflow=]
   29 |   return __builtin___memcpy_chk (__dest, __src, __len,
      |          ~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~
   30 |                                  __glibc_objsize0 (__dest));
      |                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~
[40 / 290] GoToolchainBinaryBuild external/go_sdk/builder; 20s processwrapper-sandbox ... (8 actions running)
[48 / 290] GoToolchainBinaryBuild external/go_sdk/builder; 23s processwrapper-sandbox ... (8 actions running)
[73 / 290] GoToolchainBinaryBuild external/go_sdk/builder; 27s processwrapper-sandbox ... (8 actions running)
[96 / 290] GoToolchainBinaryBuild external/go_sdk/builder; 31s processwrapper-sandbox ... (8 actions, 7 running)
[119 / 290] Compiling src/google/protobuf/text_format.cc; 2s processwrapper-sandbox ... (8 actions, 7 running)
INFO: From Compiling src/google/protobuf/unknown_field_set.cc:
In file included from /usr/include/c++/13/string:51,
                 from external/com_google_protobuf/src/google/protobuf/unknown_field_set.h:42,
                 from external/com_google_protobuf/src/google/protobuf/unknown_field_set.cc:35:
In static member function 'static _Up* std::__copy_move<_IsMove, true, std::random_access_iterator_tag>::__copy_m(_Tp*, _Tp*, _Up*) [with _Tp = google::protobuf::UnknownField; _Up = google::protobuf::UnknownField; bool _IsMove = true]',
    inlined from '_OI std::__copy_move_a2(_II, _II, _OI) [with bool _IsMove = true; _II = google::protobuf::UnknownField*; _OI = google::protobuf::UnknownField*]' at /usr/include/c++/13/bits/stl_algobase.h:506:30,
    inlined from '_OI std::__copy_move_a1(_II, _II, _OI) [with bool _IsMove = true; _II = google::protobuf::UnknownField*; _OI = google::protobuf::UnknownField*]' at /usr/include/c++/13/bits/stl_algobase.h:533:42,
    inlined from '_OI std::__copy_move_a(_II, _II, _OI) [with bool _IsMove = true; _II = __gnu_cxx::__normal_iterator<google::protobuf::UnknownField*, vector<google::protobuf::UnknownField> >; _OI = google::protobuf::UnknownField*]' at /usr/include/c++/13/bits/stl_algobase.h:540:31,
    inlined from '_OI std::copy(_II, _II, _OI) [with _II = move_iterator<__gnu_cxx::__normal_iterator<google::protobuf::UnknownField*, vector<google::protobuf::UnknownField> > >; _OI = google::protobuf::UnknownField*]' at /usr/include/c++/13/bits/stl_algobase.h:633:7,
    inlined from 'static _ForwardIterator std::__uninitialized_copy<true>::__uninit_copy(_InputIterator, _InputIterator, _ForwardIterator) [with _InputIterator = std::move_iterator<__gnu_cxx::__normal_iterator<google::protobuf::UnknownField*, std::vector<google::protobuf::UnknownField> > >; _ForwardIterator = google::protobuf::UnknownField*]' at /usr/include/c++/13/bits/stl_uninitialized.h:147:27,
    inlined from '_ForwardIterator std::uninitialized_copy(_InputIterator, _InputIterator, _ForwardIterator) [with _InputIterator = move_iterator<__gnu_cxx::__normal_iterator<google::protobuf::UnknownField*, vector<google::protobuf::UnknownField> > >; _ForwardIterator = google::protobuf::UnknownField*]' at /usr/include/c++/13/bits/stl_uninitialized.h:185:15,
    inlined from '_ForwardIterator std::__uninitialized_copy_a(_InputIterator, _InputIterator, _ForwardIterator, allocator<_Tp>&) [with _InputIterator = move_iterator<__gnu_cxx::__normal_iterator<google::protobuf::UnknownField*, vector<google::protobuf::UnknownField> > >; _ForwardIterator = google::protobuf::UnknownField*; _Tp = google::protobuf::UnknownField]' at /usr/include/c++/13/bits/stl_uninitialized.h:373:37,
    inlined from 'void std::vector<_Tp, _Alloc>::_M_range_insert(iterator, _ForwardIterator, _ForwardIterator, std::forward_iterator_tag) [with _ForwardIterator = std::move_iterator<__gnu_cxx::__normal_iterator<google::protobuf::UnknownField*, std::vector<google::protobuf::UnknownField> > >; _Tp = google::protobuf::UnknownField; _Alloc = std::allocator<google::protobuf::UnknownField>]' at /usr/include/c++/13/bits/vector.tcc:814:38,
    inlined from 'std::vector<_Tp, _Alloc>::iterator std::vector<_Tp, _Alloc>::insert(const_iterator, _InputIterator, _InputIterator) [with _InputIterator = std::move_iterator<__gnu_cxx::__normal_iterator<google::protobuf::UnknownField*, std::vector<google::protobuf::UnknownField> > >; <template-parameter-2-2> = void; _Tp = google::protobuf::UnknownField; _Alloc = std::allocator<google::protobuf::UnknownField>]' at /usr/include/c++/13/bits/stl_vector.h:1486:19,
