| From | Debian FTP Masters <ftpmaster@ftp-master.debian.org> |
|---|---|
| Newsgroups | linux.debian.changes |
| Subject | Accepted nodejs 18.20.4+dfsg-1~deb12u2 (source) into oldstable-proposed-updates |
| Date | 2026-05-17 01:50 +0200 |
| Message-ID | <MVwVz-5Gkx-3@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 06 Apr 2026 16:18:52 +0200
Source: nodejs
Architecture: source
Version: 18.20.4+dfsg-1~deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1094134 1105832
Changes:
nodejs (18.20.4+dfsg-1~deb12u2) bookworm-security; urgency=medium
.
* Team upload
* Fix CVE-2025-23085:
A memory leak could occur when a remote peer abruptly closes
the socket without sending a GOAWAY notification. Additionally,
if an invalid header was detected by nghttp2, causing the
connection to be terminated by the peer, the same leak was
triggered. This flaw could lead to increased memory consumption
and potential denial of service under certain conditions
(Closes: #1094134)
* Fix CVE-2025-23166:
The C++ method SignTraits::DeriveBits() may incorrectly call
ThrowException() based on user-supplied inputs when executing
in a background thread, crashing the Node.js process.
Such cryptographic operations are commonly applied to
untrusted inputs. Thus, this mechanism potentially allows
an adversary to remotely crash a Node.js runtime.
(Closes: #1105832)
* Fix CVE-2025-55131:
A flaw in Node.js's buffer allocation logic can expose uninitialized
memory when allocations are interrupted, when using the `vm` module
with the timeout option. Under specific timing conditions, buffers
allocated with `Buffer.alloc` and other `TypedArray` instances like
`Uint8Array` may contain leftover data from previous operations,
allowing in-process secrets like tokens or passwords to leak or
causing data corruption. While exploitation typically requires precise
timing or in-process code execution, it can become remotely
exploitable when untrusted input influences workload and timeouts,
leading to potential confidentiality and integrity impact.
* Fix CVE-2025-59465:
A malformed `HTTP/2 HEADERS` frame with oversized, invalid
`HPACK` data can cause Node.js to crash by triggering an
unhandled `TLSSocket` error `ECONNRESET`. Instead of safely
closing the connection, the process crashes, enabling a remote
denial of service. This primarily affects applications that
do not attach explicit error handlers to secure sockets,
for example:
```
server.on('secureConnection', socket => {
  socket.on('error', err => { console.log(err) })
})
```
* Fix CVE-2025-59466:
async_hooks would cause stack overflow
exceptions to exit with code 7 (kExceptionInFatalExceptionHandler)
instead of being catchable.
When a stack overflow exception occurs during async_hooks callbacks
(which use TryCatchScope::kFatal), detect the specific "Maximum call
stack size exceeded" RangeError and re-throw it instead of immediately
calling FatalException. This allows user code to catch the exception
with try-catch blocks instead of requiring uncaughtException handlers.
* Fix CVE-2025-23166:
A flaw in Node.js TLS error handling allows remote attackers to crash
or exhaust resources of a TLS server when `pskCallback` or
`ALPNCallback` are in use. Synchronous exceptions thrown during these
callbacks bypass standard TLS error handling paths (tlsClientError and
error), causing either immediate process termination or silent file
descriptor leaks that eventually lead to denial of service. Because
these callbacks process attacker-controlled input during the TLS
handshake, a remote client can repeatedly trigger the issue. This
vulnerability affects TLS servers using PSK or ALPN callbacks across.
* Fix CVE-2026-21710:
A flaw in Node.js HTTP request handling causes an uncaught `TypeError`
when a request is received with a header named `__proto__` and the
application accesses `req.headersDistinct`. When this occurs,
`dest["__proto__"]` resolves to `Object.prototype` rather than
`undefined`, causing `.push()` to be called on a non-array. This
exception is thrown synchronously inside a property getter and cannot
be intercepted by `error` event listeners, meaning it cannot be
handled without wrapping every `req.headersDistinct` access in a
`try/catch`
* Fix CVE-2026-21713:
A flaw in Node.js HMAC verification uses a non-constant-time
comparison when validating user-provided signatures, potentially
leaking timing information proportional to the number of matching
bytes. Under certain threat models where high-resolution timing
measurements are possible, this behavior could be exploited as a
timing oracle to infer HMAC values. Node.js already provides
timing-safe comparison primitives used elsewhere in the codebase,
indicating this is an oversight rather than an intentional design
decision.
* Fix CVE-2026-21714:
A memory leak occurs in Node.js HTTP/2 servers when a client sends
WINDOW_UPDATE frames on stream 0 (connection-level) that cause the
flow control window to exceed the maximum value of 2³¹-1. The server
correctly sends a GOAWAY frame, but the Http2Session object is never
cleaned up.
