|
|
Subscribe / Log in / New account

Ubuntu alert USN-7778-1 (node-sha.js)



From:
              noreply+usn-bot@canonical.com


To:
              ubuntu-security-announce@lists.ubuntu.com


Subject:
              [USN-7778-1] sha.js vulnerability


Date:
              Thu, 25 Sep 2025 20:43:56 +0000


Message-ID:
              <E1v1som-0002hw-5S@lists.ubuntu.com>


==========================================================================
Ubuntu Security Notice USN-7778-1
September 25, 2025

node-sha.js vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

sha.js could be made to consume resources or return incorrect hash
values if it received specially crafted input.

Software Description:
- node-sha.js: Streamable SHA hashes in pure javascript

Details:

Nikita Skovoroda discovered that sha.js did not properly handle
certain inputs. An attacker could possibly use this issue to manipulate
the internal state of hash functions, resulting in hash collisions,
denial of service, or other unspecified impact.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
  node-sha.js                     2.4.11+~2.4.0-2+deb13u1build0.25.04.1

Ubuntu 24.04 LTS
  node-sha.js                     2.4.11+~2.4.0-2+deb13u1build0.24.04.1

Ubuntu 22.04 LTS
  node-sha.js                     2.4.11+~2.4.0-1ubuntu0.1

Ubuntu 20.04 LTS
  node-sha.js                     2.4.11-2ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  node-sha.js                     2.4.9-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7778-1
  CVE-2025-9288

Package Information:
  https://launchpad.net/ubuntu/+source/node-sha.js/2.4.11+~...
  https://launchpad.net/ubuntu/+source/node-sha.js/2.4.11+~...
  https://launchpad.net/ubuntu/+source/node-sha.js/2.4.11+~...




Attachment: signature.asc (type=application/pgp-signature)

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmjVp58ACgkQcpJm3tlz
hgHP8w/9G/Q35QyQABLc/uIs4I5UD8i34ZA2Gxvsirl0RU6G7EpCym5SGe0e9rYi
RS5oOBioWpafGaoDXeOQyYxbfJ5CeApnXxR+SMqHUKi62VvAP+kUbXK4ZnO9nM+Y
8oZaIIhADnTYo1Fz52423ZC1N4GqmIaWfI2ltnPDFymWN0SrIDSu3i12yLNMNzOU
RscC5gir4xGKgudv3+MWBfO+QbXxD+30rsp4ilG0TVB5IqA8ZoZyADBeql4S2wyq
4lPycjS9l93IkqyIBPpohy/3Q4goWNmbpyX+vqRQif06bE9z7xQoa7BQB+I/5t8R
pxUYYKeEkRlIflJv8yGj+ZB5bBIj6Pr4YB7NVd7mbWZR/DkcvoVPx7nfR/o1Y/yW
bTN+9buggEVZyKpi/GD2+jNilNoKPeYndRMaf2jnTCf1D10+Wah/x2ey72CTPsE1
cK62KiaTipTMe/zP5mP+DDt7i3IDDLe7LD4Fk+LDZAV8uufMzvUb6JC4auKnKX8g
xFhO+JAYSdhyOnIIaIBDqgqc2+jVTXlKLxfyEAwYH3dB8Rfcxb/KRJJiR+CeN2ls
7i7NrK0bElNzfSyiW2QQOqFG9iQK+4kMeenp+4K8tNWaVu67PKEcDiKCX7ZIT9gE
ZECpeuTsi0DS5oQfLpnz+iY0VR3haPpMSS30X958YvA+WPURzi4=
=LaaE
-----END PGP SIGNATURE-----
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds