Two security updates have been issued for Debian GNU/Linux 11 (Bullseye) LTS. The first update addresses a potential SQL injection attack in the Django web development framework, which has been fixed in version 2:2.2.28-1~deb11u8. The second update fixes an improper input validation vulnerability in node-sha.js, a popular streamable SHA hashes implementation, which has been addressed in version 2.4.11-2+deb11u1.

[DLA 4301-1] python-django security update
[DLA 4302-1] node-sha.js security update

[SECURITY] [DLA 4301-1] python-django security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4301-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
September 15, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : python-django
Version : 2:2.2.28-1~deb11u8
CVE ID : CVE-2025-57833
Debian Bug : 1113865

It was discovered that there was a potential SQL injection attack in
Django, a popular Python-based web development framework.

Specifically, the FilteredRelation class was vulnerable to an SQL
injection through its use of column aliases. This could have been
exploited using a suitably crafted dictionary that was controlled by
an attacker, either with dictionary expansion via the **kwargs passed
to QuerySet.annotate() or by using QuerySet.alias() directly.

For Debian 11 bullseye, this problem has been fixed in version
2:2.2.28-1~deb11u8.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DLA 4302-1] node-sha.js security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4302-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucari??s
September 16, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : node-sha.js
Version : 2.4.11-2+deb11u1
CVE ID : CVE-2025-9288
Debian Bug : 1111769

node-sha.js a popular streamable SHA hashes implementation in pure javascript
was vulnerable.

An Improper Input Validation vulnerability in sha.js
allowed Input Data Manipulation. Missing input type checks can allow
types other than a well-formed Buffer or string, resulting in
invalid values, hanging and rewinding the hash state
(including turning a tagged hash into an untagged hash), or other
generally undefined behaviour.

For Debian 11 bullseye, this problem has been fixed in version
2.4.11-2+deb11u1.

We recommend that you upgrade your node-sha.js packages.

For the detailed security status of node-sha.js please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-sha.js

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS