Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency jsrsasign to v10.5.27 - autoclosed #1485

Closed
wants to merge 1 commit into from
Closed

Update dependency jsrsasign to v10.5.27 - autoclosed #1485

wants to merge 1 commit into from

Conversation

mend-for-github-com[bot]
Copy link

@mend-for-github-com mend-for-github-com bot commented Jun 28, 2022
edited
Loading

This PR contains the following updates:

Package Type Update Change
jsrsasign (source) dependencies minor 10.3.0 -> 10.5.27

By merging this PR, the issue #1484 will be automatically resolved and closed:

Severity CVSS Score CVE
High High 9.8 CVE-2022-25898

Release Notes

kjur/jsrsasign

v10.5.27: extend CertificationRequestInfo class for challengePassword and unstructuredName

Compare Source

  • Changes from 10.5.26 to 10.5.27 (2022-Aug-19)
    • src/asn1csr.js
      • CertificationRequestInfo class
        • add support for challengePassword and unstructuredName (#​522)
        • "attrs" member support in constructure argument
    • test/qunit-do-asn1csr.html

v10.5.26: CSRUtil class enhancement

Compare Source

  • Changes from 10.5.25 to 10.5.26 (2022-Jul-14)
    • src/asn1csr.js
      • CSRUtil.verifySignature method added
      • CSRUtil.getParam enhanced to support optional argument flagTBS
    • test/qunit-do-asn1csr.html
      • update some test cases for above

v10.5.25: CVE-2022-25898 Security fix in JWS and JWT validation

Compare Source

  • Changes from 10.5.24 to 10.5.25 (2022-Jun-23)
    • src/jws.js
      • JWS.verify and JWS.verifyJWT
        • CVE-2022-25898 SECURITY FIX:
          verify and verifyJWT may accept signature with special characters
          or \number characters by mistake.
          Please see security advisory:
          GHSA-3fvg-4v2m-98jf
    • src/base64x.js
      • function isBase64URLDot added
    • test/qunit-do-jwt-veri.html

v10.5.24: X509.getParam bugfix for v1 certificate

Compare Source

  • Changes from 10.5.23 to 10.5.24 (2022-Jun-04)
    • src/x509.js
      • X509.getParam bugfix for X.509v1 certificate without extension

v10.5.23: BitString parsing bug fix

Compare Source

  • Changes from 10.5.22 to 10.5.23 (2022-May-27)
    • src/base64x.js
      • bitstrtobinstr bugfix fix
    • src/asn1hex.js
      • ASN1HEX.parse change for bin string range
    • npm/lib/footers.js
      • add missed exports (bitstrtobinstr, binstrtobitstr,
        namearraytobinstr, extendClass)
    • test/qunit-do-{asn1hex-parse,base64x}.html
      • add and fix some test cases for above

v10.5.22: DERBitString, KeyUsage and tsp PKIFailureInfo critical bug fix

Compare Source

  • Changes from 10.5.21 to 10.5.22 (2022-May-24)
    • src/asn1.js
      • DERBitString critical bugfix
    • src/asn1tsp.js
      • PKIFailureInfo critical bugfix
    • src/asn1x509.js
      • KeyUsage critical bugfix
    • src/base64.x
      • namearraytobinstr critical bugfix
    • test/qunit-do-{asn1,asn1tsp,asn1x509,base64x}.html
      • add and fix some test cases for above

v10.5.21

Compare Source

v10.5.20: OCSP ResponderID object udpate

Compare Source

  • Changes from 10.5.19 to 10.5.20 (2022-Apr-25)
    • src/asn1ocsp.js
      • ResponderID class now also supports PEM certificate or
        X509 object for key and name field.
    • test/qunit-do-asn1ocsp.html
      • add some test cases and fix for above
    • remove silver sponsor

v10.5.19: Time stamp package update

Compare Source

  • Changes from 10.5.18 to 10.5.19 (2022-Apr-23)
    • src/asn1tsp.js
      • TimeStampResp class update to statusinfo member
        will be optional. If omitted, it will be "granted" by default.
      • API manual update for more detail

v10.5.18: Time stamp package update

Compare Source

  • Changes from 10.5.17 to 10.5.18 (2022-Apr-22)
    • src/asn1tsp.js
      • TSPParser.getTimeStampReq added
      • TSPUtil.parse{TimeStampReq,MessageImprint} now DEPRECATED. Please use TSPParser.
    • test/qunit-do-asn1tsp.html
      • add some test cases and fix for above

v10.5.17: CIDR subnet mask support in iptohex and hextoip

Compare Source

  • Changes from 10.5.16 to 10.5.17 (2022-Apr-14)
    • src/asn1x509.js
      • add IP address support in NameConstraints class
      • bugfix in NameConstraints ip address
      • wrong ASN.1 encoder in NameConstraints class bug fix (wrong explicit tag)
    • src/base64x.js
      • add CIDR subnet mask support in iptohex and hextoip
      • iptohex, hextoip refactoring
    • test/qunit-do-{x509-ext,base64x,asn1x509-tbscert,asn1x509}.html
      • add some test cases and fix for above

v10.5.16: Add NameConstraints extension and modify getEncodedHex to tohex

Compare Source

  • Changes from 10.5.15 to 10.5.16 (2022-Apr-08)
    • src/asn1x509.js
      • NameConstraints and GeneralSubtree class added
      • add support for nameConstraints in Extensions class
      • remove old GeneralName code
    • src/x509.js
      • getExtNameConstraints and getGeneralSubbtree method added
      • add support for nameConstraints in getParam method
      • X509.getParam supports optional arguments:
        • tbshex: to return hexadecimal tbsCertificate value
        • nodnarray: delete array member of subject and issuer
          in the result.
    • src/x509crl.js
      • X509CRL.getParam supports optional arguments:
        • tbshex: to return hexadecimal tbsCertList value
        • nodnarray: delete array member of subject and issuer
          in the result.
    • src/asn1.js
      • ASN1Object.tohex() method added
      • ASN1Object.getEncodedHex() method is now DEPRECATED.
        Please use ASN1Object.tohex() instead.
      • clean up some codes
    • src/*.js
      • update for ASN1Object.tohex()
    • test/qunit-do-x509-ext.html
      • getExtNameConstraints and getGeneralSubtree method test added
    • test/qunit-do-asn1x509.html
      • NameConstraints and GeneralSubtree class test added
    • test/qunit-do-asn1-newobj.html
      • int and tag test refactoring
      • bugfix

v10.5.15: X509.getExtCRLDistributionPointsURI small fix

Compare Source

  • Changes from 10.5.14 to 10.5.15 (2022-Apr-06)
    • src/x509.js
      • fix X509.getExtCRLDistributionPointsURI. This returns
        undefined when no CDP extension as specified in document
        even though it is deprecated method.

v10.5.14: KEYUTIL.getPEM small fix

Compare Source

  • Changes from 10.5.13 to 10.5.14 (2022-Mar-28)
    • src/keyutil.js
      • fix KEYUTIL.getPEM when public key is not specified for ECDSA object.
        optional public key field will be omitted in such case. (#​549)
    • test/qunit-do-*.html
      • test case added for above updates.

v10.5.13: RSA key private generation fix

Compare Source

  • Changes from 10.5.12 to 10.5.13 (2022-Mar-18)
    • ext/rsa2.js
      • fix RSAGenerate for checking |p - q| (#​546)

v10.5.12: support ISO 8859-1 TeletexString and BMPString for X500Name

Compare Source

  • Changes from 10.5.11 to 10.5.12 (2022-Mar-13)
    • src/asn1hex.js
      • ASN1HEX.parse fixed for TeletexString and BMPString
      • ASN1HEX.parse TeletexString supports non-ASCII
        ISO 8859-1 Latin1 characters. Before this version,
        only supports ASCII characters.
      • hextoipv6 bug fix raised in some of enviroment
    • src/base64x.js
      • iso88591hextoutf8/utf8toiso88591hex added
      • iso88591hextoutf8hex/utf8hextoiso88591hex added
      • hextoipv6 fixed
    • src/x509.js
      • refactoring for X509.get{X500NameArray,RDN,AttrTypeAndValue}.
        Add support for Teletex/BMPString and more attrTypes
    • test/qunit-do-*.html
      • test case added for above updates.
        • qunit-do-base64x: add iso8859-1 / utf-8 converter tests
        • qunit-do-asn1hex-parse: add TeletexString parse tests
        • qunit-do-x509-ext: add NumericString/TeletexString X500Name tests

v10.5.11: asn1hex update

Compare Source

  • Changes from 10.5.10 to 10.5.11 (2022-Mar-12)
    • src/ash1hex.js
      • ASN1HEX.parse add NumericStiring(x12) support
      • ASN1HEX.parse fix for "8x" tag (non structured tag)
    • test/qunit-do-asn1hex.html
      • test case added for above updates.

v10.5.10: hextoipv6 fix

Compare Source

  • Changes from 10.5.9 to 10.5.10 (2022-Mar-10)
    • src/base64x.js
      • fix hextoipv6 for shrinking leading zeros (#​536)
    • test/qunit-do-base64x.html
      • test case added for above updates.

v10.5.9: small fix

Compare Source

  • Changes from 10.5.8 to 10.5.9 (2022-Mar-10)
    • src/base64x.js
    • src/asn1csr.js
    • test/qunit-do-{base64x,asn1csr}.html
      • test case update for above updates.

v10.5.8: OCSP CertID and X509 class update

Compare Source

  • Changes from 10.5.7 to 10.5.8 (2022-Feb-25)
    • src/asn1ocsp.js
      • CertID class refactoring
      • CertID.getParamByCerts method added
    • src/x509.js
      • DEPRECATED getPublicKeyHex method (use getSPKI instead)
      • getSPKI, getSPKIValue method added
      • getExtCRLDistributionPointsURI bugfix
      • API document fix
    • test/qunit-do-{asn1ocsp,x509-ext,x509,x509-v1}.html
      • test case update and bugfix for above updates.

v10.5.7: X509CRL.findRevCert bugfix for empty revCerts

Compare Source

  • Changes from 10.5.6 to 10.5.7 (2022-Feb-19)
    • src/x509crl.js
      • X509CRL.{findRevCert,findRevCertBySN} method fix for empty revCerts

v10.5.6: X509CRL.findRevCert bugfix

Compare Source

  • Changes from 10.5.5 to 10.5.6 (2022-Feb-17)
    • src/x509crl.js X509CRL class
      • fix sn error in findRevCert

v10.5.5: CRL parser update

Compare Source

  • Changes from 10.5.4 to 10.5.5 (2022-Feb-17)
    • src/x509crl.js X509CRL class
      • add getIssuerHex method
      • add findRevCert method
      • add findRevCertBySN method
    • test/x509crl.html update

v10.5.4: ASN.1 parser update and fix

Compare Source

  • Changes from 10.5.3 to 10.5.4 (2022-Feb-15)
    • src/asn1.js
      • DERTaggedObject
        • refactoring
        • add {tag: xx, str:"aaa"} parameter support
        • add {tag: xx, hex:"616161"} parameter support
        • setASN1Object method now deprecated. Please use setByParam
    • src/asn1hex.js
      • ASN1HEX.parse
        • add encapsulated OctetString, BitString support
        • add encapsulated structured TaggedObject support
        • changed to return binary string for 3byte or less BitString value
        • ObjectIdentifier fix when undefined OID name
    • src/base64x.js
      • added bitstrtobinstr/binstrtobitstr
      • utf8tohex fix for lower case hexadecimal string
      • hextoutf8 fix for improper hexadecimal string for UTF-8
      • bitstrtoint/inttobitstr fix for error case return
    • test/qunit-do-asn1.html
      • TaggedObject test case update
    • test/qunit-do-asn1hex-parse.html
      • BitString, TaggedObject test case update
    • test/qunit-do-base64x.html
      • hextoutf8/utf8tohex testcase update
      • bitstrtobinstr/binstrtobitstr testcase added

v10.5.3: add OtherName support in GeneralName

Compare Source

  • Changes from 10.5.2 to 10.5.3 (2022-Feb-10)
    • add otherName support in GeneralName by PR
      with small update (#​535)
    • src/asn1x509.js
      • add otherName of GeneralName support (#​535)
      • GeneralName class refactoring
      • add OtherName class
    • src/x509.js
      • add otherName of GeneralName support
    • src/asn1hex.js
      • add ASN1HEX.parse method
    • src/asn1.js
      • API doc and error exception fix
    • test/qunit-do-{asn1x509,x509-ext}.html
      • test case added
    • test/qunit-do-asn1hex-parse.html added

v10.5.2: small update for OID and JWK

Compare Source

  • Changes from 10.5.1 to 10.5.2 (2022-Feb-08)
    • src/asn1x509.js
      • add OID.{registerOIDs,checkOIDs} method
    • src/keyutil.js
      • getJWK, getJWKFromKey API doc update
    • test/qunit-do-asn1x509.html updated
      • test case added

v10.5.1: add KEYUTIL.getJWK, fix EC P-521 concat signature value and add support for P-521 JWS JWK

Compare Source

  • Changes from 10.5.0 to 10.5.1 (2021-Dec-01)
    • fix ECC P-521 curve issues (#​528)
      • src/ecdsa-modified.js
        • asn1SigToConcatSig fix P521 issue
        • concatSigToASN1Sig fix P521 issue
      • src/jws.js
        • add ES512 support
      • src/keyutil.js
        • fix P-521 issue in getKey,getJWKFromKey,
      • tool/tool_jwt.html
        • add ES512 support
      • test/qunit-do-ecdsamod-s.html
        • add P-521 asn1SigToConcatSig tests
        • add P-521 concatSigToASN1Sig tests
      • test/qunit-do-ecdsamod.html
        • add sha512 tests
      • test/qunit-do-jws-sign.html
        • add signing and verification ES512 test
      • test/qunit-do-keyutil-ec.html
        • add P-521 key test
      • test/qunit-do-keyutil-jwk.html
        • add P-521 private key test
      • test/qunit-do-x509-key.html
        • add P-521 certificate test
    • JWK from X509 certificate (#​529)
      • this PR was merged but
        • X509.getPublicKeyJWK was moved to KEYUTIL.getJWK
        • some tests in qunit-do-x509-jwk was moved to
          qunit-do-keyutil-jwk
        • readCertJWK was removed
    • src/keyutil
      • KEYUTIL.getJWK added and x5c/x5t/x5t#S256/kid member support
      • KEYUTIL.getJWKFromKey now deprecated
    • src/ecdsa-modified.js
      • missing variable definition fix (#​527)
    • test/qunit-do-x509.html test error fix
    • Great appreciate for @​cplussharp 's contribution.

