[SECURITY] [DLA 4302-1] node-sha.js security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4302-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Bastien Roucariès
September 16, 2025                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : node-sha.js
Version : 2.4.11-2+deb11u1
CVE ID : CVE-2025-9288
Debian Bug : 1111769

node-sha.js, a popular streamable SHA hash implementation in pure JavaScript,
was vulnerable.

An Improper Input Validation vulnerability in sha.js
allowed Input Data Manipulation. Missing input type checks can allow
types other than a well-formed Buffer or string, resulting in
invalid values, hanging and rewinding the hash state
(including turning a tagged hash into an untagged hash), or other
generally undefined behaviour.
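
The missing check described above can also be enforced on the caller's side, before any value reaches a hash object's update(). The following is an added example, not code from sha.js or from Debian: Node's built-in crypto module stands in for the hash implementation, and the function names, the "session-v1" tag and the length-prefixed tagged-hash layout are assumptions made for illustration.

```javascript
// Added example: a type gate in front of a streaming hash.
// Node's built-in crypto stands in for the hash library (assumption).
const { createHash } = require('node:crypto');

// Accept only the well-formed input types: string or Buffer.
// Uint8Array is also accepted here and converted explicitly (assumption).
function toHashBytes(value, label) {
  if (typeof value === 'string') return Buffer.from(value, 'utf8');
  if (Buffer.isBuffer(value)) return value;
  if (value instanceof Uint8Array) {
    return Buffer.from(value.buffer, value.byteOffset, value.byteLength);
  }
  // Plain objects, arrays, numbers, null, undefined: never forwarded to update().
  const kind = value === null ? 'null' : Array.isArray(value) ? 'array' : typeof value;
  throw new TypeError(`${label} must be a string or Buffer, got ${kind}`);
}

// Illustrative tagged hash: SHA-256(len(tag) || tag || payload).
// Both inputs are validated before the hash state is touched, so a bad
// payload can never leave a half-updated or altered state behind.
function taggedHash(tag, payload) {
  const tagBytes = toHashBytes(tag, 'tag');
  const payloadBytes = toHashBytes(payload, 'payload');
  const prefix = Buffer.alloc(4);
  prefix.writeUInt32BE(tagBytes.length);
  return createHash('sha256')
    .update(prefix)
    .update(tagBytes)
    .update(payloadBytes)
    .digest('hex');
}

// Constructed scenario: a JSON request body whose "data" field is expected
// to be a string, but JSON.parse can hand back any JSON type.
function hashRequestField(jsonText) {
  const body = JSON.parse(jsonText);
  try {
    return { ok: true, digest: taggedHash('session-v1', body.data) };
  } catch (err) {
    if (err instanceof TypeError) return { ok: false, error: err.message };
    throw err;
  }
}
```
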
For Debian 11 bullseye, this problem has been fixed in version
2.4.11-2+deb11u1.

We recommend that you upgrade your node-sha.js packages.

For the detailed security status of node-sha.js please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-sha.js

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS