nodejs.git
9 days ago [PATCH] lib,permission: require full read and write to symlink APIs
RafaelGSS [Mon, 10 Nov 2025 22:27:51 +0000 (19:27 -0300)]
[PATCH] lib,permission: require full read and write to symlink APIs

Refs: https://hackerone.com/reports/3417819
PR-URL: https://github.com/nodejs-private/node-private/pull/760
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2025-55130
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 36-lib-permission-require-full-read-and-write-to-symlink-apis.patch

9 days ago [PATCH] lib: disable futimes when permission model is enabled
RafaelGSS [Tue, 21 Oct 2025 21:25:31 +0000 (18:25 -0300)]
[PATCH] lib: disable futimes when permission model is enabled

Refs: https://hackerone.com/reports/3390084
PR-URL: https://github.com/nodejs-private/node-private/pull/748
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
CVE-ID: CVE-2025-55132
PR-URL: https://github.com/nodejs-private/node-private/pull/802
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2025-55132

Gbp-Pq: Topic sec
Gbp-Pq: Name 35-lib-disable-futimes-when-permission-model-is-enabled.patch

9 days ago [PATCH] lib: add TLSSocket default error handler
RafaelGSS [Fri, 31 Oct 2025 19:27:48 +0000 (16:27 -0300)]
[PATCH] lib: add TLSSocket default error handler

This prevents the server from crashing due to an unhandled rejection
when a TLSSocket connection is abruptly destroyed during initialization
and the user has not attached an error handler to the socket.
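e.g.:

```js
const http2 = require('node:http2')

// Options elided in the original commit message.
const server = http2.createSecureServer({ /* ... */ })
server.on('secureConnection', socket => {
  // The error handler is attached only once 'secureConnection' fires.
  socket.on('error', err => {
    console.log(err)
  })
})
```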

PR-URL: https://github.com/nodejs-private/node-private/pull/797
Fixes: https://github.com/nodejs/node/issues/44751
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=3262404
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
CVE-ID: CVE-2025-59465

Gbp-Pq: Topic sec
Gbp-Pq: Name 34-lib-add-tlssocket-default-error-handler.patch

9 days ago [PATCH] tls: route callback exceptions through error handlers
Matteo Collina [Mon, 22 Dec 2025 17:25:33 +0000 (18:25 +0100)]
[PATCH] tls: route callback exceptions through error handlers

Wrap pskCallback and ALPNCallback invocations in try-catch blocks
to route exceptions through owner.destroy() instead of letting them
become uncaught exceptions. This prevents remote attackers from
crashing TLS servers or causing resource exhaustion.

Fixes: https://hackerone.com/reports/3473882
PR-URL: https://github.com/nodejs-private/node-private/pull/782
PR-URL: https://github.com/nodejs-private/node-private/pull/796
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2026-21637

Gbp-Pq: Topic sec
Gbp-Pq: Name 33-tls-route-callback-exceptions-through-error-handlers.patch

9 days ago [PATCH] src: fix order of CHECK_NOT_NULL/dereference
Tobias Nießen [Mon, 18 Aug 2025 12:17:47 +0000 (14:17 +0200)]
[PATCH] src: fix order of CHECK_NOT_NULL/dereference

`ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS` may dereference
`req_wrap_async`, so `CHECK_NOT_NULL(req_wrap_async)` should be used
before and not after.

PR-URL: https://github.com/nodejs/node/pull/59487
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 29-fix-order-of-check-not-null.patch

9 days ago [PATCH] http2: do not crash on mismatched ping buffer length
René [Wed, 8 Oct 2025 23:23:34 +0000 (00:23 +0100)]
[PATCH] http2: do not crash on mismatched ping buffer length

PR-URL: https://github.com/nodejs/node/pull/60135
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 28-http2-do-not-crash-on-mismatched-ping-buffer-length.patch

9 days ago [PATCH] deps: V8: cherry-pick 6b1b9bca2a8
zhoumingtao [Wed, 30 Jul 2025 04:02:51 +0000 (12:02 +0800)]
[PATCH] deps: V8: cherry-pick 6b1b9bca2a8

Origin commit message:

    [loong64][codegen] Avoid memory access under stack pointer

    According to LoongArch ABI doc chapter 8.2:
      "Procedures must not assume the persistence on-stack data of which
       the addresses lie below the stack pointer."

    Change-Id: I92735e052227495ac9884c4290b57eaffbf905e1
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6786372
    Auto-Submit: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
    Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
    Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#101634}

Backport-PR-URL: https://github.com/nodejs/node/pull/59662
Refs: https://github.com/v8/v8/commit/6b1b9bca2a8fe9824bcc815a9ce642da904b91c3
PR-URL: https://github.com/nodejs/node/pull/59283
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 27-v8-loong64-avoid-memory-access-under-stack-pointer.patch

9 days ago [PATCH] v8: fix missing callback in heap utils destroy
Ruben Bridgewater [Mon, 30 Jun 2025 11:51:40 +0000 (13:51 +0200)]
[PATCH] v8: fix missing callback in heap utils destroy

This fixes the v8.getHeapSnapshot() calls not properly being
destroyed. Pipeline calls would for example not properly end
without the callback being in place.

PR-URL: https://github.com/nodejs/node/pull/58846
Reviewed-By: Ethan Arrowood <ethan@arrowood.dev>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Shelley Vohr <shelley.vohr@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 19-v8-fix-missing-callback-in-heap-utils-destroy.patch

9 days ago [PATCH] src: fix possible dereference of null pointer
Eusgor [Thu, 29 May 2025 20:01:48 +0000 (02:01 +0600)]
[PATCH] src: fix possible dereference of null pointer

There is a CHECK_NOT_NULL check before dereferencing node_env on
line 710 in the "if" block, but there is no CHECK_NOT_NULL check before
dereferencing node_env on line 721. Maybe it makes sense to put
CHECK_NOT_NULL right after calling the Environment::GetCurrent function.

PR-URL: https://github.com/nodejs/node/pull/58459
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 17-fix-possible-dereference-of-null-pointer.patch

9 days ago [PATCH] os: fix GetInterfaceAddresses memory leak
theanarkh [Sat, 5 Jul 2025 17:33:23 +0000 (01:33 +0800)]
[PATCH] os: fix GetInterfaceAddresses memory leak

PR-URL: https://github.com/nodejs/node/pull/58940
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 15-fix-os-getinterface-addresses-leak.patch

9 days ago [PATCH] http2: fix check for `frame->hd.type`
hanguanqiang [Wed, 9 Apr 2025 11:48:11 +0000 (19:48 +0800)]
[PATCH] http2: fix check for `frame->hd.type`

Related to CVE-2025-23085
According to the comment, this should be checking whether
`frame->hd.type` is `NGHTTP2_GOAWAY`, i.e. `0x07` and not `0x03`.

PR-URL: https://github.com/nodejs/node/pull/57644
Refs: https://github.com/nodejs/node/commit/1b693fa03a0d36bc1dc9ec8d95060e3e5ceeee7b
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 12-http2-fix-check-for-frame-type-goaway.patch

9 days ago [PATCH] zlib: fix pointer alignment
jhofstee [Wed, 9 Apr 2025 10:24:13 +0000 (12:24 +0200)]
[PATCH] zlib: fix pointer alignment

The function AllocForBrotli prefixes the allocated memory with its
size, and returns a pointer to the region after it. This pointer can
however no longer be suitably aligned. Correct this by allocating
the maximum of the size of the size_t and the max alignment.

On Arm 32bits the size_t is 4 bytes long, but the alignment is 8 for
some NEON instructions. When Brotli is compiled with optimizations
enabled newer GCC versions will use the NEON instructions and trigger
a bus error killing node.

see https://github.com/google/brotli/issues/1159

PR-URL: https://github.com/nodejs/node/pull/57727
Reviewed-By: Shelley Vohr <shelley.vohr@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Daniel Lemire <daniel@lemire.me>
Reviewed-By: Gerhard Stöbich <deb2001-github@yahoo.de>
Gbp-Pq: Topic sec
Gbp-Pq: Name 10-zlib-fix-pointer-alignment.patch

9 days ago skip useless files in build target
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
skip useless files in build target

Forwarded: https://github.com/nodejs/node/issues/55787

Gbp-Pq: Topic build
Gbp-Pq: Name no-deps.patch

9 days ago compile v8 without zlib static lib
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
compile v8 without zlib static lib

Last-Update: 2023-12-16
Forwarded: https://github.com/nodejs/node/issues/33848

it should have a minor performance impact

Gbp-Pq: Topic deps
Gbp-Pq: Name v8-no-static-zlib.patch

9 days ago build using ada upstream tarball component
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
build using ada upstream tarball component

Last-Update: 2023-11-30
Forwarded: not-needed

Gbp-Pq: Topic build
Gbp-Pq: Name ada.patch

9 days ago Harmonize V8 stack sizes on ARM architectures to match almost all other architectures
James Addison [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
Harmonize V8 stack sizes on ARM architectures to match almost all other architectures

Last-Update: 2023-02-28
Forwarded: https://github.com/nodejs/node/issues/41163

Gbp-Pq: Topic arm64
Gbp-Pq: Name stacksize.patch

9 days ago Use system paths for builtins
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
Use system paths for builtins

Last-Update: 2023-02-22
Forwarded: not-needed

Gbp-Pq: Topic build
Gbp-Pq: Name test_process_versions.patch

9 days ago fix link to home in html api
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
fix link to home in html api

Forwarded: not needed, in conflict with the meaning of home page
Last-Update: 2022-11-06

Gbp-Pq: Topic build
Gbp-Pq: Name doc_template_home.html

9 days ago allow vfp2 and allow setting arm_version option
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
allow vfp2 and allow setting arm_version option

Last-Update: 2022-08-29
Forwarded: https://github.com/nodejs/node/issues/44357

Gbp-Pq: Topic armel
Gbp-Pq: Name configure.patch

9 days ago skip buffer NaN internal representation check this fails on whatever archs having...
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
skip buffer NaN internal representation check this fails on whatever archs having other internal representations of NaN.

Last-Update: 2022-05-02
Forwarded: https://github.com/nodejs/node/issues/42945

Gbp-Pq: Topic build
Gbp-Pq: Name skip-buffer-nan-internal-check.patch

9 days ago remove google font from template.html, and link to local
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
remove google font from template.html, and link to local

Last-Update: 2015-09-09
Forwarded: not-needed

Gbp-Pq: Topic dfsg
Gbp-Pq: Name privacy_breach.patch

9 days ago Multiarch search path, arch triplet, DFHS path for modules
Bastien ROUCARIÈS [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
Multiarch search path, arch triplet, DFHS path for modules

Last-Update: 2018-09-30
Last-Update: 2020-03-04
Forwarded: https://github.com/nodejs/node/issues/22745
Reviewed-By: Xavier Guimard <yadd@debian.org>
Gbp-Pq: Topic dfsg
Gbp-Pq: Name multilib_modules.patch

9 days ago a test uses a benchmark that read alice.html, dfsg excluded
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
a test uses a benchmark that read alice.html, dfsg excluded

Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2020-03-04

Gbp-Pq: Topic dfsg
Gbp-Pq: Name benchmark_without_alice.patch

9 days ago use system-installed node-gyp for building test modules
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
use system-installed node-gyp for building test modules

Last-Update: 2015-09-09
Forwarded: not-needed

Gbp-Pq: Topic deps
Gbp-Pq: Name node_gyp.patch

9 days ago do not use dns.ADDRCONFIG for localhost
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
do not use dns.ADDRCONFIG for localhost

Last-Update: 2020-06-11
Bug-Debian: https://bugs.debian.org/962318
Forwarded: https://github.com/nodejs/node/issues/33816

it fails on IPv6-only systems. Setting it with libc fails on linux.
https://github.com/nodejs/node/issues/33279
https://lists.debian.org/debian-devel/2023/12/msg00011.html

Gbp-Pq: Topic deps
Gbp-Pq: Name localhost-no-addrconfig.patch

9 days ago keep nodejs compatible with libc-ares public headers
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
keep nodejs compatible with libc-ares public headers

Forwarded: not-needed
Last-Update: 2021-10-20

Gbp-Pq: Topic deps
Gbp-Pq: Name cares.patch

9 days ago adapt tools/test.py
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
adapt tools/test.py

Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2025-02-12

* log to stdout
* increase timeout multipliers
* rename --flaky-tests to --flaky-tests-mode and use --flaky-tests like --skip-tests

Gbp-Pq: Topic build
Gbp-Pq: Name test_ci.patch

9 days ago Link to -latomic by default
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
Link to -latomic by default

Last-Update: 2019-10-25
Forwarded: not-needed
Bug: https://github.com/nodejs/node/pull/28532
Bug: https://github.com/nodejs/node/issues/30093

This avoids surprises on mips*el/ppc*el

Gbp-Pq: Topic build
Gbp-Pq: Name flag_atomic.patch

9 days ago build doc using marked and js-yaml
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
build doc using marked and js-yaml

Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2021-03-03

While waiting for unified/remarked/rehyped modules to be available in debian

Gbp-Pq: Topic build
Gbp-Pq: Name doc.patch

9 days ago disable shared builtins when loading deps on demand
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
disable shared builtins when loading deps on demand

Last-Update: 2023-12-10
Forwarded: no, todo

This is to avoid preloading potentially missing files.

Gbp-Pq: Topic build
Gbp-Pq: Name builtins_module_paths_not_shareable.patch

9 days ago add acorn, walk to shared builtins
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
add acorn, walk to shared builtins

Last-Update: 2022-09-28
Forwarded: https://github.com/nodejs/node/pull/44376

Gbp-Pq: Topic build
Gbp-Pq: Name more_shareable_builtins.patch

9 days ago nodejs (20.19.2+dfsg-1+deb13u2) trixie-security; urgency=medium
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
nodejs (20.19.2+dfsg-1+deb13u2) trixie-security; urgency=medium

  * Upstream security patches:
    + CVE-2026-21713: use timing-safe comparison in Web Cryptography HMAC
    + CVE-2026-21717: fix array index hash collision
    + CVE-2026-21710: http: use null prototype for headersDistinct/trailersDistinct
    + CVE-2026-21716: include permission check on lib/fs/promises
    + CVE-2026-21715: add permission check to realpath.native
    + CVE-2026-21714: handle NGHTTP2_ERR_FLOW_CONTROL error code
    + CVE-2026-21637: tls wrap SNICallback invocation in try/catch
  * copyright: add rapidhash from sec/51 patch

[dgit import unpatched nodejs 20.19.2+dfsg-1+deb13u2]

9 days ago Import nodejs_20.19.2+dfsg-1+deb13u2.debian.tar.xz
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
Import nodejs_20.19.2+dfsg-1+deb13u2.debian.tar.xz

[dgit import tarball nodejs 20.19.2+dfsg-1+deb13u2 nodejs_20.19.2+dfsg-1+deb13u2.debian.tar.xz]

10 months ago Import nodejs_20.19.2+dfsg.orig.tar.xz
Jérémy Lal [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
Import nodejs_20.19.2+dfsg.orig.tar.xz

[dgit import orig nodejs_20.19.2+dfsg.orig.tar.xz]

10 months ago Import nodejs_20.19.2+dfsg.orig-ada.tar.xz
Jérémy Lal [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
Import nodejs_20.19.2+dfsg.orig-ada.tar.xz

[dgit import orig nodejs_20.19.2+dfsg.orig-ada.tar.xz]

10 months ago Import nodejs_20.19.2+dfsg.orig-types-node.tar.xz
Jérémy Lal [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
Import nodejs_20.19.2+dfsg.orig-types-node.tar.xz

[dgit import orig nodejs_20.19.2+dfsg.orig-types-node.tar.xz]