Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency node-forge to v1 [security] - abandoned #136

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency node-forge to v1 [security] - abandoned #136

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Jan 15, 2022
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
node-forge 0.10.0 -> 1.3.0 age adoption passing confidence

GitHub Vulnerability Alerts

GHSA-5rrq-pxf6-6jx5

Impact

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Patches

The forge.debug API and related functions were removed in 1.0.0.

Workarounds

Don't use the forge.debug API directly or indirectly with untrusted input.

References

For more information

If you have any questions or comments about this advisory:

GHSA-gf8q-jrpm-jvxq

Impact

The regex used for the forge.util.parseUrl API would not properly parse certain inputs resulting in a parsed data structure that could lead to undesired behavior.

Patches

forge.util.parseUrl and other very old related URL APIs were removed in 1.0.0 in favor of letting applications use the more modern WHATWG URL Standard API.

Workarounds

Ensure code does not directly or indirectly call forge.util.parseUrl with untrusted input.

References

For more information

If you have any questions or comments about this advisory:

CVE-2022-0122

parseUrl functionality in node-forge mishandles certain uses of backslash such as https:///\ and interprets the URI as a relative path.

CVE-2022-24772

Impact

RSA PKCS#​1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used.

Patches

The issue has been addressed in node-forge 1.3.0.

References

For more information, please see
"Bleichenbacher's RSA signature forgery based on implementation error"
by Hal Finney.

For more information

If you have any questions or comments about this advisory:

CVE-2022-24771

Impact

RSA PKCS#​1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#​1 encoded message to forge a signature when a low public exponent is being used.

Patches

The issue has been addressed in node-forge 1.3.0.

References

For more information, please see
"Bleichenbacher's RSA signature forgery based on implementation error"
by Hal Finney.

For more information

If you have any questions or comments about this advisory:

CVE-2022-24773

Impact

RSA PKCS#​1 v1.5 signature verification code is not properly checking DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.

Patches

The issue has been addressed in node-forge 1.3.0.

For more information

If you have any questions or comments about this advisory:

Release Notes

digitalbazaar/forge

v1.3.0

Compare Source

Security
Fixed
  • [asn1] Add fallback to pretty print invalid UTF8 data.
  • [asn1] fromDer is now more strict and will default to ensuring all input
    bytes are parsed or throw an error. A new option parseAllBytes can disable
    this behavior.
    • NOTE: The previous behavior is being changed since it can lead to
      security issues with crafted inputs. It is possible that code doing custom
      DER parsing may need to adapt to this new behavior and optional flag.
  • [rsa] Add and use a validator to check for proper structure of parsed ASN.1
    RSASSA-PKCS-v1_5 DigestInfo data. Additionally check that the hash
    algorithm identifier is a known value from RFC 8017
    PKCS1-v1-5DigestAlgorithms. An invalid DigestInfo or algorithm identifier
    will now throw an error.
    • NOTE: The previous lenient behavior is being changed to be more strict
      since it could lead to security issues with crafted inputs. It is possible
      that code may have to handle the errors from these stricter checks.
Added
  • [oid] Added missing RFC 8017 PKCS1-v1-5DigestAlgorithms algorithm
    identifiers:
    • 1.2.840.113549.2.2 / md2
    • 2.16.840.1.101.3.4.2.4 / sha224
    • 2.16.840.1.101.3.4.2.5 / sha512-224
    • 2.16.840.1.101.3.4.2.6 / sha512-256

v1.2.1

Compare Source

Fixed
  • [tests]: Load entire module to improve top-level testing and coverage
    reporting.
  • [log]: Refactor logging setup to avoid use of URLSearchParams.

v1.2.0

Compare Source

Fixed
  • [x509] 'Expected' and 'Actual' issuers were backwards in verification failure
    message.
Added
  • [oid,x509]: Added OID 1.3.14.3.2.29 / sha1WithRSASignature for sha1 with
    RSA. Considered a deprecated equivalent to 1.2.840.113549.1.1.5 / sha1WithRSAEncryption. See discussion and
    links    .
Changed
  • [x509]: Reduce duplicate code. Add helper function to create a signature
    digest given an signature algorithm OID. Add helper function to verify
    signatures.

v1.1.0

Compare Source

Fixed
  • [x509]: Correctly compute certificate issuer and subject hashes to match
    behavior of openssl.
  • [pem]: Accept certificate requests with "NEW" in the label. "BEGIN NEW
    CERTIFICATE REQUEST" handled as "BEGIN CERTIFICATE REQUEST".

v1.0.0

Compare Source

Notes
  • 1.0.0!
  • This project is over a decade old! Time for a 1.0.0 release.
  • The URL related changes may expose bugs in some of the networking related
    code (unrelated to the much wider used cryptography code). The automated and
    manual test coverage for this code is weak at best. Issues or patches to
    update the code or tests would be appreciated.
Removed
  • SECURITY, BREAKING: Remove forge.debug API. The API has the
    potential for prototype pollution. This API was only briefly used by the
    maintainers for internal project debug purposes and was never intended to be
    used with untrusted user inputs. This API was not documented or advertised
    and is being removed rather than fixed.
  • SECURITY, BREAKING: Remove forge.util.parseUrl() (and
    forge.http.parseUrl alias) and use the WHATWG URL
    Standard    . URL is supported by modern browers
    and modern Node.js. This change is needed to address URL parsing security
    issues. If forge.util.parseUrl() is used directly or through forge.xhr or
    forge.http APIs, and support is needed for environments without URL
    support, then a polyfill must be used.
  • BREAKING: Remove forge.task API. This API was never used, documented,
    or advertised by the maintainers. If anyone was using this API and wishes to
    continue development it in other project, please let the maintainers know.
    Due to use in the test suite, a modified version is located in
    tests/support/.
  • BREAKING: Remove forge.util.makeLink, forge.util.makeRequest,
    forge.util.parseFragment, forge.util.getQueryVariables. Replace with
    URL, URLSearchParams, and custom code as needed.
Changed
  • BREAKING: Increase supported Node.js version to 6.13.0 for URL support.
  • BREAKING: Renamed master branch to main.
  • BREAKING: Release process updated to use tooling that prefixes versions
    with v. Other tools, scripts, or scanners may need to adapt.
  • BREAKING: Remove docs related to Bower and
    forge-dist. Install using
    another method.
Added
  • OIDs for surname, title, and givenName.
Fixed
  • BREAKING: OID 2.5.4.5 name fixed from serialName to serialNumber.
    Depending on how applications used this id to name association it could cause
    compatibility issues.

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the renovate label Jan 15, 2022
@renovate renovate bot force-pushed the renovate/npm-node-forge-vulnerability branch from 83d3040 to 6c2d846 Compare March 26, 2022 15:56
@renovate
Copy link
Author

renovate bot commented Mar 24, 2023
edited
Loading

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate Renovate
Copy link
Author

renovate bot commented Dec 8, 2024

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

@renovate renovate bot changed the title chore(deps): update dependency node-forge to v1 [security] chore(deps): update dependency node-forge to v1 [security] - abandoned Dec 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
renovate
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@renovate-bot