Bug#1008154: buster-pu: package node-node-forge/0.8.1~dfsg-1+deb10u1

To: Yadd <yadd@debian.org>, 1008154@bugs.debian.org
Subject: Bug#1008154: buster-pu: package node-node-forge/0.8.1~dfsg-1+deb10u1
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Fri, 05 Aug 2022 19:44:43 +0100
Message-id: <[🔎] af75bfcef322117b9004319d26a0b86bcba9fa94.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 1008154@bugs.debian.org
In-reply-to: <164803138484.956104.3949132677709769484.reportbug@debian007.xnr.fr>
References: <164803138484.956104.3949132677709769484.reportbug@debian007.xnr.fr> <164803138484.956104.3949132677709769484.reportbug@debian007.xnr.fr>

Control: tags -1 + confirmed

On Wed, 2022-03-23 at 11:29 +0100, Yadd wrote:
> node-node-forge signature verification code is lenient in checking
> the digest
> algorithm structure. This can allow a crafted structure that steals
> padding
> bytes and uses unchecked portion of the PKCS#1 encoded message to
> forge a
> signature when a low public exponent is being used. The issue has
> been
> addressed in `node-forge` version 1.3.0.
> 

Please go ahead; sorry for the delay.

Regards,

Adam

Reply to:

Prev by Date: Processed: Re: Bug#1008154: buster-pu: package node-node-forge/0.8.1~dfsg-1+deb10u1
Next by Date: Bug#1008163: buster-pu: package node-minimist/1.2.0-1+deb10u2
Previous by thread: Bug#1009076: buster-pu: minidlna/1.2.1+dfsg-2+deb10u3
Next by thread: Processed: Re: Bug#1008154: buster-pu: package node-node-forge/0.8.1~dfsg-1+deb10u1
Index(es):
- Date
- Thread