Your message dated Thu, 16 Nov 2023 18:34:00 +0000
with message-id <e1r3hbg-0095bc...@fasolo.debian.org>
and subject line Bug#1055525: fixed in cryptojs 3.1.2+dfsg-4
has caused the Debian Bug report #1055525,
regarding cryptojs: CVE-2023-46233
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1055525: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055525
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cryptojs
Version: 3.1.2+dfsg-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for cryptojs.

CVE-2023-46233[0]:
| crypto-js is a JavaScript library of crypto standards. Prior to
| version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than
| originally specified in 1993, and at least 1,300,000 times weaker
| than current industry standard. This is because it both defaults to
| SHA1, a cryptographic hash algorithm considered insecure since at
| least 2005, and defaults to one single iteration, a 'strength' or
| 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2
| relies on iteration count as a countermeasure to preimage and
| collision attacks. If used to protect passwords, the impact is high.
| If used to generate signatures, the impact is high. Version 4.2.0
| contains a patch for this issue. As a workaround, configure crypto-
| js to use SHA256 with at least 250,000 iterations.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46233
    https://www.cve.org/CVERecord?id=CVE-2023-46233
[1] https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf
[2] https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: cryptojs
Source-Version: 3.1.2+dfsg-4
Done: Laszlo Boszormenyi (GCS) <g...@debian.org>

We believe that the bug you reported is fixed in the latest version of
cryptojs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1055...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated cryptojs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 16 Nov 2023 18:56:13 +0100
Source: cryptojs
Architecture: source
Version: 3.1.2+dfsg-4
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Closes: 1055525
Changes:
 cryptojs (3.1.2+dfsg-4) unstable; urgency=high
 .
   [ Yadd <y...@debian.org> ]
   * Change default hash algorithm and iterations for PBKDF2
     (closes: #1055525).
 .
   [ Laszlo Boszormenyi (GCS) ]
   * Update Standards-Version to 4.6.2 .
Checksums-Sha1:
 2f25f62dd855bc37b057e1f99b4f899dcdeb2889 1779 cryptojs_3.1.2+dfsg-4.dsc
 b2c95c76218597dbc0d2bcf6f449e50397e5a405 3928 cryptojs_3.1.2+dfsg-4.debian.tar.xz
Checksums-Sha256:
 6ccba40a8eaf14d7a36d79a83f3ed99d8e93e4a8928bef2be7ce65f17ec58f52 1779 cryptojs_3.1.2+dfsg-4.dsc
 986e9d5acca1c5a566602f558046353b76eb466abcd409371ef127c116681a70 3928 cryptojs_3.1.2+dfsg-4.debian.tar.xz
Files:
 9b567cb9ef661dcb3b11e850396a6e64 1779 web optional cryptojs_3.1.2+dfsg-4.dsc
 daa97de1b178e98b7db4442d55b19761 3928 web optional cryptojs_3.1.2+dfsg-4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAmVWW+0ACgkQ3OMQ54ZM
yL8vqRAAl5Nn6LTu/EMn+2oI82C0nRDOh2HU+sSEmLT3TELQ69uiqX6g+iURU9Hd
etQu3mcmx81WS5rWXuuM66uXBzKcYPWsynVHC26pRC3weOVT5zCErt7hEVLClSrD
2xdGLfQ8REGDzVoLr7pGEvp7VUxYgfQvNtW+wAMoOYbslilk8aWz4rqhovx7O8IK
a/GRTCDa5SGbBafbWCOSkYo/5vTq+Q9IQUF+zaQQuofqHY4GgHxiY1jM/3FuSPcs
xb02ON5DaoL+wOxeMLhHF2t6k5MadXxRvWO0RuDWIol8QT45pqpo+7bGrXfNgwcI
SuShG6VBDS+rxTljVONrRQy6/lNZq4R9dKC1sf5yJFbyprBzhVmm2Clnj8Z+VuhE
ZAJKstQfYZomhxKyw5b9J4byQ4+v3wG+go3fAKGN0kZRkkrCDUadF13Ga3oDf3aC
lSqyhj02yQiMTYLfetclCSWEjXg7Fnr/T02xXYAjLsNCCU2EJqUTYtdED8ZXQP1O
AUGauKLuXJ3bRbJqQg7Ik+fCZwpoupV6lTBxTlU5fXEPd+3Emv0s+pD6F13FiBKV
C39GMDuVNeEfeGZ2Ry8d0KA0KvwF9K/8E9tURl0c3rD/hmkcRflTipri773EkMB6
LUC7kqUORLY4B3sxUvriDMbO6VVVnyQ14NdhInwGy+hhRm4hrRQ=
=TglI
-----END PGP SIGNATURE-----

--- End Message ---
