browserify-sign is a package that duplicates the functionality of node's crypto public key functions; much of it is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in the `dsaVerify` function allows an attacker to construct signatures that are successfully verified by any public key, leading to a signature forgery attack. Every place in this project that performs DSA verification of user-supplied signatures is affected by this vulnerability. This issue has been patched in version 4.2.2. https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30
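As an added illustration (not browserify-sign's own code), the following toy DSA verifier enforces the full range check 0 < r < q and 0 < s < q on both decoded signature components before any modular arithmetic runs; the upper-bound half of that check is what the advisory describes as flawed. The parameters, private key, nonce and digest value are constructed toy values and are not cryptographically safe.

```python
# Toy DSA with the full range check on signature components (r, s).
# Constructed parameters, NOT secure: q divides p-1 and g has order q mod p.
P, Q, G = 23, 11, 4
PRIV_X = 3                   # constructed toy private key
PUB_Y = pow(G, PRIV_X, P)    # public key y = g^x mod p


def dsa_sign(h, k, x=PRIV_X):
    """Sign the integer digest h with per-message nonce k (toy sizes)."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h + x * r)) % Q
    return r, s


def check_value(b, q):
    """Reject a signature component outside the open interval (0, q)."""
    if b <= 0 or b >= q:
        raise ValueError("invalid sig")


def dsa_verify(h, r, s, y=PUB_Y):
    """Return True if (r, s) is a valid DSA signature on digest h under y."""
    check_value(r, Q)        # lower AND upper bound on r
    check_value(s, Q)        # lower AND upper bound on s
    w = pow(s, -1, Q)
    u1 = (h * w) % Q
    u2 = (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r


def is_accepted(h, r, s):
    """Map a range-check failure to a plain False, as a caller would."""
    try:
        return dsa_verify(h, r, s)
    except ValueError:
        return False


if __name__ == "__main__":
    h = 5                      # constructed toy digest value
    r, s = dsa_sign(h, k=7)
    print("genuine signature:", (r, s), "accepted:", is_accepted(h, r, s))
    # Components at or above q are rejected before any verification math.
    print("r >= q rejected:", not is_accepted(h, Q, s))
    print("s >= q rejected:", not is_accepted(h, r, Q))
```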
Created golang-github-prometheus tracking bugs for this issue:
Affects: epel-all [bug 2246628]

Created mozjs78 tracking bugs for this issue:
Affects: fedora-all [bug 2246631]

Created seamonkey tracking bugs for this issue:
Affects: epel-all [bug 2246629]
Affects: fedora-all [bug 2246632]

Created yarnpkg tracking bugs for this issue:
Affects: epel-all [bug 2246630]
Affects: fedora-all [bug 2246633]
This issue has been addressed in the following products:
Red Hat Openshift distributed tracing 2.9 Via RHSA-2023:6180 https://access.redhat.com/errata/RHSA-2023:6180