From: Raspbian automatic forward porter Date: Thu, 4 Sep 2025 12:35:36 +0000 (+0100) Subject: Merge version 18.19.0+dfsg-6~deb12u2+rpi1 and 18.20.4+dfsg-1~deb12u1 to produce 18... X-Git-Tag: archive/raspbian/18.20.4+dfsg-1_deb12u1+rpi1^0 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=665fa233226fbf44b76fd5b4b0ef5f9c3b1345d6;p=nodejs.git Merge version 18.19.0+dfsg-6~deb12u2+rpi1 and 18.20.4+dfsg-1~deb12u1 to produce 18.20.4+dfsg-1~deb12u1+rpi1 --- 665fa233226fbf44b76fd5b4b0ef5f9c3b1345d6 diff --cc debian/changelog index 1f21ef5fe,d35c931d1..f07de28df --- a/debian/changelog +++ b/debian/changelog @@@ -1,11 -1,27 +1,36 @@@ - nodejs (18.19.0+dfsg-6~deb12u2+rpi1) bookworm-staging; urgency=medium ++nodejs (18.20.4+dfsg-1~deb12u1+rpi1) bookworm-staging; urgency=medium + + [changes brought forward from 18.10.0+dfsg-6+rpi1 by Peter Michael Green at Tue, 15 Nov 2022 03:51:54 +0000] + * Set --with-arm-version=6 on raspbian. + * Use armv6k CFLAGS on raspbian. + * Disable testsuite. + - -- Raspbian forward porter Mon, 01 Jul 2024 11:34:30 +0000 ++ -- Raspbian forward porter Thu, 04 Sep 2025 12:35:35 +0000 ++ + nodejs (18.20.4+dfsg-1~deb12u1) bookworm-security; urgency=medium + + * New upstream version 18.20.4+dfsg. Closes: #1074047. + * M.U.T.: bump ada to 2.7.8, keep node-types to 18.18.14 + for compatibility with other packages. + * test-runner-output is flaky on slow platforms + * Disable test-cluster-primary-* flaky/hanging tests. + * Fix test failing with openssl 3.0.14. Closes: #1086652. 
+ * CVE-2024-22020: Bypass network import restriction via data URL (Medium) + * CVE-2024-36138: Bypass incomplete fix of CVE-2024-27980 (High) + * CVE-2024-27983: Assertion failed in node::http2::Http2Session::~Http2Session() + leads to HTTP/2 server crash (High) + * CVE-2024-27982: HTTP Request Smuggling via Content Length Obfuscation (Medium) + * CVE-2024-22025: Denial of Service by resource exhaustion in fetch() + brotli decoding (Medium) + * CVE-2024-21892: Code injection and privilege escalation + through Linux capabilities (High) + * CVE-2024-22019: Reading unprocessed HTTP request with + unbounded chunk extension allows DoS attacks (High) + * CVE-2023-46809: Node.js is vulnerable to the Marvin Attack (Medium) + * Static link on 32bits architecture libuv. Closes: #922075, #1076350. + Thanks to Bastien Roucariès. + + -- Jérémy Lal Tue, 09 Jul 2024 17:36:33 +0200 nodejs (18.19.0+dfsg-6~deb12u2) bookworm; urgency=medium
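Review bot: The carried-forward "* Disable testsuite." line in the merged 18.20.4+dfsg-1~deb12u1+rpi1 entry means the test work listed in the 18.20.4+dfsg-1~deb12u1 entry below it (the openssl 3.0.14 test fix, the disabled test-cluster-primary-* tests) never runs on the Raspbian build, so the eight CVE fixes in that entry ship for the armv6 target without a test run there. The rpi1 entry should say why the suite is still disabled for this security update and how the armv6 build is validated instead. Separately, "* test-runner-output is flaky on slow platforms" in the security entry names a symptom but no action; the changelog should say whether that test is skipped, marked flaky or patched.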