2017-07-20 21:29
CVE-2016-9122 golang-gopkg-square-go-jose.v1
2017-06-16 19:21
2017-05-10 23:45
2017-04-14 10:19
2017-04-01 21:42
2017-03-28 21:03


go-jose before 1.0.4 mishandles messages that carry multiple signatures. The go-jose library supports messages with multiple signatures. However, when validating a signed message, the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.
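The confusion described above, as an added example that is not part of the original advisory and is not go-jose's own code: a simplified multi-signature message (HS256 only, headers kept as plain strings) in which the hypothetical `verifyWithIndex` returns the index and header of the signature that actually validated, so the caller never reads the header of an unchecked one. All type and function names, the keys and the sample message are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Sig is one entry of a multi-signature message (simplified model, HS256 only).
type Sig struct {
	Protected string // serialized protected header (base64url JSON in a real JWS)
	MAC       []byte // HMAC-SHA256 over Protected + "." + Payload
}
type JWS struct{ Payload string; Sigs []Sig } // payload plus every attached signature

func mac(key []byte, protected, payload string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(protected + "." + payload))
	return h.Sum(nil)
}

// sign attaches one more signature with its own protected header.
func (m *JWS) sign(key []byte, protected string) {
	m.Sigs = append(m.Sigs, Sig{protected, mac(key, protected, m.Payload)})
}

// verifyWithIndex (hypothetical) returns the index and header of the signature that validated.
func verifyWithIndex(m *JWS, key []byte) (int, string, error) {
	for i, s := range m.Sigs {
		if hmac.Equal(s.MAC, mac(key, s.Protected, m.Payload)) {
			return i, s.Protected, nil
		}
	}
	return -1, "", fmt.Errorf("no signature validated")
}

// sample is a constructed message; Sigs[0] is made with a key the verifier does not hold.
func sample(trusted []byte) *JWS {
	m := &JWS{Payload: "aGVsbG8"}
	m.sign([]byte("other-key"), `{"alg":"HS256","kid":"other"}`)
	m.sign(trusted, `{"alg":"HS256","kid":"trusted"}`)
	return m
}

func main() {
	m := sample([]byte("trusted-key"))
	i, hdr, err := verifyWithIndex(m, []byte("trusted-key"))
	fmt.Println("unchecked Sigs[0]:", m.Sigs[0].Protected, "| validated:", i, hdr, err)
}
```

Code that reads `m.Sigs[0].Protected` after a successful verification gets the header of a signature the trusted key never covered; using only the returned index and header avoids that.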

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, then it is pending.


Affected package information

Release Package Patched in
upstream golang-gopkg-square-go-jose.v1 1.0.5-1


Release Package Reason
precise golang-gopkg-square-go-jose.v1 DNE
precise/esm golang-gopkg-square-go-jose.v1 DNE
trusty golang-gopkg-square-go-jose.v1 DNE
vivid/stable-phone-overlay golang-gopkg-square-go-jose.v1 DNE
vivid/ubuntu-core golang-gopkg-square-go-jose.v1 DNE
xenial golang-gopkg-square-go-jose.v1 DNE
yakkety golang-gopkg-square-go-jose.v1 ignored
zesty golang-gopkg-square-go-jose.v1 not-affected
devel golang-gopkg-square-go-jose.v1 not-affected