
Commit d940c1e

DavidS-ovm authored and actions-user committed
fix(deps): update module github.com/go-jose/go-jose/v4 to v4.1.4 [security] (#4568)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/go-jose/go-jose/v4](https://redirect.github.com/go-jose/go-jose) | `v4.1.3` → `v4.1.4` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-jose%2fgo-jose%2fv4/v4.1.4?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-jose%2fgo-jose%2fv4/v4.1.3/v4.1.4?slim=true) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information.

### GitHub Vulnerability Alerts

#### [CVE-2026-34986](https://redirect.github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8)

### Impact

Decrypting a JSON Web Encryption (JWE) object will panic if the `alg` field indicates a key wrapping algorithm ([one ending in `KW`](https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants), with the exception of `A128GCMKW`, `A192GCMKW`, and `A256GCMKW`) and the `encrypted_key` field is empty. The panic happens when `cipher.KeyUnwrap()` in `key_wrap.go` attempts to allocate a slice with a zero or negative length based on the length of the `encrypted_key`.

This code path is reachable from `ParseEncrypted()` / `ParseEncryptedJSON()` / `ParseEncryptedCompact()` followed by `Decrypt()` on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected.

This panic is also reachable by calling `cipher.KeyUnwrap()` directly with any `ciphertext` parameter less than 16 bytes long, but calling this function directly is less common.

Panics can lead to denial of service.

### Fixed

In 4.1.4 and v3.0.5

### Workarounds

If the list of `keyAlgorithms` passed to `ParseEncrypted()` / `ParseEncryptedJSON()` / `ParseEncryptedCompact()` does not include key wrapping algorithms (those ending in `KW`), your application is unaffected.

If your application uses key wrapping, you can prevalidate the JWE objects to ensure the `encrypted_key` field is nonempty. If your application accepts JWE Compact Serialization, apply that validation to the corresponding field of that serialization (the data between the first and second `.`).

### Thanks

Go JOSE thanks Datadog's Security team for finding this issue.

---

### Release Notes

<details>
<summary>go-jose/go-jose (github.com/go-jose/go-jose/v4)</summary>

### [`v4.1.4`](https://redirect.github.com/go-jose/go-jose/compare/v4.1.3...v4.1.4)

[Compare Source](https://redirect.github.com/go-jose/go-jose/compare/v4.1.3...v4.1.4)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

GitOrigin-RevId: 3c8e03dca7e9129b62d388c1b3f10391b5469d12
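The workaround the advisory describes (reject a JWE whose `alg` is an affected key-wrapping algorithm but whose `encrypted_key` is empty, before the object ever reaches `ParseEncrypted*()`/`Decrypt()`), written out as an added Go example. This is not code from this commit or from go-jose; it uses only the standard library. The function names (`PrevalidateCompact`, `PrevalidateJSON`, `checkEncryptedKey`), the sample tokens and the 24-byte dummy "wrapped key" are all constructed here. It goes slightly beyond the advisory text by covering the compact serialization and both the flattened and the general JSON serialization, and it reads `alg` from the protected header only (RFC 7516 also allows `alg` in unprotected or per-recipient headers; extend the lookup if your deployment relies on those).

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// gcmKW: the key-wrap algorithms the advisory excludes from the affected set.
var gcmKW = map[string]bool{"A128GCMKW": true, "A192GCMKW": true, "A256GCMKW": true}

// isAffectedKeyWrap reports whether alg ends in "KW" and is not an AES-GCM key wrap.
func isAffectedKeyWrap(alg string) bool {
	return strings.HasSuffix(alg, "KW") && !gcmKW[alg]
}

// protectedAlg base64url-decodes a protected header and returns its "alg";
// an absent protected header (allowed in the JSON serialization) yields "".
func protectedAlg(protected string) (string, error) {
	if protected == "" {
		return "", nil
	}
	raw, err := base64.RawURLEncoding.DecodeString(protected)
	if err != nil {
		return "", fmt.Errorf("protected header is not base64url: %w", err)
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("protected header is not JSON: %w", err)
	}
	return hdr.Alg, nil
}

// checkEncryptedKey is the advisory's workaround: an affected alg must carry a
// non-empty encrypted_key. Other algs (e.g. "dir") legitimately have none.
func checkEncryptedKey(alg, encryptedKey string) error {
	if isAffectedKeyWrap(alg) && encryptedKey == "" {
		return fmt.Errorf("alg %s requires a non-empty encrypted_key", alg)
	}
	return nil
}

// PrevalidateCompact checks the data between the first and second "." of a
// JWE Compact Serialization, which is the encrypted_key segment.
func PrevalidateCompact(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return fmt.Errorf("expected 5 compact segments, got %d", len(parts))
	}
	alg, err := protectedAlg(parts[0])
	if err != nil {
		return err
	}
	return checkEncryptedKey(alg, parts[1])
}

// PrevalidateJSON applies the same check to a JWE JSON object, covering both
// the flattened form (top-level encrypted_key) and the general form (recipients).
func PrevalidateJSON(doc []byte) error {
	var j struct {
		Protected    string `json:"protected"`
		EncryptedKey string `json:"encrypted_key"`
		Recipients   []struct {
			EncryptedKey string `json:"encrypted_key"`
		} `json:"recipients"`
	}
	if err := json.Unmarshal(doc, &j); err != nil {
		return fmt.Errorf("not a JWE JSON object: %w", err)
	}
	alg, err := protectedAlg(j.Protected)
	if err != nil {
		return err
	}
	if len(j.Recipients) == 0 { // flattened serialization
		return checkEncryptedKey(alg, j.EncryptedKey)
	}
	for i, r := range j.Recipients {
		if err := checkEncryptedKey(alg, r.EncryptedKey); err != nil {
			return fmt.Errorf("recipient %d: %w", i, err)
		}
	}
	return nil
}

// Constructed sample inputs (not real tokens; the "wrapped key" is 24 zero bytes).
var sampleWrappedKey = base64.RawURLEncoding.EncodeToString(make([]byte, 24))
func protectedHeader(alg string) string {
	raw, _ := json.Marshal(map[string]string{"alg": alg, "enc": "A128GCM"})
	return base64.RawURLEncoding.EncodeToString(raw)
}
func sampleCompact(alg, encryptedKey string) string {
	return strings.Join([]string{protectedHeader(alg), encryptedKey, "aXY", "Y3Q", "dGFn"}, ".")
}

func main() {
	fmt.Println("A128KW, empty key:", PrevalidateCompact(sampleCompact("A128KW", "")))
	fmt.Println("A128KW, wrapped key:", PrevalidateCompact(sampleCompact("A128KW", sampleWrappedKey)))
}
```

Call the matching `Prevalidate*` function on the raw input and refuse the message on error before handing it to `ParseEncryptedCompact()`/`ParseEncryptedJSON()`. Algorithms that are not affected, such as `dir` or the `A*GCMKW` family the advisory excludes, pass through untouched, so the check does not break legitimate traffic. After upgrading to v4.1.4 the library itself no longer panics on this input, and the prevalidation becomes defence in depth rather than the only guard.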
1 parent 270eccc commit d940c1e


2 files changed (+3, -3 lines)


go.mod

Lines changed: 1 addition & 1 deletion
@@ -108,7 +108,7 @@ require (
108108
github.com/coder/websocket v1.8.14
109109
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
110110
github.com/getsentry/sentry-go v0.44.1
111-
github.com/go-jose/go-jose/v4 v4.1.3
111+
github.com/go-jose/go-jose/v4 v4.1.4
112112
github.com/gocarina/gocsv v0.0.0-20240520201108-78e41c74b4b1
113113
github.com/google/btree v1.1.3
114114
github.com/google/go-github/v84 v84.0.0
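Review bot: the bump on line 111 goes from v4.1.3 straight to v4.1.4, the exact version the advisory lists as fixed, so this is the right minimal change for a direct requirement inside the `require (` block. Two things worth confirming before merge: that the go.sum entries in this PR carry the new module hash for v4.1.4 (they do in the second file), and that no `replace` directive elsewhere in go.mod still pins go-jose to the old version, since a `replace` would take precedence over this line; `go build ./...` followed by `go mod verify` on the branch settles both.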

go.sum

Lines changed: 2 additions & 2 deletions
@@ -502,8 +502,8 @@ github.com/go-git/go-git/v5 v5.16.5 h1:mdkuqblwr57kVfXri5TTH+nMFLNUxIj9Z7F5ykFbw
502502
github.com/go-git/go-git/v5 v5.16.5/go.mod h1:QOMLpNf1qxuSY4StA/ArOdfFR2TrKEjJiye2kel2m+M=
503503
github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
504504
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
505-
github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
506-
github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
505+
github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
506+
github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
507507
github.com/go-json-experiment/json v0.0.0-20251027170946-4849db3c2f7e h1:Lf/gRkoycfOBPa42vU2bbgPurFong6zXeFtPoxholzU=
508508
github.com/go-json-experiment/json v0.0.0-20251027170946-4849db3c2f7e/go.mod h1:uNVvRXArCGbZ508SxYYTC5v1JWoz2voff5pm25jU1Ok=
509509
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
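Review bot: the two replaced entries are internally consistent. The module zip hash (the `h1:` on the first line) changes from `CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=` to `moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=`, while the `/go.mod` hash on the second line stays `x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=` for both v4.1.3 and v4.1.4, which is what you expect when a patch release changes source files but not the module's own go.mod. Nothing to change here; `go mod verify` after merge confirms the recorded hashes match the downloaded module.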
