GHSA-jgvc-jfgh-rjvv version upgrade 0.7.x or 0.6.x to 0.9.3

Issue #204 resolved
Sourabh Parkala created an issue

The vulnerability was found in Jose4j versions < 0.9.3, as per https://github.com/google/security-research/security/advisories/GHSA-jgvc-jfgh-rjvv

Is it possible to upgrade from 0.7.x or 0.6.x to 0.9.3?

Or is the fix backward compatible?

Thanks
Sourabh

Comments (6)

  1. Brian Campbell repo owner

    I can’t make guarantees but in general upgrades are possible and API compatible.

    That specific fix should be compatible too. Unless you need to be using RSA1_5 (though you really shouldn’t), in which case you’ll need to explicitly permit it with AlgorithmConstraints because the fix added a default AlgorithmConstraints to JsonWebEncryption to block the RSA1_5 alg.

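The opt-in the repo owner describes, as an added example that is not part of this thread and not code from the jose4j project: it assumes jose4j 0.9.3 on the classpath, and the class and method names (Rsa15UpgradeCheck, encryptLegacyRsa15, decrypt) are made up for the illustration. A consumer that still has to accept RSA1_5 replaces the new default constraints with an explicit AlgorithmConstraints; a consumer that does not sets nothing and keeps the block. Note that a PERMIT list allows only the algorithms it names, so any other key management algorithm the consumer still accepts has to be listed alongside RSA1_5.

```java
import java.security.PrivateKey;
import java.security.PublicKey;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.lang.InvalidAlgorithmException;
import org.jose4j.lang.JoseException;

// Hypothetical class written for this example; not part of jose4j.
public class Rsa15UpgradeCheck {

    // Producer side. Only needed while some legacy consumer still requires RSA1_5;
    // the explicit PERMIT list overrides the 0.9.3 default that blocks it.
    static String encryptLegacyRsa15(PublicKey pub, String plaintext) throws JoseException {
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA1_5);
        jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);
        jwe.setAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT,
                KeyManagementAlgorithmIdentifiers.RSA1_5));
        jwe.setKey(pub);
        jwe.setPayload(plaintext);
        return jwe.getCompactSerialization();
    }

    // Producer side as new code should look: RSA-OAEP-256 passes the default constraints untouched.
    static String encryptOaep(PublicKey pub, String plaintext) throws JoseException {
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP_256);
        jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);
        jwe.setKey(pub);
        jwe.setPayload(plaintext);
        return jwe.getCompactSerialization();
    }

    // Consumer side. A null constraints argument means "leave the library default in place".
    static String decrypt(PrivateKey priv, String compact, AlgorithmConstraints constraints) throws JoseException {
        JsonWebEncryption jwe = new JsonWebEncryption();
        if (constraints != null) {
            jwe.setAlgorithmConstraints(constraints);
        }
        jwe.setKey(priv);
        jwe.setCompactSerialization(compact);
        return jwe.getPlaintextString();
    }

    public static void main(String[] args) throws JoseException {
        // Throwaway key pair generated for the example.
        RsaJsonWebKey jwk = RsaJwkGenerator.generateJwk(2048);
        PublicKey pub = jwk.getPublicKey();
        PrivateKey priv = jwk.getPrivateKey();

        String legacy = encryptLegacyRsa15(pub, "legacy payload");

        // 1. Default behaviour after upgrading to 0.9.3: RSA1_5 is rejected before any decryption happens.
        try {
            decrypt(priv, legacy, null);
            System.out.println("unexpected: RSA1_5 accepted under default constraints");
        } catch (InvalidAlgorithmException e) {
            System.out.println("default constraints rejected RSA1_5: " + e.getMessage());
        }

        // 2. Explicit opt-in for a consumer that must still accept RSA1_5. Name every key management
        //    algorithm this consumer should accept; PERMIT blocks everything not listed.
        AlgorithmConstraints legacyAllowList = new AlgorithmConstraints(ConstraintType.PERMIT,
                KeyManagementAlgorithmIdentifiers.RSA1_5,
                KeyManagementAlgorithmIdentifiers.RSA_OAEP_256);
        System.out.println("opted in: " + decrypt(priv, legacy, legacyAllowList));

        // 3. The migration target: RSA-OAEP-256 round-trips with no constraint changes on either side.
        String modern = encryptOaep(pub, "modern payload");
        System.out.println("default constraints accept RSA-OAEP-256: " + decrypt(priv, modern, null));
    }
}
```

The explicit allow list in step 2 is a stopgap to keep legacy traffic flowing during the upgrade, not a reason to keep RSA1_5 in production; once the last producer has moved to RSA-OAEP-256, drop the setAlgorithmConstraints call and the library default blocks RSA1_5 again with no further code change.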
  2. Sourabh Parkala reporter

    Thank you so much for the clarification.

    I would like to update the version. But since this is a major version update, I was not so sure.

    Thanks
    Sourabh
