[SECURITY] [DLA 3635-1] node-browserify-sign security update

To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 3635-1] node-browserify-sign security update
From: Xavier <yadd@debian.org>
Date: Sun, 29 Oct 2023 08:33:32 +0400
Message-id: <[🔎] 20231029043332.CAD8180844@m.xnr.fr>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3635-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                                 Yadd
October 29, 2023                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : node-browserify-sign
Version        : 4.0.4-2+deb10u1
CVE ID         : CVE-2023-46234
Debian Bug     : 1054667

An upper bound check issue in `dsaVerify` function has been discovered in
node-browserify-sign. This allows an attacker to construct signatures that
can be successfully verified by any public key, thus leading to a signature
forgery attack.

For Debian 10 buster, this problem has been fixed in version
4.0.4-2+deb10u1.

We recommend that you upgrade your node-browserify-sign packages.

For the detailed security status of node-browserify-sign please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-browserify-sign

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmU91PsSHHguZ3VpbWFy
ZEBmcmVlLmZyAAoJEPbXTKfJme7ppWwQAIdi0/jfbLyHLUgXY9ItHhe2egfqD+C1
4HrG3wNHmTStrExZWdBL5hKboiMVrrc3bGHDtABBC8GrCodaRLPSHeqi9OUNtvly
tRiFN4/aMv9od3ANh7mWq4plX355Mn4UywH9vO4J3sJeOq8hF4GD6T1IvpeBatbr
ZBnc+DKrrupKw1sMZ0UmoQvotmoPLzmwgdxkuh226+S/1MgEVvKvHG8gQ0gl5SZ3
NoU02Bwc8hrf5wrw2I1tYq8FPoMSyIHYQiPjG7XzE3flF5x1C8CltbmhIgBYFkjh
fRYV9ZfmWL4LUnznbJhuHEd+yUQYrklW3VLS/ttFz/VHZDa1DLxnYXRck4albOfN
f1IiNxGzLWj2HEQzpdYERXm0ZtUv2VmuO17V2npPO5TBy34Yd2qmgwI+SHf0eE7n
utGYhWErQVrzEka7RI2PXbzZVWzzEhx/nAqM6O2sMuuql/CNhNtyYGk85GuZOu4n
nBbpFQCr1iG2FCUpgtZd7ou6DYo0MiOlBH8eR/M21gRUPxZVxudDGB5eI9b6DbK6
Q+TG1QyR5WvIw+IHsMoobHjW16qmOr5QXY7Tw2TMc7QnKKNsaethBeyQ2NitGruW
iUXl9lDnEdCCMs53qyq7zD2Efyc8HzewBTsxIj2IZeH/ArMSL5RXnLcYNTiUEV9l
0icW9IEmlxHN
=w0we
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3634-1] nss security update
Next by Date: [SECURITY] [DLA 3636-1] openjdk-11 security update
Previous by thread: [SECURITY] [DLA 3634-1] nss security update
Next by thread: [SECURITY] [DLA 3636-1] openjdk-11 security update
Index(es):
- Date
- Thread