Hi Brian,

On Tue, Dec 01, 2020 at 09:01:37AM +1100, Brian May wrote:
> I note this package - golang-github-dgrijalva-jwt-go - has been marked
> as vulnerable to CVE-2020-26160 in both Debian stretch and buster.
>
> https://security-tracker.debian.org/tracker/CVE-2020-26160
>
> But I can't find any code in these versions that even mentions the
> aud/audience fields.
>
> So I plan to mark these versions as not vulnerable.

Were you able to track down in which version the vulnerability was
introduced?

Regards,
Salvatore