Hi,
this bug is still unfixed even though the patch is trivial. Here is a template
for an update
diff --git a/debian/changelog b/debian/changelog
index 558cbac..849d0f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+cryptojs (3.1.2+dfsg-3+deb12u1) bookworm-security; urgency=medium
+
+ * Change default hash algorithm and iteration's for PBKDF2
+ (Closes: #1055525)
+
+ -- Yadd <y...@debian.org> Thu, 16 Nov 2023 10:53:45 +0400
+
cryptojs (3.1.2+dfsg-3) unstable; urgency=medium
* Add upstream metadata.
diff --git a/debian/patches/CVE-2023-46233.patch
b/debian/patches/CVE-2023-46233.patch
new file mode 100644
index 0000000..c321f49
--- /dev/null
+++ b/debian/patches/CVE-2023-46233.patch
@@ -0,0 +1,38 @@
+Description: Change default hash algorithm and iteration's for PBKDF2
+ to prevent weak security by using the default configuration
+Author: evanvosberg <evanvosb...@urban.to>
+Origin: upstream, https://github.com/brix/crypto-js/commit/421dd538
+Bug: https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf
+Bug-Debian: https://bugs.debian.org/1055525
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2023-11-16
+
+--- a/components/pbkdf2.js
++++ b/components/pbkdf2.js
+@@ -11,7 +11,7 @@
+ var Base = C_lib.Base;
+ var WordArray = C_lib.WordArray;
+ var C_algo = C.algo;
+- var SHA1 = C_algo.SHA1;
++ var SHA256 = C_algo.SHA256;
+ var HMAC = C_algo.HMAC;
+
+ /**
+@@ -22,13 +22,13 @@
+ * Configuration options.
+ *
+ * @property {number} keySize The key size in words to generate.
Default: 4 (128 bits)
+- * @property {Hasher} hasher The hasher to use. Default: SHA1
++ * @property {Hasher} hasher The hasher to use. Default: SHA256
+ * @property {number} iterations The number of iterations to perform.
Default: 1
+ */
+ cfg: Base.extend({
+ keySize: 128/32,
+- hasher: SHA1,
+- iterations: 1
++ hasher: SHA256,
++ iterations: 250000
+ }),
+
+ /**
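Review bot: The rewritten `var SHA256 = C_algo.SHA256;` line makes components/pbkdf2.js read SHA256 at load time, and nothing visible in this debdiff adds sha256.js to whatever the package ships or concatenates alongside pbkdf2.js. If any build step or consumer still loads only core, sha1 and hmac before it, the default `hasher` would be undefined and default-configured PBKDF2 calls would fail, so that is worth verifying before upload. The JSDoc context line for `iterations` still reads `Default: 1` and should become `Default: 250000` to match the new `cfg`. Because only the defaults change, keys derived earlier with the implicit SHA1 and single-iteration settings will no longer be reproduced, and callers that pass weak values explicitly are unaffected. The changelog entry or a debian/NEWS note should say that existing data needs `hasher` and `iterations` passed explicitly until it is re-derived.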
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4fdeacb
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-46233.patch