    inlined from 'void google::protobuf::UnknownFieldSet::MergeFromAndDestroy(google::protobuf::UnknownFieldSet*)' at external/com_google_protobuf/src/google/protobuf/unknown_field_set.cc:95:19:
/usr/include/c++/13/bits/stl_algobase.h:437:30: warning: 'void* __builtin_memmove(void*, const void*, long unsigned int)' writing between 17 and 9223372036854775792 bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
  437 |             __builtin_memmove(__result, __first, sizeof(_Tp) * _Num);
      |             ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from /usr/include/x86_64-linux-gnu/c++/13/bits/c++allocator.h:33,
                 from /usr/include/c++/13/bits/allocator.h:46,
                 from /usr/include/c++/13/string:43:
In member function '_Tp* std::__new_allocator<_Tp>::allocate(size_type, const void*) [with _Tp = google::protobuf::UnknownField]',
    inlined from 'static _Tp* std::allocator_traits<std::allocator<_CharT> >::allocate(allocator_type&, size_type) [with _Tp = google::protobuf::UnknownField]' at /usr/include/c++/13/bits/alloc_traits.h:482:28,
    inlined from 'std::_Vector_base<_Tp, _Alloc>::pointer std::_Vector_base<_Tp, _Alloc>::_M_allocate(std::size_t) [with _Tp = google::protobuf::UnknownField; _Alloc = std::allocator<google::protobuf::UnknownField>]' at /usr/include/c++/13/bits/stl_vector.h:381:33,
    inlined from 'std::_Vector_base<_Tp, _Alloc>::pointer std::_Vector_base<_Tp, _Alloc>::_M_allocate(std::size_t) [with _Tp = google::protobuf::UnknownField; _Alloc = std::allocator<google::protobuf::UnknownField>]' at /usr/include/c++/13/bits/stl_vector.h:378:7,
    inlined from 'void std::vector<_Tp, _Alloc>::_M_range_insert(iterator, _ForwardIterator, _ForwardIterator, std::forward_iterator_tag) [with _ForwardIterator = std::move_iterator<__gnu_cxx::__normal_iterator<google::protobuf::UnknownField*, std::vector<google::protobuf::UnknownField> > >; _Tp = google::protobuf::UnknownField; _Alloc = std::allocator<google::protobuf::UnknownField>]' at /usr/include/c++/13/bits/vector.tcc:805:40,
    inlined from 'std::vector<_Tp, _Alloc>::iterator std::vector<_Tp, _Alloc>::insert(const_iterator, _InputIterator, _InputIterator) [with _InputIterator = std::move_iterator<__gnu_cxx::__normal_iterator<google::protobuf::UnknownField*, std::vector<google::protobuf::UnknownField> > >; <template-parameter-2-2> = void; _Tp = google::protobuf::UnknownField; _Alloc = std::allocator<google::protobuf::UnknownField>]' at /usr/include/c++/13/bits/stl_vector.h:1486:19,
    inlined from 'void google::protobuf::UnknownFieldSet::MergeFromAndDestroy(google::protobuf::UnknownFieldSet*)' at external/com_google_protobuf/src/google/protobuf/unknown_field_set.cc:95:19:
/usr/include/c++/13/bits/new_allocator.h:151:55: note: at offset [-9223372036854775808, -1] into destination object of size [16, 9223372036854775792] allocated by 'operator new'
  151 |         return static_cast<_Tp*>(_GLIBCXX_OPERATOR_NEW(__n * sizeof(_Tp)));
      |                                                       ^
[136 / 290] GoStdlib external/io_bazel_rules_go/stdlib_/pkg; 8s processwrapper-sandbox ... (8 actions, 7 running)
[146 / 290] GoStdlib external/io_bazel_rules_go/stdlib_/pkg; 15s processwrapper-sandbox ... (8 actions, 7 running)
[167 / 290] GoStdlib external/io_bazel_rules_go/stdlib_/pkg; 23s processwrapper-sandbox ... (8 actions, 7 running)
[227 / 290] Compiling src/google/protobuf/compiler/command_line_interface.cc; 1s processwrapper-sandbox ... (8 actions, 7 running)
[283 / 342] Compiling src/google/protobuf/descriptor.pb.cc; 12s processwrapper-sandbox ... (8 actions, 7 running)
Target @com_github_bazelbuild_buildtools//buildozer:buildozer up-to-date:
  bazel-bin/external/com_github_bazelbuild_buildtools/buildozer/buildozer_/buildozer
INFO: Elapsed time: 86.557s, Critical Path: 65.65s
INFO: 342 processes: 15 internal, 327 processwrapper-sandbox.
INFO: Build completed successfully, 342 total actions
INFO: Running command line: bazel-bin/external/com_github_bazelbuild_buildtools/buildozer/buildozer_/buildozer 'add clinkopts -lnbd' ///home/ubuntu/go/src/kubevirt.io/containerized-data-importer/vendor/libguestfs.org/libnbd/:go_default_library
INFO: Build completed successfully, 342 total actions
/home/ubuntu/go/src/kubevirt.io/containerized-data-importer/vendor/libguestfs.org/libnbd/BUILD: file not found or not readable
make: *** [Makefile:168: bazel-generate] Error 2

