Register | Log in

node-node-forge

JavaScript implementation of TLS and more - Node library

Choose email to subscribe with

general

source: node-node-forge (main)
version: 1.3.0~dfsg-1
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Jonas Smedegaard [DMD]
arch: all
std-ver: 4.6.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 0.8.1~dfsg-1
stable: 0.10.0~dfsg-3
testing: 1.3.0~dfsg-1
unstable: 1.3.0~dfsg-1

versioned links

0.8.1~dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.10.0~dfsg-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.3.0~dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libjs-node-forge
node-node-forge

action needed

A new upstream version is available: 1.3.1 high

A new upstream version 1.3.1 is available, you should consider packaging it.

Created: 2022-03-31 Last update: 2022-05-18 06:02

4 low-priority security issues in buster low

There are 4 open security issues in buster.

4 issues left for the package maintainer to handle:

CVE-2020-7720: (needs triaging) The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
CVE-2022-24771: (needs triaging) Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.
CVE-2022-24772: (needs triaging) Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.
CVE-2022-24773: (needs triaging) Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2022-03-28 07:05

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.6.0).

Created: 2022-05-11 Last update: 2022-05-11 23:24

news

[2022-03-28] node-node-forge 1.3.0~dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-03-23] Accepted node-node-forge 1.3.0~dfsg-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-02-14] node-node-forge 1.2.1~dfsg-2 MIGRATED to testing (Debian testing watch)
[2022-02-08] Accepted node-node-forge 1.2.1~dfsg-2 (source) into unstable (Jonas Smedegaard)
[2022-02-08] Accepted node-node-forge 1.2.1~dfsg-1 (source) into unstable (Jonas Smedegaard)
[2022-02-08] Accepted node-node-forge 0.10.0~dfsg-4 (source) into unstable (Jonas Smedegaard)
[2020-12-08] node-node-forge 0.10.0~dfsg-3 MIGRATED to testing (Debian testing watch)
[2020-12-02] Accepted node-node-forge 0.10.0~dfsg-3 (source) into unstable (Jonas Smedegaard)
[2020-12-02] Accepted node-node-forge 0.10.0~dfsg-2 (source) into unstable (Jonas Smedegaard)
[2020-09-19] node-node-forge 0.10.0~dfsg-1 MIGRATED to testing (Debian testing watch)
[2020-09-17] Accepted node-node-forge 0.10.0~dfsg-1 (source) into unstable (Jonas Smedegaard)
[2019-10-27] node-node-forge 0.9.1~dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-10-22] Accepted node-node-forge 0.9.1~dfsg-1 (source) into unstable (Jonas Smedegaard)
[2019-09-03] node-node-forge 0.8.5~dfsg-2 MIGRATED to testing (Debian testing watch)
[2019-08-28] Accepted node-node-forge 0.8.5~dfsg-2 (source) into unstable (Jonas Smedegaard)
[2019-07-17] node-node-forge 0.8.5~dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-07-15] Accepted node-node-forge 0.8.5~dfsg-1 (source) into unstable (Jonas Smedegaard)
[2019-03-09] node-node-forge 0.8.1~dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-02-26] Accepted node-node-forge 0.8.1~dfsg-1 (source) into unstable (Jonas Smedegaard)
[2019-01-15] node-node-forge 0.7.6~dfsg-2 MIGRATED to testing (Debian testing watch)
[2019-01-13] Accepted node-node-forge 0.7.6~dfsg-1 (source all) into unstable, unstable (Jonas Smedegaard)
[2019-01-13] Accepted node-node-forge 0.7.6~dfsg-2 (source all) into unstable, unstable (Jonas Smedegaard)

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.2.1~dfsg-2

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing