From 02ca4e970c44e2ec6cbe7dab6ab90f7866aacb38 Mon Sep 17 00:00:00 2001
From: Martin Atkins
Date: Tue, 12 Oct 2021 09:59:02 -0700
Subject: [PATCH] go.mod: replace github.com/dgrijalva/jwt-go with .../golang-jwt/jwt

CVE-2020-26160 is a high-severity advisory reported against this module. The dgrijalva package is no longer maintained but our legacy etcv2 backend depends on it indirectly, via go.etcd.io/etcd/client. The golang-jwt package is the blessed successor of the original, and has a v3 line which is compatible with the v3 line of dgrijalva, and so through this replace we can get a fix for the advisory without other significant behavior change.

We've preserved the etcdv2 backend as-is on a best-effort basis in order to support anyone who is already using it, but recommend that users switch to etcdv3 or to some other backend for ongoing use.

We also have future plans to make state storage be a matter for provider plugins rather than built in to Terraform CLI, at which point this backend will either become obsolete or be factored out into its own plugin, at which point we can remove this "replace" directive and the associated dependency altogether.
---
go.mod | 6 ++++++
go.sum | 5 ++---
2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index db77246a2e..dfcde125f7 100644
--- a/go.mod
+++ b/go.mod
@@ -192,4 +192,10 @@ replace github.com/golang/mock v1.5.0 => github.com/golang/mock v1.4.4
 replace k8s.io/client-go => k8s.io/client-go v0.0.0-20190620085101-78d2af792bab
+// github.com/dgrijalva/jwt-go is no longer maintained but is an indirect
+// dependency of the old etcdv2 backend, and so we need to keep this working
+// until that backend is removed. github.com/golang-jwt/jwt/v3 is a drop-in
+// replacement that includes a fix for CVE-2020-26160.
+replace github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt v3.2.1+incompatible
+
 go 1.17
diff --git a/go.sum b/go.sum
index bc61ec030b..bec4551f8e 100644
--- a/go.sum
+++ b/go.sum
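Review bot: The comment added above the new replace directive names `github.com/golang-jwt/jwt/v3` as the drop-in replacement, but the directive itself pins `github.com/golang-jwt/jwt v3.2.1+incompatible`, the unversioned module path; the two should agree so a later reader does not "correct" the directive to the `/v3` path and silently change what gets resolved. Suggest `// until that backend is removed. github.com/golang-jwt/jwt v3.2.1+incompatible is a drop-in`. It is also worth a sentence in the comment that a replace directive only takes effect when this go.mod is the main module, so anything that consumes Terraform as a library still resolves the dgrijalva module unless it adds its own replace. After applying, `go list -m github.com/dgrijalva/jwt-go` should print the golang-jwt module after `=>`, which confirms the etcd client import path picks up the patched code.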
@@ -172,9 +172,6 @@ github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
 github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U=
 github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
@@ -226,6 +223,8 @@ github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d h1:3PaI8p3seN09VjbTYC/QWlUZdZ1qS1zGjy7LH2Wt07I=
 github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
+github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=