
fix(deps): update dependency node-forge to v1.3.0 [security] #20727

Merged (1 commit), Mar 23, 2022

Conversation

renovate[bot] (Contributor) commented Mar 22, 2022

WhiteSource Renovate

This PR contains the following updates:

Package: node-forge
Change: 1.0.0 -> 1.3.0

GitHub Vulnerability Alerts

CVE-2022-24771

Impact

RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses the unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used.

Patches

The issue has been addressed in node-forge 1.3.0.

References

For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.

CVE-2022-24772

Impact

RSA PKCS#1 v1.5 signature verification code does not check for trailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used.

Patches

The issue has been addressed in node-forge 1.3.0.

References

For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.

CVE-2022-24773

Impact

RSA PKCS#1 v1.5 signature verification code is not properly checking DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.

Patches

The issue has been addressed in node-forge 1.3.0.

Release Notes

digitalbazaar/forge

v1.3.0

Security
Fixed
  • [asn1] Add fallback to pretty print invalid UTF8 data.
  • [asn1] fromDer is now more strict and will default to ensuring all input
    bytes are parsed or throw an error. A new option parseAllBytes can disable
    this behavior.
    • NOTE: The previous behavior is being changed since it can lead to
      security issues with crafted inputs. It is possible that code doing custom
      DER parsing may need to adapt to this new behavior and optional flag.
  • [rsa] Add and use a validator to check for proper structure of parsed ASN.1
    RSASSA-PKCS-v1_5 DigestInfo data. Additionally check that the hash
    algorithm identifier is a known value from RFC 8017
    PKCS1-v1-5DigestAlgorithms. An invalid DigestInfo or algorithm identifier
    will now throw an error.
    • NOTE: The previous lenient behavior is being changed to be more strict
      since it could lead to security issues with crafted inputs. It is possible
      that code may have to handle the errors from these stricter checks.
Added
  • [oid] Added missing RFC 8017 PKCS1-v1-5DigestAlgorithms algorithm
    identifiers:
    • 1.2.840.113549.2.2 / md2
    • 2.16.840.1.101.3.4.2.4 / sha224
    • 2.16.840.1.101.3.4.2.5 / sha512-224
    • 2.16.840.1.101.3.4.2.6 / sha512-256

v1.2.1

Fixed
  • [tests]: Load entire module to improve top-level testing and coverage
    reporting.
  • [log]: Refactor logging setup to avoid use of URLSearchParams.

v1.2.0

Fixed
  • [x509] 'Expected' and 'Actual' issuers were backwards in verification failure
    message.
Added
  • [oid,x509]: Added OID 1.3.14.3.2.29 / sha1WithRSASignature for sha1 with
    RSA. Considered a deprecated equivalent to 1.2.840.113549.1.1.5 /
    sha1WithRSAEncryption. See discussion and links.
Changed
  • [x509]: Reduce duplicate code. Add helper function to create a signature
    digest given a signature algorithm OID. Add helper function to verify
    signatures.

v1.1.0

Fixed
  • [x509]: Correctly compute certificate issuer and subject hashes to match
    behavior of openssl.
  • [pem]: Accept certificate requests with "NEW" in the label. "BEGIN NEW
    CERTIFICATE REQUEST" handled as "BEGIN CERTIFICATE REQUEST".

Configuration

📅 Schedule: "" in timezone America/New_York.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner March 22, 2022 13:50
@renovate renovate bot requested review from rockhold and removed request for a team March 22, 2022 13:50
@renovate renovate bot added renovate Triggered by renovatebot type: dependencies labels Mar 22, 2022
cypress-bot (Contributor) commented Mar 22, 2022

See the guidelines for reviewing dependency updates for info on how to review dependency update PRs.

cypress bot commented Mar 22, 2022

Test summary

19343 0 218 0 | Flakiness 2


Run details

Project cypress
Status Passed
Commit fe63e9d
Started Mar 22, 2022 10:18 PM
Ended Mar 22, 2022 10:30 PM
Duration 12:10
OS Linux Debian - 10.10
Browser Multiple

Flakiness

reporter.hooks.spec.js Flakiness
1 hooks > can rerun without timeout error leaking into next run (due to run restart)
cypress/proxy-logging_spec.ts Flakiness
1 Proxy Logging > request logging > xhr log has response body/status code when xhr response is logged second

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings. You can manage this integration in this project's settings in the Cypress Dashboard

emilyrohrbough previously approved these changes Mar 22, 2022

Verified: this commit was signed with the committer's verified signature (renovate-bot, Mend Renovate).
@renovate renovate bot force-pushed the renovate/npm-node-forge-vulnerability branch from 4aecab4 to fe63e9d Compare March 22, 2022 22:13
@emilyrohrbough emilyrohrbough merged commit 3dc03a3 into develop Mar 23, 2022
@emilyrohrbough emilyrohrbough deleted the renovate/npm-node-forge-vulnerability branch March 23, 2022 14:04
cypress-bot (Contributor) commented Mar 28, 2022

Released in 9.5.3.

This comment thread has been locked. If you are still experiencing this issue after upgrading to Cypress v9.5.3, please open a new issue.

@cypress-bot cypress-bot bot locked as resolved and limited conversation to collaborators Mar 28, 2022