cheeriogs
cheeriogs copied to clipboard
tani
Update dependency node-forge to 1.0.0 [SECURITY] - abandoned
This PR contains the following updates:
| Package | Change |
|---|---|
| node-forge | 1.2.1 -> 1.3.0 |
GitHub Vulnerability Alerts
CVE-2022-24771
Impact
RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used.
Patches
The issue has been addressed in node-forge 1.3.0.
References
For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.
For more information
If you have any questions or comments about this advisory:
- Open an issue in forge
- Email us at example email address
CVE-2022-24772
Impact
RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used.
Patches
The issue has been addressed in node-forge 1.3.0.
References
For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.
For more information
If you have any questions or comments about this advisory:
- Open an issue in forge
- Email us at example email address
CVE-2022-24773
Impact
RSA PKCS#1 v1.5 signature verification code is not properly checking DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.
Patches
The issue has been addressed in node-forge 1.3.0.
For more information
If you have any questions or comments about this advisory:
- Open an issue in forge
- Email us at example email address
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled due to failing status checks.
♻ Rebasing: Renovate will not automatically rebase this PR, because other commits have been found.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, click this checkbox. ⚠ Warning: custom changes will be lost.
This PR has been generated by Mend Renovate. View repository job log here.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}
Autoclosing Skipped
This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.