- nodejs (18.20.4+dfsg-1~deb12u1+rpi1) bookworm-staging; urgency=medium
++nodejs (18.20.4+dfsg-1~deb12u2+rpi1) bookworm-staging; urgency=medium
+
+ [changes brought forward from 18.10.0+dfsg-6+rpi1 by Peter Michael Green <plugwash@raspbian.org> at Tue, 15 Nov 2022 03:51:54 +0000]
+ * Set --with-arm-version=6 on raspbian.
+ * Use armv6k CFLAGS on raspbian.
+ * Disable testsuite.
+
- -- Raspbian forward porter <root@raspbian.org> Thu, 04 Sep 2025 12:35:35 +0000
++ -- Raspbian forward porter <root@raspbian.org> Tue, 19 May 2026 00:07:39 +0000
++
+ nodejs (18.20.4+dfsg-1~deb12u2) bookworm-security; urgency=medium
+
+ * Team upload
+ * Fix CVE-2025-23085:
+ A memory leak could occur when a remote peer abruptly closes
+ the socket without sending a GOAWAY notification. Additionally,
+ if an invalid header was detected by nghttp2, causing the
+ connection to be terminated by the peer, the same leak was
+ triggered. This flaw could lead to increased memory consumption
+ and potential denial of service under certain conditions
+ (Closes: #1094134)
+ * Fix CVE-2025-23166:
+ The C++ method SignTraits::DeriveBits() may incorrectly call
+ ThrowException() based on user-supplied inputs when executing
+ in a background thread, crashing the Node.js process.
+ Such cryptographic operations are commonly applied to
+ untrusted inputs. Thus, this mechanism potentially allows
+ an adversary to remotely crash a Node.js runtime.
+ (Closes: #1105832)
+ * Fix CVE-2025-55131:
+ A flaw in Node.js's buffer allocation logic can expose uninitialized
+ memory when allocations are interrupted, when using the `vm` module
+ with the timeout option. Under specific timing conditions, buffers
+ allocated with `Buffer.alloc` and other `TypedArray` instances like
+ `Uint8Array` may contain leftover data from previous operations,
+ allowing in-process secrets like tokens or passwords to leak or
+ causing data corruption. While exploitation typically requires precise
+ timing or in-process code execution, it can become remotely
+ exploitable when untrusted input influences workload and timeouts,
+ leading to potential confidentiality and integrity impact.
+ * Fix CVE-2025-59465:
+ A malformed `HTTP/2 HEADERS` frame with oversized, invalid
+ `HPACK` data can cause Node.js to crash by triggering an
+ unhandled `TLSSocket` error `ECONNRESET`. Instead of safely
+ closing the connection, the process crashes, enabling a remote
+ denial of service. This primarily affects applications that
+ do not attach explicit error handlers to secure sockets,
+ for example: ``` server.on('secureConnection', socket =>
+ { socket.on('error', err => { console.log(err) }) }) ```
+ * Fix CVE-2025-59466:
+ async_hooks would cause stack overflow
+ exceptions to exit with code 7 (kExceptionInFatalExceptionHandler)
+ instead of being catchable.
+ When a stack overflow exception occurs during async_hooks callbacks
+ (which use TryCatchScope::kFatal), detect the specific "Maximum call
+ stack size exceeded" RangeError and re-throw it instead of immediately
+ calling FatalException. This allows user code to catch the exception
+ with try-catch blocks instead of requiring uncaughtException handlers.
+ * Fix CVE-2025-23166:
+ A flaw in Node.js TLS error handling allows remote attackers to crash
+ or exhaust resources of a TLS server when `pskCallback` or
+ `ALPNCallback` are in use. Synchronous exceptions thrown during these
+ callbacks bypass standard TLS error handling paths (tlsClientError and
+ error), causing either immediate process termination or silent file
+ descriptor leaks that eventually lead to denial of service. Because
+ these callbacks process attacker-controlled input during the TLS
+ handshake, a remote client can repeatedly trigger the issue. This
+ vulnerability affects TLS servers using PSK or ALPN callbacks across.
+ * Fix CVE-2026-21710:
+ A flaw in Node.js HTTP request handling causes an uncaught `TypeError`
+ when a request is received with a header named `__proto__` and the
+ application accesses `req.headersDistinct`. When this occurs,
+ `dest["__proto__"]` resolves to `Object.prototype` rather than
+ `undefined`, causing `.push()` to be called on a non-array. This
+ exception is thrown synchronously inside a property getter and cannot
+ be intercepted by `error` event listeners, meaning it cannot be
+ handled without wrapping every `req.headersDistinct` access in a
+ `try/catch`
+ * Fix CVE-2026-21713:
+ A flaw in Node.js HMAC verification uses a non-constant-time
+ comparison when validating user-provided signatures, potentially
+ leaking timing information proportional to the number of matching
+ bytes. Under certain threat models where high-resolution timing
+ measurements are possible, this behavior could be exploited as a
+ timing oracle to infer HMAC values. Node.js already provides
+ timing-safe comparison primitives used elsewhere in the codebase,
+ indicating this is an oversight rather than an intentional design
+ decision.
+ * Fix CVE-2026-21714:
+ A memory leak occurs in Node.js HTTP/2 servers when a client sends
+ WINDOW_UPDATE frames on stream 0 (connection-level) that cause the
+ flow control window to exceed the maximum value of 2³¹-1. The server
+ correctly sends a GOAWAY frame, but the Http2Session object is never
+ cleaned up.
+
+ -- Bastien Roucariès <rouca@debian.org> Mon, 06 Apr 2026 16:18:52 +0200
nodejs (18.20.4+dfsg-1~deb12u1) bookworm-security; urgency=medium
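Review bot: The second "Fix CVE-2025-23166" item (the TLS pskCallback/ALPNCallback one) reuses the identifier already given to the SignTraits::DeriveBits() fix earlier in the same entry, yet it describes a different flaw. One of the two ids has to be wrong, so check it against the upstream advisory and correct it so the changelog attributes the fix to the right CVE. That same item also stops mid-sentence at "across." and should be completed or trimmed. In the CVE-2025-59465 item, the text says the crash affects applications that do not attach explicit error handlers and then, after "for example:", shows a snippet that does attach one; say explicitly that the snippet is the handler that avoids the crash. Because the Raspbian entry carries forward "Disable testsuite", none of these backported fixes are exercised by the test suite in this rebuild, which is worth stating in the entry or covering with a manual run of the HTTP/2 and TLS tests on armv6.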