Your message dated Sat, 04 Nov 2023 12:48:27 +0000
with message-id <e1qzg4h-001ijw...@fasolo.debian.org>
and subject line Bug#1054667: fixed in node-browserify-sign 4.2.1-1+deb11u1
has caused the Debian Bug report #1054667,
regarding node-browserify-sign: CVE-2023-46234
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054667: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054667
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-browserify-sign
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for node-browserify-sign.

CVE-2023-46234[0]:
| browserify-sign is a package to duplicate the functionality of
| node's crypto public key functions, much of this is based on Fedor
| Indutny's work on indutny/tls.js. An upper bound check issue in
| `dsaVerify` function allows an attacker to construct signatures that
| can be successfully verified by any public key, thus leading to a
| signature forgery attack. All places in this project that involve
| DSA verification of user-input signatures will be affected by this
| vulnerability. This issue has been patched in version 4.2.2.

https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46234
    https://www.cve.org/CVERecord?id=CVE-2023-46234

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: node-browserify-sign
Source-Version: 4.2.1-1+deb11u1
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-browserify-sign, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-browserify-sign package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 30 Oct 2023 06:52:31 +0400
Source: node-browserify-sign
Binary: node-browserify-sign
Architecture: source all
Version: 4.2.1-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Description:
 node-browserify-sign - adds node crypto signing for browsers
Closes: 1054667
Changes:
 node-browserify-sign (4.2.1-1+deb11u1) bullseye-security; urgency=high
 .
   * Team upload
   * Properly check the upper bound for DSA signatures
     (Closes: #1054667, CVE-2023-46234)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
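
The check named in the advisory text ("upper bound check issue in `dsaVerify`") and in the changelog entry ("Properly check the upper bound for DSA signatures"), as an added example that is not browserify-sign's code or the Debian patch: a toy DSA verifier that enforces 0 < r < q and 0 < s < q before any modular arithmetic. The domain parameters, key pair, digest, nonce and helper names are constructed for illustration.

```javascript
'use strict';
// Toy DSA domain parameters (constructed, far too small for real use):
// Q is prime, Q divides P - 1, and G has order Q modulo P.
const P = 23n, Q = 11n, G = 4n;

function modPow(base, exp, mod) {
  let result = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Modular inverse by extended Euclid; throws when no inverse exists.
function modInv(a, m) {
  let [oldR, r, oldS, s] = [((a % m) + m) % m, m, 1n, 0n];
  while (r !== 0n) {
    const quot = oldR / r;
    [oldR, r] = [r, oldR - quot * r];
    [oldS, s] = [s, oldS - quot * s];
  }
  if (oldR !== 1n) throw new RangeError('value is not invertible');
  return ((oldS % m) + m) % m;
}

// Both bounds matter: 0 < v < q. Checking only v > 0 lets values >= q through.
const inRange = (v, q) => typeof v === 'bigint' && v > 0n && v < q;

// z is the message digest as an integer; y is the signer's public key.
function dsaVerify(z, { r, s }, y) {
  if (!inRange(r, Q) || !inRange(s, Q)) return false; // reject before any math
  const w = modInv(s, Q);
  const u1 = (z * w) % Q;
  const u2 = (r * w) % Q;
  const v = ((modPow(G, u1, P) * modPow(y, u2, P)) % P) % Q;
  return v === r;
}

// Signing with a caller-supplied nonce k, only to build test data here.
function dsaSign(z, x, k) {
  const r = modPow(G, k, P) % Q;
  const s = (modInv(k, Q) * (z + x * r)) % Q;
  return { r, s };
}

const X = 7n, Y = modPow(G, X, P);           // constructed key pair
const SIG = dsaSign(5n, X, 3n);              // constructed digest and nonce
console.log(dsaVerify(5n, SIG, Y));                        // genuine signature
console.log(dsaVerify(5n, { r: SIG.r, s: SIG.s + Q }, Y)); // s is not below q
```
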
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
