On 8/21/25 20:56, Salvatore Bonaccorso wrote:
Source: node-sha.js
Version: 2.4.11+~2.4.0-2
Severity: grave
Tags: security upstream
Forwarded: https://github.com/browserify/sha.js/pull/78
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-sha.js.
CVE-2025-9288[0]:
| Improper Input Validation vulnerability in sha.js allows Input Data
| Manipulation. This issue affects sha.js: through 2.4.11.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-9288
https://www.cve.org/CVERecord?id=CVE-2025-9288
[1] https://github.com/browserify/sha.js/pull/78
[2] https://github.com/browserify/sha.js/security/advisories/GHSA-95m3-7q98-8xr5
[3] https://github.com/browserify/sha.js/commit/f2a258e9f2d0fcd113bfbaa49706e1ac0d979ba5
Regards,
Salvatore
Hi,
the fix requires a new module node-to-buffer:
$ pkgjs-depends sha.js
# [email protected] (node-sha.js)
# 5 missing npm module(s)
DEPENDENCIES:
node-deep-equal (get-intrinsic, is-typed-array)
node-function-bind (function-bind)
node-inherits (inherits)
node-isarray (isarray)
node-safe-buffer (safe-buffer)
MISSING:
[email protected]
└── to-buffer (1.2.1)
└── typed-array-buffer (1.0.3)
└── call-bound (1.0.4)
└── call-bind-apply-helpers (1.0.2)
└── es-errors (1.3.0)
└── (^) es-errors (1.3.0)
I can push this new module (with its deps as uscan-components) to the new
queue. Maybe embed all of it in the node-sha.js package for Trixie/Bookworm?
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel