Debian alert DLA-4302-1 (node-sha.js) [LWN.net]
| From: | rouca@debian.org |
| To: | |
| Subject: | [SECURITY] [DLA 4302-1] node-sha.js security update |
| Date: | Tue, 16 Sep 2025 00:46:19 +0200 |
| Message-ID: | |
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4302-1                debian-lts@lists.debian.org
www.debian.org/lts/security/                            Bastien Roucariès
September 16, 2025                                    wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : node-sha.js
Version : 2.4.11-2+deb11u1
CVE ID : CVE-2025-9288
Debian Bug : 1111769

node-sha.js, a popular streamable SHA hash implementation in pure JavaScript,
was vulnerable.

An Improper Input Validation vulnerability in sha.js
allowed Input Data Manipulation. Missing input type checks can allow
types other than a well-formed Buffer or string, resulting in
invalid values, hanging and rewinding the hash state
(including turning a tagged hash into an untagged hash), or other
generally undefined behaviour.

For Debian 11 bullseye, this problem has been fixed in version
2.4.11-2+deb11u1.

We recommend that you upgrade your node-sha.js packages.

For the detailed security status of node-sha.js please refer to
its security tracker page at:
security-tracker.debian.org/tracker/node-sha.js

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: wiki.debian.org/LTS
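
One way to enforce the input type check the advisory describes as missing, for application code that hashes untrusted fields and cannot be upgraded immediately. This is an added example, not code from sha.js or from the Debian advisory; Node's built-in crypto stands in for sha.js as an assumption, and `toHashBytes`, `taggedSha256` and `hashRequestField` are hypothetical names.

```javascript
"use strict";
// Added example: a type guard placed in front of a streaming hash's update().
// Assumption: Node's built-in crypto stands in for sha.js; both expose
// update()/digest(), and the guard relies on that shape only.
const { createHash } = require("crypto");

function describe(value) {
  if (value === null) return "null";
  if (Array.isArray(value)) return "array";
  return typeof value;
}

// Accept only the input kinds the advisory names (string, well-formed byte
// buffer) and normalise them to a Buffer. Everything else is rejected
// before it can reach the hash state.
function toHashBytes(data, encoding = "utf8") {
  if (typeof data === "string") return Buffer.from(data, encoding);
  if (Buffer.isBuffer(data)) return data;
  if (data instanceof Uint8Array) {
    // Same bytes, no copy.
    return Buffer.from(data.buffer, data.byteOffset, data.byteLength);
  }
  throw new TypeError(
    `hash input must be a string or Buffer, got ${describe(data)}`
  );
}

// Tagged hash: digest over tag || message, each part validated on its own.
function taggedSha256(tag, message) {
  const h = createHash("sha256");
  h.update(toHashBytes(tag));
  h.update(toHashBytes(message));
  return h.digest("hex");
}

// Constructed sample input: a JSON body whose "msg" field may arrive as an
// object or array instead of the expected string.
function hashRequestField(jsonText) {
  const body = JSON.parse(jsonText);
  try {
    return { ok: true, digest: taggedSha256("v1:", body.msg) };
  } catch (err) {
    if (err instanceof TypeError) return { ok: false, error: err.message };
    throw err;
  }
}
```

The guard belongs at the trust boundary where request data is parsed, so it keeps rejecting non-byte input regardless of which hash library sits behind it.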
