The latest ekuiper v.1.14.2 has a high severity vulnerability [CVE-2024-28180]

[mark-miller-dev]

The latest Ekuiper version v.1.14.2 has a high severity vulnerability [CVE-2024-28180] [gopkg.in/square/go-jose.v2] [v2.6.0]
which is release blocker for our project.
The recommended fixed version >=2.6.3 ("This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3."(c))
E.g, the resource - https://github.com/go-jose/go-jose/tree/v2.6.3,
the dependency - github.com/go-jose/go-jose/v2 v2.6.3

Could you please make this upgrade in the Ekuiper's go.mod?

Thanks,Mark

[Yisaer]

Hi @mark-miller-dev :

ekuiper introduced gopkg.in/square/go-jose.v2 v2.6.0 // indirect by github.com/openziti/sdk-golang v0.23.37, so we need the latest github.com/openziti/sdk-golang upgrade go-jose to v2.6.3

[OlgasAcc]

Hi @mark-miller-dev, @Yisaer,
I see the corresponding PR is already open in openziti's repo a 2 weeks ago: zitadel/oidc#630 for the issue openziti/sdk-golang#607, but still not merged

[mark-miller-dev]

Fixed! thanks, guys