@kubevirt-bot kubevirt-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Jul 8, 2025
@kubevirt-bot
Copy link
Contributor

kubevirt-bot commented Jul 8, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign awels for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot requested review from aglitke and mhenriks July 8, 2025 13:27
@dominikholler dominikholler changed the title fix(deps): update module github.com/go-jose/go-jose/v3 to v3.0.4 [security] fix(deps): update module github.com/go-jose/go-jose/v3 to v3.0.4 [security] - failed Jul 8, 2025
@dominikholler dominikholler deleted the renovate/go-github.com-go-jose-go-jose-v3-vulnerability branch July 8, 2025 13:35
@kubevirt-bot
Copy link
Contributor

kubevirt-bot commented Jul 8, 2025

@dominikholler: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cdi-unit-test-s390x cd6b60e link false /test pull-cdi-unit-test-s390x
pull-cdi-goveralls cd6b60e link false /test pull-cdi-goveralls
pull-cdi-unit-test cd6b60e link true /test pull-cdi-unit-test
pull-cdi-apidocs cd6b60e link true /test pull-cdi-apidocs
pull-cdi-generate-verify cd6b60e link true /test pull-cdi-generate-verify
pull-containerized-data-importer-fossa cd6b60e link true /test pull-containerized-data-importer-fossa
pull-containerized-data-importer-non-csi-hpp cd6b60e link true /test pull-containerized-data-importer-non-csi-hpp
pull-containerized-data-importer-e2e-hpp-previous cd6b60e link true /test pull-containerized-data-importer-e2e-hpp-previous
pull-containerized-data-importer-e2e-upg cd6b60e link true /test pull-containerized-data-importer-e2e-upg
pull-containerized-data-importer-e2e-nfs cd6b60e link true /test pull-containerized-data-importer-e2e-nfs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aglitke aglitke Awaiting requested review from aglitke

@mhenriks mhenriks Awaiting requested review from mhenriks

Assignees

No one assigned

Labels

dco-signoff: yes Indicates the PR's author has DCO signed all their commits. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dominikholler @kvrenovatebot @kubevirt-bot