1# v4.0.1
2
3## Fixed
4
5 - An attacker could send a JWE containing compressed data that used large
6 amounts of memory and CPU when decompressed by `Decrypt` or `DecryptMulti`.
7 Those functions now return an error if the decompressed data would exceed
8 250kB or 10x the compressed size (whichever is larger). Thanks to
9 Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj)
10 for reporting.
11
12# v4.0.0
13
14This release makes some breaking changes in order to more thoroughly
15address the vulnerabilities discussed in [Three New Attacks Against JSON Web
16Tokens][1], "Sign/encrypt confusion", "Billion hash attack", and "Polyglot
17token".
18
19## Changed
20
21 - Limit JWT encryption types (exclude password or public key types) (#78)
22 - Enforce minimum length for HMAC keys (#85)
23 - jwt: match any audience in a list, rather than requiring all audiences (#81)
24 - jwt: accept only Compact Serialization (#75)
25 - jws: Add expected algorithms for signatures (#74)
26 - Require specifying expected algorithms for ParseEncrypted,
27 ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
28 jwt.ParseSignedAndEncrypted (#69, #74)
29 - Usually there is a small, known set of appropriate algorithms for a program
30 to use and it's a mistake to allow unexpected algorithms. For instance the
31 "billion hash attack" relies in part on programs accepting the PBES2
32 encryption algorithm and doing the necessary work even if they weren't
33 specifically configured to allow PBES2.
34 - Revert "Strip padding off base64 strings" (#82)
35 - The specs require base64url encoding without padding.
36 - Minimum supported Go version is now 1.21
37
38## Added
39
40 - ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
41 - These allow parsing a specific serialization, as opposed to ParseSigned and
42 ParseEncrypted, which try to automatically detect which serialization was
43 provided. It's common to require a specific serialization for a specific
44 protocol - for instance JWT requires Compact serialization.
45
46[1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
47
48# v3.0.3
49
50## Fixed
51
52 - Limit decompression output size to prevent a DoS. Backport from v4.0.1.
53
54# v3.0.2
55
56## Fixed
57
58 - DecryptMulti: handle decompression error (#19)
59
60## Changed
61
62 - jwe/CompactSerialize: improve performance (#67)
63 - Increase the default number of PBKDF2 iterations to 600k (#48)
64 - Return the proper algorithm for ECDSA keys (#45)
65
66## Added
67
68 - Add Thumbprint support for opaque signers (#38)
69
70# v3.0.1
71
72## Fixed
73
74 - Security issue: an attacker specifying a large "p2c" value can cause
75 JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large
76 amounts of CPU, causing a DoS. Thanks to Matt Schwager (@mschwager) for the
77 disclosure and to Tom Tervoort for originally publishing the category of attack.
78 https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
79
80# v2.6.3
81
82## Fixed
83
84 - Limit decompression output size to prevent a DoS. Backport from v4.0.1.
View as plain text