Date: Tue, 17 Mar 2015 09:13:35 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 198653] [www/npm] [SECURITY] Security advisory added due to unauthenticated downloads performed by NPM
Message-ID: <bug-198653-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198653

Bug ID: 198653
Summary: [www/npm] [SECURITY] Security advisory added due to unauthenticated downloads performed by NPM
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: sunpoet@FreeBSD.org
Reporter: yuri@rawbw.com
Flags: maintainer-feedback?(sunpoet@FreeBSD.org)

Created attachment 154447
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=154447&action=edit
patch

NPM doesn't currently support package authentication, therefore subjecting users to the possibility of MITM attacks. For reference, see the discussion here: https://github.com/node-forward/discussions/issues/29

Additionally, npm allows downloading GitHub projects without any verification, in a direct developer-to-user-system fashion; see https://docs.npmjs.com/cli/install

The patch adds security advisories as a pkg-message.

--
You are receiving this mail because:
You are the assignee for the bug.