Hi Yadd,

On Sat, Oct 28, 2023 at 12:05:25PM +0400, Yadd wrote:
> On 10/27/23 20:20, Moritz Mühlenhoff wrote:
> > Source: node-browserify-sign
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: grave
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerability was published for node-browserify-sign.
> >
> > CVE-2023-46234[0]:
> > | browserify-sign is a package to duplicate the functionality of
> > | node's crypto public key functions, much of this is based on Fedor
> > | Indutny's work on indutny/tls.js. An upper bound check issue in
> > | `dsaVerify` function allows an attacker to construct signatures that
> > | can be successfully verified by any public key, thus leading to a
> > | signature forgery attack. All places in this project that involve
> > | DSA verification of user-input signatures will be affected by this
> > | vulnerability. This issue has been patched in version 4.2.2.
> >
> > https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
> > https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2023-46234
> >     https://www.cve.org/CVERecord?id=CVE-2023-46234
> >
> > Please adjust the affected versions in the BTS as needed.
>
> Hi,
>
> please find attached the debdiff for Bookworm
Thanks, looks good and I think we can release a DSA for it.

FTR, please wait next time for an ack first.

Regards,
Salvatore
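As an added illustration of the class of bug the quoted CVE text describes (an upper-bound check on the DSA signature components), the following toy DSA verifier shows the range check FIPS 186-4 requires, 0 < r < q and 0 < s < q, and what an implementation that skips it accepts. This is example code written for this thread, not browserify-sign's `dsaVerify` or the Debian patch; the domain parameters, key, message and the `check_range` switch are all constructed here for readability and carry no security.

```python
"""Toy DSA verification with the (r, s) range checks.  Illustrative only:
the parameters are tiny (q = 11) so the arithmetic is readable; they are
not usable for anything real.  Not browserify-sign code."""
import hashlib

# Constructed toy domain parameters: p = 23, q = 11 divides p - 1,
# and g = 4 has order q modulo p.  x is the private key, y the public key.
P, Q, G = 23, 11, 4
PRIV_X = 3
PUB_Y = pow(G, PRIV_X, P)  # 18


def hash_to_int(msg):
    """Toy hash-to-integer: SHA-256 reduced mod q.
    Real DSA takes the leftmost N bits of the digest instead."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def check_value(b, q):
    """The bound check: a signature component must lie strictly
    between 0 and q.  Values >= q are congruent to a smaller value
    mod q and must be rejected, not silently reduced."""
    if b <= 0:
        raise ValueError("invalid sig: component <= 0")
    if b >= q:
        raise ValueError("invalid sig: component >= q")


def dsa_sign(msg, x=PRIV_X):
    """Toy signer used only to produce a valid (r, s) for the demo.
    It iterates k deterministically from 1; a real signer must draw k
    uniformly at random (or use RFC 6979), since a predictable k leaks x."""
    h = hash_to_int(msg)
    for k in range(1, Q):
        r = pow(G, k, P) % Q
        if r == 0:
            continue
        s = (pow(k, -1, Q) * (h + x * r)) % Q
        if s != 0:
            return r, s
    raise RuntimeError("no usable k with these toy parameters")


def dsa_verify(msg, sig, y=PUB_Y, check_range=True):
    """Standard DSA verification.  With check_range=True (the hardened
    form) out-of-range r or s is rejected up front.  check_range=False
    models an implementation whose bound check is ineffective."""
    r, s = sig
    if check_range:
        try:
            check_value(r, Q)
            check_value(s, Q)
        except ValueError:
            return False
    h = hash_to_int(msg)
    try:
        w = pow(s, -1, Q)  # s^-1 mod q
    except ValueError:     # s congruent to 0 mod q has no inverse
        return False
    u1 = (h * w) % Q
    u2 = (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r


if __name__ == "__main__":
    m = b"constructed sample message"
    r, s = dsa_sign(m)
    print("valid signature:        ", dsa_verify(m, (r, s)))
    print("s + q, range checked:   ", dsa_verify(m, (r, s + Q)))
    print("s + q, range unchecked: ", dsa_verify(m, (r, s + Q), check_range=False))
```

The last two lines of the demo make the point: because every later step reduces mod q, an unchecked verifier accepts s + q (and any other non-canonical encoding of the same residue) as a second valid signature for the same message, while the checked verifier rejects it. The check must run on the decoded integers before any modular arithmetic; once a value has been reduced mod q, the information that it was out of range is gone.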