CVE-2016-9122

Metadata

medium
5.0
golang-gopkg-square-go-jose.v1
CVE-2016-9122
cve.mitre.org, openwall.com, github.com, hackerone.com
2017-03-27
2017-07-20 21:29
CVE-2016-9122 golang-gopkg-square-go-jose.v1
2017-06-16 19:21
2017-05-10 23:45
2017-04-14 10:19
2017-04-01 21:42
2017-03-28 21:03

Description

go-jose before 1.0.4 is affected by a multiple-signature confusion issue. The go-jose library supports messages with multiple signatures. However, when validating a signed message, the API did not indicate which signature was valid, which could lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched and the versions that are unaffected. If a patch is ready but unreleased, it is marked as pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.

Affected package information

Release   Package                         Patched in
upstream  golang-gopkg-square-go-jose.v1  1.0.5-1

Unaffected

Release                     Package                         Reason
precise                     golang-gopkg-square-go-jose.v1  DNE
precise/esm                 golang-gopkg-square-go-jose.v1  DNE
trusty                      golang-gopkg-square-go-jose.v1  DNE
vivid/stable-phone-overlay  golang-gopkg-square-go-jose.v1  DNE
vivid/ubuntu-core           golang-gopkg-square-go-jose.v1  DNE
xenial                      golang-gopkg-square-go-jose.v1  DNE
yakkety                     golang-gopkg-square-go-jose.v1  ignored
zesty                       golang-gopkg-square-go-jose.v1  not-affected
devel                       golang-gopkg-square-go-jose.v1  not-affected