Checksums-Sha1:
ece51c59189c96c9a103c057926a777750b597a1 4334 nodejs_18.20.4+dfsg-1~deb12u2.dsc
4e580579ef4a73cf6ab060c74433501f292c18d3 272924 nodejs_18.20.4+dfsg.orig-ada.tar.xz
4cad22f4545483163b468271d06f425b15f1dcf0 267236 nodejs_18.20.4+dfsg.orig-types-node.tar.xz
a0c8b9acf0982e9010edb24542aa83d55e65fbde 29390728 nodejs_18.20.4+dfsg.orig.tar.xz
ca0d9b1dfb6465246eead185537072466a17019a 189708 nodejs_18.20.4+dfsg-1~deb12u2.debian.tar.xz
073a5d24bdb11b1a8b9f40cb5aa9bfa6c879827e 9612 nodejs_18.20.4+dfsg-1~deb12u2_source.buildinfo
Checksums-Sha256:
11573b64900df22b3e009a0fbe6bd2746e11946cd61a64aa61284cbc6ea1eee4 4334 nodejs_18.20.4+dfsg-1~deb12u2.dsc
b58fd8b7ef61255b66d42b66e32e74ccdde61c4e02facd6b5a566618e32e993e 272924 nodejs_18.20.4+dfsg.orig-ada.tar.xz
5bd8293f0adfb7bc744e3071bdbd184fd02f973931396ba816ff61514ecd62a9 267236 nodejs_18.20.4+dfsg.orig-types-node.tar.xz
6ce58062c71eae37d9c5ac31eeaeff9c2d48561d21c2849179d056c9c1bd9ebc 29390728 nodejs_18.20.4+dfsg.orig.tar.xz
9740da86ce7f8c554b7e71308df9903834c2aaadca01c76ac49d0b895f2afa52 189708 nodejs_18.20.4+dfsg-1~deb12u2.debian.tar.xz
ccb9340c1bb3496b1d0626f98dae1052bfbada77488a4bd7af3be7384b438589 9612 nodejs_18.20.4+dfsg-1~deb12u2_source.buildinfo
Files:
773aaceaed6a7e8de5716a4f94a0c0ff 4334 javascript optional nodejs_18.20.4+dfsg-1~deb12u2.dsc
774dbd4a3931a17737b3c27a7a67d587 272924 javascript optional nodejs_18.20.4+dfsg.orig-ada.tar.xz
8cabd2aa436c05f698a17368826a8645 267236 javascript optional nodejs_18.20.4+dfsg.orig-types-node.tar.xz
157a1ca8a7c3ca2465402e0326511581 29390728 javascript optional nodejs_18.20.4+dfsg.orig.tar.xz
5735c474d564398ac94ceb28579e3af6 189708 javascript optional nodejs_18.20.4+dfsg-1~deb12u2.debian.tar.xz
6564ea3fabb24265dc9ca795dc2f9d0b 9612 javascript optional nodejs_18.20.4+dfsg-1~deb12u2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmoAovQACgkQADoaLapB
CF8FCw//TYJ05ZUdCGOznDzI0byoaskDMjrq8hoQBqSmH+k8URUpBAzjoRIEv1Ix
dFjBnKs0z4Im1gSY9ye6bkVWV3vcYl8jzBadReYp8aLoX9vO1FKSF+0q0q+Gswdt
E9G3zA0gATEmS1esUespxkY+O1vmTLIDcGvuV4UQAYBn9t5fmAtDnlB2jAFpw0Xd
M8FC6FLTsvQ1Ab3SmdBEs6wMNYJd16fUDm9zL0j7FaSIpj0cqTzlGE+bNwMmLwEa
7b+pwJxuAONEi9eUTPpkbIA6WaqFTo70Ma4t1joy/By0/dy6SGYHGg56DKP0Dbfg
y+fAwnsxY1OfCOM14SZQA0JIbg6XQdT00JxynvZ58rA4ujYUFIadCcFKOYMc1qZ9
hZ7k+n4OfU4M6srFTFE1MuOpJZ1rhe1nVwC8C9EN53VcfWVfvST+wzD64n9lv88W
ZxxslVvLQhIZenK1feXUBz0VSn8jw/+fUXcHXzCbztoabnBK+GWBBfTIC/T8jNHq
DGM/Bfq14/T6o/cfxrJ/6g27eeEB2Uz+JDnZc+OXy/jE8DV3ysCtPAg2AgUSt8di
I7dVA2eXjGmHbl/1Evj+QRYYaeRIL7LCnC7OXoBZEhDW1R+mxeJiozcAbKLenoY6
Av/UIfD+lgeLbcApnQy9L33DRW3RM0yLIhCbFfWocmntd4u2gco=
=i6O1
-----END PGP SIGNATURE-----