
Re: [NodeJS NPM] security concerns



Hi Pedro,

On Wed, October 2, 2013 00:57, Pedro Worcel wrote:
> NPM nodejs package manager doesn't check for https signatures communicating
> with the central repo, which could give an attacker with MITM capabilities
> the possibility to execute code.
>
> The issue is here <https://github.com/isaacs/npm/issues/1204>.

Thanks for raising this here. I'm very much in agreement with the
submitter that this process should be secure, but can sympathize with
upstream who is annoyed by being told what to do and how to manage his
issue tracker. But of course, in the end it should be secure.

I'm not a node expert, but from the issue it seems that a patch was at
least committed two years ago that does some kind of certificate checking.

Perhaps best is if you file this as a bug in the Debian BTS, so it can be
discussed with the npm maintainers to see how to best approach this.


Cheers,
Thijs
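An added example, not part of the original thread: a small JavaScript audit of an `.npmrc` file that flags the two settings which would leave registry traffic unauthenticated in the way the report describes (a plain-HTTP registry URL, or `strict-ssl=false`). The sample `.npmrc` contents are constructed for this example; `registry` and `strict-ssl` are real npm configuration keys.

```javascript
// Added example (not from the original thread): audit an .npmrc for settings
// that leave registry traffic open to interception, i.e. the failure mode the
// thread describes (no certificate checking when talking to the registry).
// The two .npmrc samples below are constructed for this example.

const INSECURE_NPMRC = [
  '# constructed sample: weak settings',
  'registry=http://registry.npmjs.org/',   // plain HTTP: no TLS at all
  'strict-ssl=false',                      // certificate errors are ignored
].join('\n');

const HARDENED_NPMRC = [
  '# constructed sample: corrected settings',
  'registry=https://registry.npmjs.org/',  // TLS transport
  'strict-ssl=true',                       // verify the server certificate chain
].join('\n');

// Parse the simple key=value format npm uses for .npmrc. Comment lines
// (# or ;) and blank lines are skipped; a later key overrides an earlier one.
function parseNpmrc(text) {
  const config = {};
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    config[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return config;
}

// Return a list of findings; an empty list means the client both encrypts
// registry traffic and verifies the server certificate (given a sane CA store).
function auditNpmrc(text) {
  const cfg = parseNpmrc(text);
  const findings = [];
  const registry = cfg['registry'] || 'https://registry.npmjs.org/';
  if (!registry.toLowerCase().startsWith('https://')) {
    findings.push(`registry "${registry}" is not served over HTTPS`);
  }
  // npm defaults strict-ssl to true; only an explicit false disables checking.
  if ((cfg['strict-ssl'] || 'true').toLowerCase() === 'false') {
    findings.push('strict-ssl=false disables certificate verification');
  }
  return findings;
}
```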

