Your message dated Sat, 04 Nov 2023 12:47:09 +0000
with message-id <e1qzg3r-001i7d...@fasolo.debian.org>
and subject line Bug#1054667: fixed in node-browserify-sign 4.2.1-3+deb12u1
has caused the Debian Bug report #1054667,
regarding node-browserify-sign: CVE-2023-46234
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054667: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054667
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-browserify-sign
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for node-browserify-sign.

CVE-2023-46234[0]:
| browserify-sign is a package to duplicate the functionality of
| node's crypto public key functions; much of this is based on Fedor
| Indutny's work on indutny/tls.js. An upper bound check issue in
| `dsaVerify` function allows an attacker to construct signatures that
| can be successfully verified by any public key, thus leading to a
| signature forgery attack. All places in this project that involve
| DSA verification of user-input signatures will be affected by this
| vulnerability. This issue has been patched in version 4.2.2.

https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46234
    https://www.cve.org/CVERecord?id=CVE-2023-46234

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: node-browserify-sign
Source-Version: 4.2.1-3+deb12u1
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-browserify-sign, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-browserify-sign package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 28 Oct 2023 12:03:04 +0400
Source: node-browserify-sign
Binary: node-browserify-sign
Architecture: source all
Version: 4.2.1-3+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Description:
 node-browserify-sign - adds node crypto signing for browsers
Closes: 1054667
Changes:
 node-browserify-sign (4.2.1-3+deb12u1) bookworm-security; urgency=high
 .
   * Team upload
   * Properly check the upper bound for DSA signatures (Closes: #1054667, CVE-2023-46234)

--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel