From: Raspbian automatic forward porter
Date: Thu, 19 Mar 2026 14:04:44 +0000 (+0000)
Subject: Merge version 20.19.2+dfsg-1+rpi1 and 20.19.2+dfsg-1+deb13u1 to produce 20.19.2+dfsg...
X-Git-Tag: archive/raspbian/20.19.2+dfsg-1+rpi1+deb13u1^0
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/%22mailto:kde%40ewsoftware.de//%22style.css/%22/%22http:/www.example.com/%22mailto:kde%40ewsoftware.de/%22style.css/%22?a=commitdiff_plain;h=1227c13e0197f564e3ce89b83f33726714f0e4c4;p=nodejs.git

Merge version 20.19.2+dfsg-1+rpi1 and 20.19.2+dfsg-1+deb13u1 to produce 20.19.2+dfsg-1+rpi1+deb13u1
--- 1227c13e0197f564e3ce89b83f33726714f0e4c4

diff --cc debian/changelog index 1ff99699a,df7771894..36ebd08be --- a/debian/changelog +++ b/debian/changelog @@@ -1,11 -1,33 +1,42 @@@ - nodejs (20.19.2+dfsg-1+rpi1) trixie-staging; urgency=medium ++nodejs (20.19.2+dfsg-1+rpi1+deb13u1) trixie-staging; urgency=medium + + [changes brought forward from 18.10.0+dfsg-6+rpi1 by Peter Michael Green at Tue, 15 Nov 2022 03:51:54 +0000] + * Set --with-arm-version=6 on raspbian. + * Use armv6k CFLAGS on raspbian. + * Disable testsuite. + - -- Raspbian forward porter Fri, 06 Jun 2025 06:09:46 +0000 ++ -- Raspbian forward porter Thu, 19 Mar 2026 14:04:43 +0000 ++ + nodejs (20.19.2+dfsg-1+deb13u1) trixie-security; urgency=medium + + * Upstream security patches: + + CVE-2025-23085: follow-up fix wrong check for NGHTTP2_GOAWAY + + CVE-2026-21637: TLS error handling allows remote attackers to + crash or exhaust resources of a TLS server when `pskCallback` + or `ALPNCallback` are in use. + + CVE-2025-59465: malformed `HTTP/2 HEADERS` frame with oversized + invalid `HPACK` data can cause a crash. + + CVE-2025-55132: permission model allows a file's access and + modification timestamps to be changed via `futimes()` even when + the process has only read permissions. 
+ + CVE-2025-55130: permissions model allows attackers to bypass + `--allow-fs-read` and `--allow-fs-write` restrictions using + crafted relative symlink paths. + + CVE-2025-59466: "Maximum call stack size exceeded" errors become + uncatchable when `async_hooks.createHook()` is enabled. + + CVE-2025-55131: buffer allocation logic can expose uninitialized + memory when allocations are interrupted, when using the `vm` module + with the timeout option. + * Upstream critical fixes (see sec/NN patches) + + zlib: fix pointer alignment (10) + + os: fix GetInterfaceAddresses memory leak (15) + + src: fix possible dereference of null pointers (17, 29) + + v8: fix missing callback in heap utils destroy (19) + + v8: loong64 - avoid memory access under stack pointer (27) + + http2: do not crash on mismatched ping buffer length (28) + + v8: riscv64 - Fix sp handling in MacroAssembler::LeaveFrame (44) + + -- Jérémy Lal Thu, 05 Mar 2026 11:05:11 +0100 nodejs (20.19.2+dfsg-1) unstable; urgency=medium
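Review bot: The new top stanza `nodejs (20.19.2+dfsg-1+rpi1+deb13u1)` carries `* Disable testsuite.` forward unchanged, so this rebuild of a security upload that patches HTTP/2 handling, TLS callbacks, the permission model and buffer allocation gets no test run with the armv6 settings listed beside it. Consider enabling at least the tests that cover the patched areas for this upload, or state in the stanza why the suite stays disabled. The stanza also lists only the three Raspbian changes; a line saying it merges the 20.19.2+dfsg-1+deb13u1 security fixes would let someone reading only the top entry see that the CVE fixes in the stanza below are included in this build.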