From: Raspbian automatic forward porter Date: Tue, 19 May 2026 00:07:39 +0000 (+0100) Subject: Merge version 18.20.4+dfsg-1~deb12u1+rpi1 and 18.20.4+dfsg-1~deb12u2 to produce 18... X-Git-Tag: archive/raspbian/18.20.4+dfsg-1_deb12u2+rpi1^0 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=9be5b73c27496e99b753dfbb227c39de3afbf6b2;p=nodejs.git Merge version 18.20.4+dfsg-1~deb12u1+rpi1 and 18.20.4+dfsg-1~deb12u2 to produce 18.20.4+dfsg-1~deb12u2+rpi1 --- 9be5b73c27496e99b753dfbb227c39de3afbf6b2 diff --cc debian/changelog index f07de28df,2a30060de..37ff39758 --- a/debian/changelog +++ b/debian/changelog @@@ -1,11 -1,89 +1,98 @@@ - nodejs (18.20.4+dfsg-1~deb12u1+rpi1) bookworm-staging; urgency=medium ++nodejs (18.20.4+dfsg-1~deb12u2+rpi1) bookworm-staging; urgency=medium + + [changes brought forward from 18.10.0+dfsg-6+rpi1 by Peter Michael Green at Tue, 15 Nov 2022 03:51:54 +0000] + * Set --with-arm-version=6 on raspbian. + * Use armv6k CFLAGS on raspbian. + * Disable testsuite. + - -- Raspbian forward porter Thu, 04 Sep 2025 12:35:35 +0000 ++ -- Raspbian forward porter Tue, 19 May 2026 00:07:39 +0000 ++ + nodejs (18.20.4+dfsg-1~deb12u2) bookworm-security; urgency=medium + + * Team upload + * Fix CVE-2025-23085: + A memory leak could occur when a remote peer abruptly closes + the socket without sending a GOAWAY notification. Additionally, + if an invalid header was detected by nghttp2, causing the + connection to be terminated by the peer, the same leak was + triggered. This flaw could lead to increased memory consumption + and potential denial of service under certain conditions + (Closes: #1094134) + * Fix CVE-2025-23166: + The C++ method SignTraits::DeriveBits() may incorrectly call + ThrowException() based on user-supplied inputs when executing + in a background thread, crashing the Node.js process. + Such cryptographic operations are commonly applied to + untrusted inputs. 
Thus, this mechanism potentially allows + an adversary to remotely crash a Node.js runtime. + (Closes: #1105832) + * Fix CVE-2025-55131: + A flaw in Node.js's buffer allocation logic can expose uninitialized + memory when allocations are interrupted, when using the `vm` module + with the timeout option. Under specific timing conditions, buffers + allocated with `Buffer.alloc` and other `TypedArray` instances like + `Uint8Array` may contain leftover data from previous operations, + allowing in-process secrets like tokens or passwords to leak or + causing data corruption. While exploitation typically requires precise + timing or in-process code execution, it can become remotely + exploitable when untrusted input influences workload and timeouts, + leading to potential confidentiality and integrity impact. + * Fix CVE-2025-59465: + A malformed `HTTP/2 HEADERS` frame with oversized, invalid + `HPACK` data can cause Node.js to crash by triggering an + unhandled `TLSSocket` error `ECONNRESET`. Instead of safely + closing the connection, the process crashes, enabling a remote + denial of service. This primarily affects applications that + do not attach explicit error handlers to secure sockets, + for example: ``` server.on('secureConnection', socket => + { socket.on('error', err => { console.log(err) }) }) ``` + * Fix CVE-2025-59466: + async_hooks would cause stack overflow + exceptions to exit with code 7 (kExceptionInFatalExceptionHandler) + instead of being catchable. + When a stack overflow exception occurs during async_hooks callbacks + (which use TryCatchScope::kFatal), detect the specific "Maximum call + stack size exceeded" RangeError and re-throw it instead of immediately + calling FatalException. This allows user code to catch the exception + with try-catch blocks instead of requiring uncaughtException handlers. 
+ * Fix CVE-2025-23166: + A flaw in Node.js TLS error handling allows remote attackers to crash + or exhaust resources of a TLS server when `pskCallback` or + `ALPNCallback` are in use. Synchronous exceptions thrown during these + callbacks bypass standard TLS error handling paths (tlsClientError and + error), causing either immediate process termination or silent file + descriptor leaks that eventually lead to denial of service. Because + these callbacks process attacker-controlled input during the TLS + handshake, a remote client can repeatedly trigger the issue. This + vulnerability affects TLS servers using PSK or ALPN callbacks across. + * Fix CVE-2026-21710: + A flaw in Node.js HTTP request handling causes an uncaught `TypeError` + when a request is received with a header named `__proto__` and the + application accesses `req.headersDistinct`. When this occurs, + `dest["__proto__"]` resolves to `Object.prototype` rather than + `undefined`, causing `.push()` to be called on a non-array. This + exception is thrown synchronously inside a property getter and cannot + be intercepted by `error` event listeners, meaning it cannot be + handled without wrapping every `req.headersDistinct` access in a + `try/catch` + * Fix CVE-2026-21713: + A flaw in Node.js HMAC verification uses a non-constant-time + comparison when validating user-provided signatures, potentially + leaking timing information proportional to the number of matching + bytes. Under certain threat models where high-resolution timing + measurements are possible, this behavior could be exploited as a + timing oracle to infer HMAC values. Node.js already provides + timing-safe comparison primitives used elsewhere in the codebase, + indicating this is an oversight rather than an intentional design + decision. 
+ * Fix CVE-2026-21714: + A memory leak occurs in Node.js HTTP/2 servers when a client sends + WINDOW_UPDATE frames on stream 0 (connection-level) that cause the + flow control window to exceed the maximum value of 2³¹-1. The server + correctly sends a GOAWAY frame, but the Http2Session object is never + cleaned up. + + -- Bastien Roucariès Mon, 06 Apr 2026 16:18:52 +0200 nodejs (18.20.4+dfsg-1~deb12u1) bookworm-security; urgency=medium
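Review bot: CVE-2025-23166 is listed twice in the 18.20.4+dfsg-1~deb12u2 entry with two unrelated descriptions, first for `SignTraits::DeriveBits()` calling `ThrowException()` in a background thread and again for synchronous exceptions thrown in `pskCallback` or `ALPNCallback`. One of the two labels is presumably wrong, so a reader cannot tell which CVE the TLS callback fix addresses; check it against the upstream advisory and correct the identifier. That second entry also ends mid-sentence ("using PSK or ALPN callbacks across."), and the CVE-2026-21710 entry stops at "`try/catch`" without closing punctuation. Only the first two fixes carry a `Closes:` bug reference; add the rest if bugs exist for them. Separately, the merged +rpi1 entry still carries forward "Disable testsuite", so this batch of security fixes is built on raspbian without the test suite being run; confirm that is still intended.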