Debian Package Tracker

node-node-forge

JavaScript implementation of TLS and more - Node library


general
  • source: node-node-forge (main)
  • version: 1.3.0~dfsg-1
  • maintainer: Debian Javascript Maintainers (archive) (DMD)
  • uploaders: Jonas Smedegaard [DMD]
  • arch: all
  • std-ver: 4.6.0
  • VCS: Git (Browse, QA)
versions
  • oldstable: 0.8.1~dfsg-1
  • stable: 0.10.0~dfsg-3
  • testing: 1.3.0~dfsg-1
  • unstable: 1.3.0~dfsg-1
binaries
  • libjs-node-forge
  • node-node-forge
action needed
A new upstream version is available: 1.3.1 [high]
A new upstream version 1.3.1 is available, you should consider packaging it.
Created: 2022-03-31 Last update: 2022-05-18 06:02
4 low-priority security issues in buster [low]

There are 4 open security issues in buster.

4 issues left for the package maintainer to handle:
  • CVE-2020-7720: (needs triaging) The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
  • CVE-2022-24771: (needs triaging) Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.
  • CVE-2022-24772: (needs triaging) Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for trailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.
  • CVE-2022-24773: (needs triaging) Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.

You can find information about how to handle these issues in the security team's documentation.

Created: 2021-02-19 Last update: 2022-03-28 07:05
Standards version of the package is outdated. [wishlist]
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.6.0).
Created: 2022-05-11 Last update: 2022-05-11 23:24
news
  • [2022-03-28] node-node-forge 1.3.0~dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2022-03-23] Accepted node-node-forge 1.3.0~dfsg-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-02-14] node-node-forge 1.2.1~dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2022-02-08] Accepted node-node-forge 1.2.1~dfsg-2 (source) into unstable (Jonas Smedegaard)
  • [2022-02-08] Accepted node-node-forge 1.2.1~dfsg-1 (source) into unstable (Jonas Smedegaard)
  • [2022-02-08] Accepted node-node-forge 0.10.0~dfsg-4 (source) into unstable (Jonas Smedegaard)
  • [2020-12-08] node-node-forge 0.10.0~dfsg-3 MIGRATED to testing (Debian testing watch)
  • [2020-12-02] Accepted node-node-forge 0.10.0~dfsg-3 (source) into unstable (Jonas Smedegaard)
  • [2020-12-02] Accepted node-node-forge 0.10.0~dfsg-2 (source) into unstable (Jonas Smedegaard)
  • [2020-09-19] node-node-forge 0.10.0~dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2020-09-17] Accepted node-node-forge 0.10.0~dfsg-1 (source) into unstable (Jonas Smedegaard)
  • [2019-10-27] node-node-forge 0.9.1~dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2019-10-22] Accepted node-node-forge 0.9.1~dfsg-1 (source) into unstable (Jonas Smedegaard)
  • [2019-09-03] node-node-forge 0.8.5~dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2019-08-28] Accepted node-node-forge 0.8.5~dfsg-2 (source) into unstable (Jonas Smedegaard)
  • [2019-07-17] node-node-forge 0.8.5~dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2019-07-15] Accepted node-node-forge 0.8.5~dfsg-1 (source) into unstable (Jonas Smedegaard)
  • [2019-03-09] node-node-forge 0.8.1~dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2019-02-26] Accepted node-node-forge 0.8.1~dfsg-1 (source) into unstable (Jonas Smedegaard)
  • [2019-01-15] node-node-forge 0.7.6~dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2019-01-13] Accepted node-node-forge 0.7.6~dfsg-1 (source all) into unstable, unstable (Jonas Smedegaard)
  • [2019-01-13] Accepted node-node-forge 0.7.6~dfsg-2 (source all) into unstable, unstable (Jonas Smedegaard)
bugs
  • all: 1
  • RC: 0
  • I&N: 1
  • M&W: 0
  • F&P: 0
  • patch: 0
ubuntu
  • version: 1.2.1~dfsg-2
