-------------------------------------------------------------------------
Debian LTS Advisory DLA-4302-1                          [email protected]
https://www.debian.org/lts/security/                   Bastien Roucariès
September 16, 2025                           https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : node-sha.js
Version        : 2.4.11-2+deb11u1
CVE ID         : CVE-2025-9288
Debian Bug     : 1111769

node-sha.js, a popular streamable SHA hash implementation in pure
JavaScript, was vulnerable.

An Improper Input Validation vulnerability in sha.js allowed Input Data
Manipulation. Missing input type checks can allow types other than a
well-formed Buffer or string, resulting in invalid values, hanging and
rewinding the hash state (including turning a tagged hash into an
untagged hash), or other generally undefined behaviour.

For Debian 11 bullseye, this problem has been fixed in version
2.4.11-2+deb11u1.

We recommend that you upgrade your node-sha.js packages.

For the detailed security status of node-sha.js please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-sha.js

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
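A caller-side type guard for the missing input type checks described above, as an added example that is not part of the advisory or of sha.js. Node's built-in `crypto` stands in for the hashing library, and `toHashInput` and `taggedHash` are hypothetical names introduced here.

```javascript
// Added example: strict input validation in front of every hash.update() call.
// Assumption: Node's built-in crypto is used as a stand-in hasher.
const { createHash } = require('node:crypto');

// Return a Buffer for the only input kinds a hash should ever see
// (string or real byte buffer); throw on everything else.
function toHashInput(data, encoding = 'utf8') {
  if (typeof data === 'string') {
    if (!Buffer.isEncoding(encoding)) throw new TypeError('unknown encoding');
    return Buffer.from(data, encoding);
  }
  if (Buffer.isBuffer(data)) return data;
  if (ArrayBuffer.isView(data)) {
    // TypedArray / DataView: wrap the same bytes, honouring offset and length.
    return Buffer.from(data.buffer, data.byteOffset, data.byteLength);
  }
  // Plain objects (even with a `length` field), arrays, numbers, null, undefined.
  const kind = data === null ? 'null' : Array.isArray(data) ? 'array' : typeof data;
  throw new TypeError(`hash input must be a string or byte buffer, got ${kind}`);
}

// Tagged (domain-separated) hash. Every part goes through toHashInput, so a
// malformed part raises a TypeError before it reaches update().
function taggedHash(tag, parts) {
  const h = createHash('sha256');
  const t = toHashInput(tag);
  // Length-prefix the tag so the tag/data boundary is unambiguous.
  const len = Buffer.alloc(4);
  len.writeUInt32BE(t.length);
  h.update(len).update(t);
  for (const p of parts) h.update(toHashInput(p));
  return h.digest('hex');
}
```

Upgrading to the fixed package version remains the remedy; a guard like this is defence in depth for values that arrive from JSON or other untyped sources.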
