Security Information / 2023 / Security Information -- DSA-5539-1 node-browserify-sign

Debian Security Advisory

DSA-5539-1 node-browserify-sign -- security update

Date Reported:

30 Oct 2023

Affected Packages:

node-browserify-sign

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 1054667.
In Mitre's CVE dictionary: CVE-2023-46234.

More information:

It was reported that incorrect bound checks in the dsaVerify function in node-browserify-sign, a Node.js library which adds crypto signing for browsers, allows an attacker to perform signature forgery attacks by constructing signatures that can be successfully verified by any public key.

For the oldstable distribution (bullseye), this problem has been fixed in version 4.2.1-1+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 4.2.1-3+deb12u1.

We recommend that you upgrade your node-browserify-sign packages.

For the detailed security status of node-browserify-sign please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-browserify-sign