v10.5.0: Add EC support for secp521r1 secp224r1 secp192r1

Compare Source

  • Changes from 10.4.1 to 10.5.0
    • Add EC support for secp521r1 secp224r1 secp192r1 (#​521 #​519)
      Thank you indeed for @​cplussharp 's great work.
      • EC key length bugs for newly supported curves are fixed.
        • src/ecdsa-modified: key length fixes
        • src/ecparam.js: add keycharlen property
        • src/asn1x509.js: add secp521r1 OID
        • test/qunit-do-ecdsamod.html: all test code passed
        • test/qunit-do-ecdsamod-unsupport.html: all test code passed
        • test/qunit-do-ecdsamod-s.html: all test code passed
        • test/qunit-do-ecdsamod-nisttv.html: added for NIST EC keygen test
        • sample/sample-ecdsa.html: add P-521
    • sample/sample-rsasign.html
      • fix to trim non hexadecimal strings (#​517)

v10.4.1: GeneralizedTime, UTCTime refactoring and some bug fix

Compare Source

  • Changes from 10.4.0 to 10.4.1 release
    • src/asn1.js
      • refactoring of DERUTCTime, DERGeneralizedTime and DERAbstractTime
      • now DERUTCTime support fraction of second
    • src/asn1x509.js
      • update Time class to follow DER{UTC,Generalized}Time update
    • tool/tool_tsreq.html
    • tool/tool_tsres.html
    • jsrsasign-*-min.js
      • header URL fix to kjur.github.io (#​503)
        (will be fixed in next release while rebuild)
    • test/qunit-do-{asn1,asn1x509}.html updated
      • KJUR.asn1.DER{UTC,Generalized}Time, KJUR.asn1.x509.Time class
        test case added and updated.

v10.4.0: Full support for parsing OCSP response

Compare Source

  • Changes from 10.3.2 to 10.4.0 (2021-08-17)
    • asn1ocsp.js
      • add OCSP response parser support in OCSPParser class (request #​501)
      • OCSPParser.get{OCSPResponse,ResponseBytes,BasicOCSPResponse,ResponseData,ResponderID,SingleResponseList,SingleResponse,CertStatus} methods added
      • DEPRECATED: OCSPUtil.getOCSPResponseInfo
    • test/qunit-do-asn1ocsp.html updated
      • add test for OCSP response parser

v10.3.2: fix wrong OCSPRequest for EC public key certificate

Compare Source

  • Changes from 10.3.1 to 10.3.2
    • asn1ocsp.js
      • CertID.setByCert fixed for issuer EC public key (#​500)
  • If you want to rebase/retry this PR, check this box

@mend-for-github-com mend-for-github-com bot added the security fix Security fix generated by Mend label Jun 28, 2022
@mend-for-github-com
Copy link
Author

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
error @1.1.0: The engine "node" is incompatible with this module. Expected version ">= 12.0.0 < 15". Got "16.15.1"
error Found incompatible module.

@mend-for-github-com mend-for-github-com bot changed the title Update dependency jsrsasign to v10.5.25 chore(deps): update dependency jsrsasign to v10.5.25 Sep 29, 2022
@mend-for-github-com mend-for-github-com bot changed the title chore(deps): update dependency jsrsasign to v10.5.25 Update dependency jsrsasign to v10.5.25 Oct 24, 2022
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/jsrsasign-10.x-lockfile branch from e17db20 to 781e98d Compare November 6, 2022 03:31
@mend-for-github-com mend-for-github-com bot changed the title Update dependency jsrsasign to v10.5.25 Update dependency jsrsasign to v10.5.27 Nov 6, 2022
@mend-for-github-com mend-for-github-com bot changed the title Update dependency jsrsasign to v10.5.27 Update dependency jsrsasign to v10.5.27 - autoclosed Feb 20, 2024
@mend-for-github-com mend-for-github-com bot deleted the whitesource-remediate/jsrsasign-10.x-lockfile branch February 20, 2024 04:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
security fix Security fix generated by Mend
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants