Roadicing

**Name of the Vulnerable Software and Affected Versions** Crypto++ (cryptopp) versions prior to 8.9.0 **Description** The issue allows attackers to cause a denial of service, specifically an infinite loop, through crafted DER public-key data associated with squared odd numbers. This can be achieved with numbers such as the square of 268995137513890432434389773128616504853. **Recommendations** For versions prior to 8.9.0, update to version 8.9.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the ModularSquareRoot function in Crypto++ until a patch is applied. Avoid processing DER public-key data from untrusted sources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Crypto++ versions through 8.9.0 **Description** The issue is related to errors in resource management in the Crypto++ library, specifically in the gf2n.cpp file. It allows attackers to cause a denial of service, resulting in an application crash, via DER public-key data for an F(2^m) curve if the degree of each term in the polynomial is not strictly decreasing. This can be exploited by a remote attacker to disrupt service. **Recommendations** For Crypto++ versions through 8.9.0, update to a version that addresses the resource management errors in the gf2n.cpp file to prevent denial of service attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** browserify-sign versions prior to 4.2.2 **Description** The issue is related to an upper bound check problem in the `dsaVerify` function, which allows an attacker to construct signatures that can be successfully verified by any public key. This leads to a signature forgery attack. All places in the project that involve DSA verification of user-input signatures are affected by this issue. **Recommendations** To resolve the issue, update to version 4.2.2 or later. As a temporary workaround, consider disabling the `dsaVerify` function until a patch is available. Restrict access to areas of the project that involve DSA verification of user-input signatures to minimize the risk of exploitation. Avoid using the `dsaVerify` function in the affected API endpoints until the issue is resolved.