Your message dated Sat, 28 Oct 2023 08:26:31 +0000
with message-id <e1qween-00g520...@fasolo.debian.org>
and subject line Bug#1054667: fixed in node-browserify-sign 4.2.2-1
has caused the Debian Bug report #1054667,
regarding node-browserify-sign: CVE-2023-46234
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054667: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054667
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-browserify-sign
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for node-browserify-sign.

CVE-2023-46234[0]:
| browserify-sign is a package to duplicate the functionality of
| node's crypto public key functions, much of this is based on Fedor
| Indutny's work on indutny/tls.js. An upper bound check issue in
| `dsaVerify` function allows an attacker to construct signatures that
| can be successfully verified by any public key, thus leading to a
| signature forgery attack. All places in this project that involve
| DSA verification of user-input signatures will be affected by this
| vulnerability. This issue has been patched in version 4.2.2.

https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46234
    https://www.cve.org/CVERecord?id=CVE-2023-46234

Please adjust the affected versions in the BTS as needed.

--- End Message ---
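
An added example, not part of the original bug report or the browserify-sign project: a check that walks a parsed npm `package-lock.json` and reports every installed copy of browserify-sign below 4.2.2, the patched version named in the report above. The function names, the lockfile handling (lockfileVersion 1 `dependencies` tree, 2/3 `packages` map) and the sample lockfile are assumptions constructed for illustration; the report gives no lower bound, so every version below 4.2.2 is flagged.

```javascript
const PKG = 'browserify-sign';
const FIXED = [4, 2, 2]; // patched version stated in the CVE description

// True when a semver string is older than FIXED. Unparseable or missing
// versions are reported too, so the check fails closed.
function isBelowFixed(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-)?/.exec(String(version));
  if (!m) return true;
  for (let i = 0; i < 3; i++) {
    const part = Number(m[i + 1]);
    if (part !== FIXED[i]) return part < FIXED[i];
  }
  return m[4] === '-'; // a prerelease of 4.2.2 sorts before 4.2.2
}

// Takes a parsed package-lock.json object, returns [{ path, version }].
function findVulnerable(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, nested copies included
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + PKG) && isBelowFixed(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree
  (function walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === PKG && isBelowFixed(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + '/');
    }
  })(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/browserify-sign': { version: '4.2.2' },
    'node_modules/crypto-browserify/node_modules/browserify-sign': { version: '4.2.1' },
  },
};
console.log(findVulnerable(SAMPLE_LOCK));
```

Nested copies pulled in by other packages are the ones a top-level upgrade tends to miss, which is why the check matches on the install path rather than only on direct dependencies.
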
--- Begin Message ---
Source: node-browserify-sign
Source-Version: 4.2.2-1
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-browserify-sign, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-browserify-sign package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 28 Oct 2023 11:42:53 +0400
Source: node-browserify-sign
Architecture: source
Version: 4.2.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1054667
Changes:
 node-browserify-sign (4.2.2-1) unstable; urgency=medium
 .
   * Team upload
   * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository, Repository-Browse
   * Update standards version to 4.6.2, no changes needed.
   * New upstream version (Closes: #1054667, CVE-2023-46234)


--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
