Comment # 2 on bug 1232951 from Alexandre Vicenzi
Traefik does not have a direct dependency on github.com/golang-jwt/jwt/v4.

I have found the following uses:

JWT library is a dependency of github.com/Azure/go-autorest/autorest, which is
a dependency of go-acme/lego, which is a dependency of Traefik.

JWT library is a dependency of github.com/yandex-cloud/go-sdk, which is a
dependency of go-acme/lego, which is a dependency of Traefik.

In both cases, this should only affect users of the Let's Encrypt certificate
resolver with Azure or Yandex Cloud as a DNS challenge provider, but I did not
find any calls to jwt.Parse and jwt.ParseWithClaims in the files that use this
library.

Given the nature of this dependency, it might take a while until all
dependencies and sub-dependencies are updated in Traefik.

I could not find the affected code being used; it seems that this CVE does not
affect Traefik or its dependencies at this moment.

Given the low score of this CVE, this fix is not critical.

The version in the bug is set to Leap 15.5; Traefik is not even in Leap, only
in Tumbleweed.
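
One way to enumerate the transitive chains listed in the comment above is to walk `go mod graph` output; this is an added example, not part of the original comment or of Traefik's code. The Traefik and lego module paths, every version string, and the gorilla/mux edge are constructed assumptions; only the module names from the comment are taken from the page.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in `go mod graph` format ("parent child"); versions are placeholders.
const sampleGraph = `github.com/traefik/traefik/v2 github.com/go-acme/lego/v4@v0.0.0-sample
github.com/traefik/traefik/v2 github.com/gorilla/mux@v0.0.0-sample
github.com/go-acme/lego/v4@v0.0.0-sample github.com/Azure/go-autorest/autorest@v0.0.0-sample
github.com/go-acme/lego/v4@v0.0.0-sample github.com/yandex-cloud/go-sdk@v0.0.0-sample
github.com/Azure/go-autorest/autorest@v0.0.0-sample github.com/golang-jwt/jwt/v4@v0.0.0-sample
github.com/yandex-cloud/go-sdk@v0.0.0-sample github.com/golang-jwt/jwt/v4@v0.0.0-sample
`

// DependencyChains lists every chain from the main module to the target module path.
func DependencyChains(graph, target string) (chains []string) {
	edges, root := map[string][]string{}, ""
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			if root == "" && !strings.Contains(f[0], "@") {
				root = f[0] // main module: the only node without @version
			}
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	onPath := map[string]bool{} // cycle guard: module graphs may contain loops
	var walk func(node string, trail []string)
	walk = func(node string, trail []string) {
		trail = append(trail, strings.SplitN(node, "@", 2)[0])
		if trail[len(trail)-1] == target {
			chains = append(chains, strings.Join(trail, " -> "))
			return
		}
		onPath[node] = true
		for _, next := range edges[node] {
			if !onPath[next] {
				walk(next, trail)
			}
		}
		onPath[node] = false
	}
	walk(root, nil)
	return chains
}

func main() {
	fmt.Println(strings.Join(DependencyChains(sampleGraph, "github.com/golang-jwt/jwt/v4"), "\n"))
}
```

A chain only shows that the module is pulled into the build; whether the affected functions are actually called still has to be checked in the importing packages, as the comment does for jwt.Parse and jwt.ParseWithClaims.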

