GHSA-jgvc-jfgh-rjvv version upgrade 0.7.x or 0.6.x to 0.9.3
Issue #204
resolved
The vulnerability was found in Jose4j versions < 0.9.3, as per https://github.com/google/security-research/security/advisories/GHSA-jgvc-jfgh-rjvv
Is it possible to upgrade from 0.7.x or 0.6.x to 0.9.3?
Or is the fix backward compatible?
Thanks
Sourabh
Comments (6)

repo owner: I can’t make guarantees but in general upgrades are possible and API compatible.
That specific fix should be compatible too. Unless you need to be using RSA1_5 (though you really shouldn’t), in which case you’ll need to explicitly permit it with AlgorithmConstraints because the fix added a default AlgorithmConstraints to JsonWebEncryption to block the RSA1_5 alg.

repo owner changed status to open
repo owner changed status to resolved
repo owner changed status to open
repo owner changed status to resolved

reporter: Thank you so much for the clarification.
I would like to update the version. But since this is a major version update, I was not so sure.
Thanks
Sourabh
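To make the maintainer's point concrete, the following is an added example (not code from the jose4j project or from this thread) showing what a consumer sees after moving to 0.9.3: a token that uses RSA1_5 is rejected by the library's default AlgorithmConstraints on JsonWebEncryption, while RSA-OAEP-256 continues to work, and a consumer that pins an explicit allow-list behaves the same way regardless of library defaults. It assumes the jose4j 0.9.3 class and method names shown (JsonWebEncryption, AlgorithmConstraints, KeyManagementAlgorithmIdentifiers, ContentEncryptionAlgorithmIdentifiers, InvalidAlgorithmException); the RSA key pair is generated locally and the tokens are minted in the same program so it runs offline.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.lang.InvalidAlgorithmException;
import org.jose4j.lang.JoseException;

// Added example (assumes jose4j 0.9.3 API names); not project code.
public class Rsa15MigrationCheck {

    // Mint a compact JWE with the requested key management algorithm.
    static String encrypt(KeyPair kp, String alg, String payload) throws JoseException {
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setPlaintext(payload);
        jwe.setAlgorithmHeaderValue(alg);
        jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_256_GCM);
        jwe.setKey(kp.getPublic());
        // The producer path goes through the same constraints check, so an explicit
        // PERMIT for exactly the algorithm being used is needed to build the RSA1_5
        // sample token at all. This mirrors the opt-in the maintainer describes.
        jwe.setAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT, alg));
        return jwe.getCompactSerialization();
    }

    // Consumer relying on the 0.9.3 defaults: no constraints are set, so the
    // library's built-in default (BLOCK RSA1_5) decides what is accepted.
    static String decryptWithDefaults(KeyPair kp, String compact) throws JoseException {
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setKey(kp.getPrivate());
        jwe.setCompactSerialization(compact);
        return jwe.getPlaintextString();
    }

    // Hardened consumer: an explicit allow-list for both the "alg" and "enc"
    // headers documents the decision in code and does not depend on which
    // default a given library version ships with.
    static String decryptAllowList(KeyPair kp, String compact) throws JoseException {
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT,
                KeyManagementAlgorithmIdentifiers.RSA_OAEP_256));
        jwe.setContentEncryptionAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT,
                ContentEncryptionAlgorithmIdentifiers.AES_256_GCM));
        jwe.setKey(kp.getPrivate());
        jwe.setCompactSerialization(compact);
        return jwe.getPlaintextString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();  // constructed locally for the demo

        String oaep = encrypt(kp, KeyManagementAlgorithmIdentifiers.RSA_OAEP_256, "hello");
        System.out.println("RSA-OAEP-256, default constraints: " + decryptWithDefaults(kp, oaep));
        System.out.println("RSA-OAEP-256, explicit allow-list: " + decryptAllowList(kp, oaep));

        String rsa15 = encrypt(kp, KeyManagementAlgorithmIdentifiers.RSA1_5, "hello");
        try {
            decryptWithDefaults(kp, rsa15);
            System.out.println("RSA1_5 accepted (this is the pre-0.9.3 behaviour)");
        } catch (InvalidAlgorithmException e) {
            System.out.println("RSA1_5 rejected by the 0.9.3 default constraints: " + e.getMessage());
        }
        try {
            decryptAllowList(kp, rsa15);
        } catch (InvalidAlgorithmException e) {
            System.out.println("RSA1_5 rejected by the explicit allow-list: " + e.getMessage());
        }
    }
}
```

On a 0.9.3 upgrade the first RSA1_5 decryption attempt fails with an InvalidAlgorithmException, which is the behaviour change the maintainer refers to; an existing integration that has never touched AlgorithmConstraints will notice it only if it was producing or consuming RSA1_5 tokens. A consumer that must temporarily keep accepting RSA1_5 during a migration would use the same setAlgorithmConstraints(PERMIT, ...) call shown in encrypt(), but the explicit RSA-OAEP-256 allow-list in decryptAllowList() is the configuration to end up with, since it is a positive statement of what the service accepts rather than a reliance on the library's blocklist.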