Raspbian automatic forward porter [Tue, 19 May 2026 00:07:39 +0000 (01:07 +0100)]
Merge version 18.20.4+dfsg-1~deb12u1+rpi1 and 18.20.4+dfsg-1~deb12u2 to produce 18.20.4+dfsg-1~deb12u2+rpi1
Bastien Roucariès [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
Merge nodejs (18.20.4+dfsg-1~deb12u2) import into refs/heads/workingbranch
RafaelGSS [Wed, 11 Mar 2026 14:22:23 +0000 (11:22 -0300)]
src: handle NGHTTP2_ERR_FLOW_CONTROL error code
Refs: https://hackerone.com/reports/3531737
PR-URL: https://github.com/nodejs-private/node-private/pull/832
CVE-ID: CVE-2026-21714
origin: https://github.com/nodejs/node/commit/a0c73425da4c95fbcf6c13b7fe8921301290b8e6
Gbp-Pq: Name CVE-2026-21714.patch
Filip Skokan [Fri, 20 Feb 2026 11:32:14 +0000 (12:32 +0100)]
crypto: use timing-safe comparison in Web Cryptography HMAC
Use `CRYPTO_memcmp` instead of `memcmp` in `HMAC`
Web Cryptography algorithm implementations.
Ref: https://hackerone.com/reports/3533945
PR-URL: https://github.com/nodejs-private/node-private/pull/831
Refs: https://hackerone.com/reports/3533945
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
CVE-ID: CVE-2026-21713
origin: https://github.com/nodejs/node/commit/cfb51fa9ce1da2a8c810ec35bcc7c000f8c94fafy
Gbp-Pq: Name CVE-2026-21713.patch
Matteo Collina [Thu, 19 Feb 2026 14:49:43 +0000 (15:49 +0100)]
http: use null prototype for headersDistinct/trailersDistinct
Use { __proto__: null } instead of {} when initializing the
headersDistinct and trailersDistinct destination objects.
A plain {} inherits from Object.prototype, so when a __proto__
header is received, dest["__proto__"] resolves to Object.prototype
(truthy), causing _addHeaderLineDistinct to call .push() on it,
which throws an uncaught TypeError and crashes the process.
Ref: https://hackerone.com/reports/3560402
PR-URL: https://github.com/nodejs-private/node-private/pull/821
Refs: https://hackerone.com/reports/3560402
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2026-21710
origin: https://github.com/nodejs/node/commit/00ad47a28eb2e3dc0ff5610d58c53341acf3cf8d
Gbp-Pq: Name CVE-2026-21710.patch
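The commit above explains why a plain `{}` destination fails on a `__proto__` header. As an added example (not Node.js project code, and only a model of the accumulation logic the commit describes), the block below runs the same header list through a plain-object destination and a null-prototype destination. `addHeaderLineDistinct`, `buildDistinct` and the raw header list are constructed for this example.

```javascript
// Added example (not Node.js project code): a minimal model of the
// headersDistinct accumulation, with the plain-object destination that the
// commit replaces beside the null-prototype destination it introduces.

// Mirrors the shape of the per-line step: append each value to an array keyed
// by the lower-cased header name, creating the array on first sight.
function addHeaderLineDistinct(dest, field, value) {
  field = field.toLowerCase();
  if (!dest[field]) {
    dest[field] = [value];
  } else {
    dest[field].push(value);
  }
}

function buildDistinct(dest, rawHeaders) {
  // rawHeaders is a flat [name, value, name, value, ...] list, as in req.rawHeaders
  for (let i = 0; i < rawHeaders.length; i += 2) {
    addHeaderLineDistinct(dest, rawHeaders[i], rawHeaders[i + 1]);
  }
  return dest;
}

// Constructed raw header list; the second pair carries the problematic name.
const RAW_HEADERS = ['Host', 'example.test', '__proto__', 'x', 'X-Id', '1', 'X-Id', '2'];

// Before the fix: {} inherits Object.prototype, so dest['__proto__'] resolves to
// Object.prototype (truthy, not an array) and .push() throws a TypeError.
function distinctWithPlainObject(rawHeaders) {
  try {
    return { ok: true, headers: buildDistinct({}, rawHeaders) };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

// After the fix: { __proto__: null } inherits nothing, so dest['__proto__'] starts
// undefined and the header is stored as an ordinary own property.
function distinctWithNullProto(rawHeaders) {
  try {
    return { ok: true, headers: buildDistinct({ __proto__: null }, rawHeaders) };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

console.log(distinctWithPlainObject(RAW_HEADERS));
console.log(distinctWithNullProto(RAW_HEADERS));
```

The same reasoning applies to any map keyed by attacker-chosen strings: names such as `constructor` or `hasOwnProperty` also resolve through `Object.prototype` on a plain object, which is why a null-prototype object (or a `Map`) is the safer destination.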
Matteo Collina [Tue, 17 Feb 2026 13:26:17 +0000 (14:26 +0100)]
tls: wrap SNICallback invocation in try/catch
Wrap the owner._SNICallback() invocation in loadSNI() with try/catch
to route exceptions through owner.destroy() instead of letting them
become uncaught exceptions. This completes the fix from CVE-2026-21637
which added try/catch protection to callALPNCallback,
onPskServerCallback, and onPskClientCallback but missed loadSNI().
Without this fix, a remote unauthenticated attacker can crash any
Node.js TLS server whose SNICallback may throw on unexpected input
by sending a single TLS ClientHello with a crafted server_name value.
Fixes: https://hackerone.com/reports/3556769
Refs: https://hackerone.com/reports/3473882
CVE-ID: CVE-2026-21637
PR-URL: https://github.com/nodejs-private/node-private/pull/839
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2026-21637
origin: https://github.com/nodejs/node/commit/cc3f294507c715908b2b31a5301e295b3de04152
Gbp-Pq: Name CVE-2026-21637_post1.patch
Matteo Collina [Mon, 22 Dec 2025 17:25:33 +0000 (18:25 +0100)]
tls: route callback exceptions through error handlers
Wrap pskCallback and ALPNCallback invocations in try-catch blocks
to route exceptions through owner.destroy() instead of letting them
become uncaught exceptions. This prevents remote attackers from
crashing TLS servers or causing resource exhaustion.
Fixes: https://hackerone.com/reports/3473882
PR-URL: https://github.com/nodejs-private/node-private/pull/782
PR-URL: https://github.com/nodejs-private/node-private/pull/796
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2026-21637
origin: backport, https://github.com/nodejs/node/commit/85f73e7057e9badf6e7713f7440769375cdb5df5
Gbp-Pq: Name CVE-2026-21637.patch
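The two TLS commits above (the SNICallback follow-up and the original pskCallback/ALPNCallback fix) apply one pattern: a synchronous throw from a user-supplied handshake callback is routed into `owner.destroy(err)` instead of escaping as an uncaught exception. The following is an added example, not Node.js code, that models that pattern with a stand-in socket object. `FakeTlsSocket`, `invokeUnguarded`, `invokeGuarded`, `fragileSniCallback` and `simulateHandshake` are names chosen for this example, and the server names are constructed.

```javascript
// Added example (not Node.js project code): the unguarded callback invocation
// beside the try/catch-guarded one, with a stand-in for the TLSSocket owner.

// Stand-in for the TLSSocket: destroy(err) is what the fix routes errors into.
class FakeTlsSocket {
  constructor() {
    this.destroyed = false;
    this.errorsRouted = [];
  }
  destroy(err) {
    if (this.destroyed) return;
    this.destroyed = true;
    if (err) this.errorsRouted.push(err);
  }
}

// Before the fix: whatever the callback throws propagates to the caller, which in
// the real server means the event loop and an uncaught exception.
function invokeUnguarded(owner, callback, input) {
  return callback(input);
}

// After the fix: the same call, with a synchronous throw converted into socket
// teardown so the server process itself keeps running.
function invokeGuarded(owner, callback, input) {
  try {
    return callback(input);
  } catch (err) {
    owner.destroy(err);
    return undefined;
  }
}

// A user SNICallback that is only robust for the names it expects (constructed).
// A Map is used so the lookup cannot be confused by prototype property names.
const CONTEXTS = new Map([['app.example.test', 'ctx-app']]);
function fragileSniCallback(servername) {
  if (!CONTEXTS.has(servername)) throw new Error('no context for ' + servername);
  return CONTEXTS.get(servername);
}

// Drive one handshake-time callback through the chosen invocation strategy and
// report what happened to the socket and whether anything escaped.
function simulateHandshake(invoke, servername) {
  const owner = new FakeTlsSocket();
  let uncaught = false;
  let ctx;
  try {
    ctx = invoke(owner, fragileSniCallback, servername);
  } catch (err) {
    uncaught = true;
  }
  return {
    ctx,
    uncaught,
    destroyed: owner.destroyed,
    errorsRouted: owner.errorsRouted.length,
  };
}

console.log(simulateHandshake(invokeUnguarded, 'app.example.test'));
console.log(simulateHandshake(invokeUnguarded, 'other.example.test'));
console.log(simulateHandshake(invokeGuarded, 'other.example.test'));
```

The guard does not make the callback correct; it bounds the blast radius to the one connection whose input the callback could not handle. Application code should still validate `servername`, ALPN protocols and PSK identities inside the callback and return a clean failure, since a destroyed socket per bad handshake is still a cost the server pays.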
RafaelGSS [Mon, 12 May 2025 15:33:54 +0000 (12:33 -0300)]
src: fix error handling on async crypto operations
Fixes: https://hackerone.com/reports/2817648
Co-Authored-By: Filip Skokan <panva.ip@gmail.com>
Co-Authored-By: Tobias Nießen <tniessen@tnie.de>
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/688
CVE-ID: CVE-2025-23166
PR-URL: https://github.com/nodejs-private/node-private/pull/710
origin: backport, https://github.com/nodejs/node/commit/6c57465920cf1b981a63031e71b1e4a73bf9beaa
Gbp-Pq: Name CVE-2025-23166.patch
RafaelGSS [Tue, 17 Dec 2024 19:58:03 +0000 (16:58 -0300)]
src: fix HTTP2 mem leak on premature close and ERR_PROTO
This commit fixes a memory leak when the socket is
suddenly closed by the peer (without GOAWAY notification)
and when an invalid header is identified (by nghttp2) and the
connection is terminated by the peer.
Refs: https://hackerone.com/reports/2841362
PR-URL: https://github.com/nodejs-private/node-private/pull/650
Reviewed-By: James M Snell <jasnell@gmail.com>
CVE-ID: CVE-2025-23085
origin: https://github.com/nodejs/node/commit/6cc8d58e6f97c37c228f134bd9b98246c8871fb1
Gbp-Pq: Name CVE-2025-23085.patch
Matteo Collina [Sun, 26 Apr 2026 15:21:57 +0000 (17:21 +0200)]
src: rethrow stack overflow exceptions in async_hooks
When a stack overflow exception occurs during async_hooks callbacks (which use TryCatchScope::kFatal), detect the specific "Maximum call stack size exceeded" RangeError and re-throw it instead of immediately calling FatalException. This allows user code to catch the exception with try-catch blocks instead of requiring uncaughtException handlers.
The implementation adds IsStackOverflowError() helper to detect stack
overflow RangeErrors and re-throws them in TryCatchScope destructor
instead of calling FatalException.
This fixes the issue where async_hooks would cause stack overflow
exceptions to exit with code 7 (kExceptionInFatalExceptionHandler)
instead of being catchable.
Fixes: #37989
Ref: https://hackerone.com/reports/3456295
PR-URL: nodejs-private/node-private#773
Refs: https://hackerone.com/reports/3456295
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
CVE-ID: CVE-2025-59466
origin: backport, https://github.com/nodejs/node/commit/d7a5c587c02ebe18f9fe4de986bac55d80c2868f
bug: https://nodejs.org/en/blog/vulnerability/december-2025-security-releases#uncatchable-maximum-call-stack-size-exceeded-error-on-nodejs-via-async_hooks-leads-to-process-crashes-bypassing-error-handlers-cve-2025-59466---medium
Gbp-Pq: Name CVE-2025-59466.patch
RafaelGSS [Fri, 31 Oct 2025 19:27:48 +0000 (16:27 -0300)]
lib: add TLSSocket default error handler
This prevents the server from crashing due to an unhandled rejection
when a TLSSocket connection is abruptly destroyed during initialization
and the user has not attached an error handler to the socket.
e.g:
```js
const server = http2.createSecureServer({ ... })
server.on('secureConnection', socket => {
socket.on('error', err => {
console.log(err)
})
})
```
PR-URL: https://github.com/nodejs-private/node-private/pull/797
Fixes: https://github.com/nodejs/node/issues/44751
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=3262404
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
CVE-ID: CVE-2025-59465
Gbp-Pq: Name CVE-2025-59465.patch
ChALkeR Nikita Skovoroda [Mon, 6 Apr 2026 14:13:34 +0000 (16:13 +0200)]
src,lib: refactor unsafe buffer creation to remove zero-fill toggle
This removes the zero-fill toggle mechanism that allowed JavaScript
to control ArrayBuffer initialization via shared memory. Instead,
unsafe buffer creation now uses a dedicated C++ API.
Refs: https://hackerone.com/reports/3405778
Co-Authored-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Co-Authored-By: Joyee Cheung <joyeec9h3@gmail.com>
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: https://github.com/nodejs-private/node-private/pull/759
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/799
CVE-ID: CVE-2025-55131
origin: backport, https://github.com/nodejs/node/commit/51f4de4b4a52b5b0eb2c63ecbb4126577e05f636
Gbp-Pq: Name CVE-2025-55131.patch
Debian Javascript Maintainers [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
Fix CVE-2024-24806
Bug: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
Bug-Debian: https://bugs.debian.org/1063484
Origin: https://github.com/libuv/libuv
git diff v1.48.0~5..v1.48.0~2
From upstream change log:
Merge pull request from GHSA-f74f-cvh7-c6q6
* fix: always zero-terminate idna output
* fix: reject zero-length idna inputs
* test: empty strings are not valid IDNA
See also https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
===================================================================
Gbp-Pq: Topic libuv
Gbp-Pq: Name fix-cve-2024-24806
Mauricio Faria de Oliveira [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
fix undefined path_max for st_size zero
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1792647
Bug-Debian: https://bugs.debian.org/909011
Reviewed-by: dod
The downstream 'path_max' patch in Debian sets the buffer size
for readlink() to the 'st_size' value obtained with lstat().
However, it might be zero for some symlinks in /proc on Linux
(notably /proc/self) leading to readlink() failing with EINVAL.
$ strace -e lstat stat /proc/self 2>&1 \
| grep -e lstat -e File: -e Size:
lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
File: /proc/self -> 30875
Size: 0 Blocks: 0 IO Block: 1024 symbolic link
This causes readlink (tool) to files like /dev/stdin to fail,
which may link to /proc/self/fd/0 on containers or elsewhere.
Test-case:
ubuntu@cosmic:~/node$
$ strace -E LD_LIBRARY_PATH=/usr/local/lib/ -f -e lstat,readlink \
node test/parallel/test-fs-realpath-pipe.js
With path_max:
[pid 17785] lstat("/dev", {st_mode=S_IFDIR|0755, st_size=480, ...}) = 0
[pid 17786] lstat("/dev/stdin", {st_mode=S_IFLNK|0777, st_size=15, ...}) = 0
[pid 17788] lstat("/dev/stdin", {st_mode=S_IFLNK|0777, st_size=15, ...}) = 0
[pid 17788] readlink("/dev/stdin", "/proc/self/fd/0", 15) = 15
[pid 17785] lstat("/proc", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 17786] lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
[pid 17788] lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
[pid 17788] readlink("/proc/self", 0x7f2a6c000b40, 0) = -1 EINVAL (Invalid argument)
Without path_max:
[pid 18114] lstat("/dev", {st_mode=S_IFDIR|0755, st_size=480, ...}) = 0
[pid 18114] lstat("/dev/stdin", {st_mode=S_IFLNK|0777, st_size=15, ...}) = 0
[pid 18114] readlink("/dev/stdin", "/proc/self/fd/0", 4096) = 15
[pid 18114] lstat("/proc", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 18114] lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
[pid 18114] readlink("/proc/self", "18114", 4096) = 5
[pid 18114] lstat("/proc/18114", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 18114] lstat("/proc/18114/fd", {st_mode=S_IFDIR|0500, st_size=0, ...}) = 0
[pid 18114] lstat("/proc/18114/fd/0", {st_mode=S_IFLNK|0700, st_size=64, ...}) = 0
[pid 18114] readlink("/proc/18114/fd/0", "socket:[199607]", 4096) = 15
With this patch on top of path_max:
[pid 18433] lstat("/dev", {st_mode=S_IFDIR|0755, st_size=480, ...}) = 0
[pid 18433] lstat("/dev/stdin", {st_mode=S_IFLNK|0777, st_size=15, ...}) = 0
[pid 18433] lstat("/dev/stdin", {st_mode=S_IFLNK|0777, st_size=15, ...}) = 0
[pid 18433] readlink("/dev/stdin", "/proc/self/fd/0", 15) = 15
[pid 18433] lstat("/proc", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 18433] lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
[pid 18433] lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
[pid 18433] readlink("/proc/self", "18433", 256) = 5
[pid 18433] lstat("/proc/18433", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 18433] lstat("/proc/18433/fd", {st_mode=S_IFDIR|0500, st_size=0, ...}) = 0
[pid 18433] lstat("/proc/18433/fd/0", {st_mode=S_IFLNK|0700, st_size=64, ...}) = 0
[pid 18433] lstat("/proc/18433/fd/0", {st_mode=S_IFLNK|0700, st_size=64, ...}) = 0
[pid 18433] readlink("/proc/18433/fd/0", "socket:[191351]", 64) = 15
Reviewed-by: dod
Gbp-Pq: Topic libuv
Gbp-Pq: Name path_max_zero_st_size
Bastien Roucariès [Sun, 27 Apr 2025 13:42:15 +0000 (15:42 +0200)]
Get libuv nodejs in sync with libuv/bookworm
forwarded: not-needed
Gbp-Pq: Topic libuv
Gbp-Pq: Name 0000-bookworm-sync.patch
Debian Javascript Maintainers [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
openssl 3.0.14 returns a different code.
Forwarded: not-needed
Gbp-Pq: Topic build
Gbp-Pq: Name openssl_3014.patch
Debian Javascript Maintainers [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
some tests fail on mips64el and mipsel
Forwarded: not-needed
Support for that architecture improves over time - the node 20.x branch has better support for mips64el
Meanwhile, let those tests fail.
Gbp-Pq: Topic mips
Gbp-Pq: Name flaky_tests.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
test runner output fails on some cwd - fix regexp
Last-Update: 2023-11-30
Forwarded: https://github.com/nodejs/node/pull/50980
Gbp-Pq: Topic build
Gbp-Pq: Name test_runner_escape_path.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
disable test because it depends on postject, which is dfsg-excluded
Last-Update: 2023-11-30
Forwarded: not-needed
HELP is welcome to solve this
Gbp-Pq: Topic build
Gbp-Pq: Name disable_sea_dfsg_postject.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
build using ada upstream tarball component
Last-Update: 2023-11-30
Forwarded: not-needed
Gbp-Pq: Topic build
Gbp-Pq: Name ada.patch
James Addison [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
Harmonize V8 stack sizes on ARM architectures to match almost all other architectures
Last-Update: 2023-02-28
Forwarded: https://github.com/nodejs/node/issues/41163
Gbp-Pq: Topic arm64
Gbp-Pq: Name stacksize.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
Use system paths for builtins
Last-Update: 2023-02-22
Forwarded: not-needed
Gbp-Pq: Topic build
Gbp-Pq: Name test_process_versions.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
fix link to home in html api
Forwarded: not needed, in conflict with the meaning of home page
Last-Update: 06-11-2022
Gbp-Pq: Topic build
Gbp-Pq: Name doc_template_home.html
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
allow vfp2 and allow setting arm_version option
Last-Update: 2022-08-29
Forwarded: https://github.com/nodejs/node/issues/44357
Gbp-Pq: Topic armel
Gbp-Pq: Name configure.patch
Jérémy Lal kapouer@melix.org, Bo YU [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
test does not pass on riscv64
Last-Update: 2022-12-14
Forwarded: not-yet
Gbp-Pq: Topic riscv
Gbp-Pq: Name flaky_tests.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
skip buffer NaN internal representation check
This fails on whatever archs have other internal representations of NaN.
Last-Update: 2022-05-02
Forwarded: https://github.com/nodejs/node/issues/42945
Gbp-Pq: Topic build
Gbp-Pq: Name skip-buffer-nan-internal-check.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
fix double register usage on mipsel
Forwarded: not-yet
Last-Update: 2022-06-15
Gbp-Pq: Topic mips
Gbp-Pq: Name mipsel_even_register_fix.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
mipsel in debian supports 32-bit processors
Forwarded: not-needed
Last-Update: 2021-11-03
Gbp-Pq: Topic mips
Gbp-Pq: Name mipsel_is_32.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
mksnapshot uses too much memory on 32-bit mipsel
Last-Update: 2020-06-03
Forwarded: https://bugs.chromium.org/p/v8/issues/detail?id=10586
Gbp-Pq: Topic mips
Gbp-Pq: Name less_mem.patch
YunQiang Su [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
use configuration directive to set mips fpu mode
Forwarded: https://github.com/paul99/v8m-rb/issues/192
Last-Update: 2015-09-29
Gbp-Pq: Topic mips
Gbp-Pq: Name fpu.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
fix compilation error on mipsel target
Last-Update: 2021-10-28
Forwarded: https://github.com/nodejs/node/issues/40624
Gbp-Pq: Topic mips
Gbp-Pq: Name compilation_error.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
remove google font from template.html, and link to local
Last-Update: 2015-09-09
Forwarded: not-needed
Gbp-Pq: Topic dfsg
Gbp-Pq: Name privacy_breach.patch
Bastien ROUCARIÈS [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
Multiarch search path, arch triplet, DFHS path for modules
Last-Update: 2018-09-30
Last-Update: 2020-03-04
Forwarded: https://github.com/nodejs/node/issues/22745
Reviewed-By: Xavier Guimard <yadd@debian.org>
Gbp-Pq: Topic dfsg
Gbp-Pq: Name multilib_modules.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
a test uses a benchmark that read alice.html, dfsg excluded
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2020-03-04
Gbp-Pq: Topic dfsg
Gbp-Pq: Name benchmark_without_alice.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
use system-installed node-gyp for building test modules
Last-Update: 2015-09-09
Forwarded: not-needed
Gbp-Pq: Topic deps
Gbp-Pq: Name node_gyp.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
do not use dns.ADDRCONFIG for localhost
Last-Update: 2020-06-11
Bug-Debian: https://bugs.debian.org/962318
Forwarded: https://github.com/nodejs/node/issues/33816
it fails on IPv6-only systems. Setting it with libc fails on linux.
https://github.com/nodejs/node/issues/33279
Gbp-Pq: Topic deps
Gbp-Pq: Name localhost-no-addrconfig.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
keep nodejs compatible with libc-ares public headers
Forwarded: not-needed
Last-Update: 2021-10-20
Gbp-Pq: Topic deps
Gbp-Pq: Name cares.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
adapt test-ci build target for buildd
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2020-02-09
* run tests with ./node
* remove addons from test-ci suite, because it creates a dependency loop
nodejs -> node-gyp -> nodejs which is painful to manage.
* disabled because it requires stdin:
+ test-stdout-close-unref
+ test-regress-GH-746
* test-tick-processor fails on ppc64 and s390x, currently investigated
https://github.com/nodejs/node/issues/2471
* test-cluster-disconnect sometimes fails on busy buildd, forwarded upstream
https://github.com/nodejs/node/issues/3383
* test-fs-watch is flaky, might be related to https://github.com/nodejs/node/issues/4082
* huge timeout value for all platforms, buildd could be busy
* test-npm-install and test-release-npm must fail, debian package dfsg-repacked npm out
* ability to override CI_NATIVE_SUITES, CI_JS_SUITES
* disable tests failing because DNS is disabled
* sequential/test-http2-session-timeout is flaky https://github.com/nodejs/node/issues/20628
Gbp-Pq: Topic build
Gbp-Pq: Name test_ci.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
Link to -latomic by default
Last-Update: 2019-10-25
Forwarded: not-needed
Bug: https://github.com/nodejs/node/pull/28532
Bug: https://github.com/nodejs/node/issues/30093
This avoids surprises on mips*el/ppc*el
Gbp-Pq: Topic build
Gbp-Pq: Name flag_atomic.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
build doc using marked and js-yaml
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2021-03-03
While waiting for unified/remarked/rehyped modules to be available in debian
Gbp-Pq: Topic build
Gbp-Pq: Name doc.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
do not build cctest, build broken on debian
Last-Update: 2017-12-18
Forwarded: not yet !
Gbp-Pq: Topic build
Gbp-Pq: Name cctest_disable.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
add acorn, walk to shared builtins
Last-Update: 2022-09-28
Forwarded: https://github.com/nodejs/node/pull/44376
Gbp-Pq: Topic build
Gbp-Pq: Name more_shareable_builtins.patch
Jérémy Lal [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
debian openssl in testing or sid (3.0.11, 3.1.4) does not seem to have that different behavior
Last-Update: 2023-11-03
Gbp-Pq: Topic build
Gbp-Pq: Name openssl_3011_without_new_error_message.patch
Sebastian Andrzej Siewior [Fri, 23 Sep 2022 20:39:50 +0000 (22:39 +0200)]
[PATCH] Add a CipherString for nodejs
If the default security level is overwritten at build time of openssl
then it is needed to lower it again for nodejs in order to pass the
testsuite because it is using small keys.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Gbp-Pq: Topic build
Gbp-Pq: Name openssl_config_explicit_lower.patch
Bastien Roucariès [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
nodejs (18.20.4+dfsg-1~deb12u2) bookworm-security; urgency=medium
* Team upload
* Fix CVE-2025-23085:
A memory leak could occur when a remote peer abruptly closes
the socket without sending a GOAWAY notification. Additionally,
if an invalid header was detected by nghttp2, causing the
connection to be terminated by the peer, the same leak was
triggered. This flaw could lead to increased memory consumption
and potential denial of service under certain conditions
(Closes: #1094134)
* Fix CVE-2025-23166:
The C++ method SignTraits::DeriveBits() may incorrectly call
ThrowException() based on user-supplied inputs when executing
in a background thread, crashing the Node.js process.
Such cryptographic operations are commonly applied to
untrusted inputs. Thus, this mechanism potentially allows
an adversary to remotely crash a Node.js runtime.
(Closes: #1105832)
* Fix CVE-2025-55131:
A flaw in Node.js's buffer allocation logic can expose uninitialized
memory when allocations are interrupted, when using the `vm` module
with the timeout option. Under specific timing conditions, buffers
allocated with `Buffer.alloc` and other `TypedArray` instances like
`Uint8Array` may contain leftover data from previous operations,
allowing in-process secrets like tokens or passwords to leak or
causing data corruption. While exploitation typically requires precise
timing or in-process code execution, it can become remotely
exploitable when untrusted input influences workload and timeouts,
leading to potential confidentiality and integrity impact.
* Fix CVE-2025-59465:
A malformed `HTTP/2 HEADERS` frame with oversized, invalid
`HPACK` data can cause Node.js to crash by triggering an
unhandled `TLSSocket` error `ECONNRESET`. Instead of safely
closing the connection, the process crashes, enabling a remote
denial of service. This primarily affects applications that
do not attach explicit error handlers to secure sockets,
for example:
```js
server.on('secureConnection', socket => {
  socket.on('error', err => { console.log(err) })
})
```
* Fix CVE-2025-59466:
async_hooks would cause stack overflow
exceptions to exit with code 7 (kExceptionInFatalExceptionHandler)
instead of being catchable.
When a stack overflow exception occurs during async_hooks callbacks
(which use TryCatchScope::kFatal), detect the specific "Maximum call
stack size exceeded" RangeError and re-throw it instead of immediately
calling FatalException. This allows user code to catch the exception
with try-catch blocks instead of requiring uncaughtException handlers.
* Fix CVE-2025-23166:
A flaw in Node.js TLS error handling allows remote attackers to crash
or exhaust resources of a TLS server when `pskCallback` or
`ALPNCallback` are in use. Synchronous exceptions thrown during these
callbacks bypass standard TLS error handling paths (tlsClientError and
error), causing either immediate process termination or silent file
descriptor leaks that eventually lead to denial of service. Because
these callbacks process attacker-controlled input during the TLS
handshake, a remote client can repeatedly trigger the issue. This
vulnerability affects TLS servers using PSK or ALPN callbacks across.
* Fix CVE-2026-21710:
A flaw in Node.js HTTP request handling causes an uncaught `TypeError`
when a request is received with a header named `__proto__` and the
application accesses `req.headersDistinct`. When this occurs,
`dest["__proto__"]` resolves to `Object.prototype` rather than
`undefined`, causing `.push()` to be called on a non-array. This
exception is thrown synchronously inside a property getter and cannot
be intercepted by `error` event listeners, meaning it cannot be
handled without wrapping every `req.headersDistinct` access in a
`try/catch`
* Fix CVE-2026-21713:
A flaw in Node.js HMAC verification uses a non-constant-time
comparison when validating user-provided signatures, potentially
leaking timing information proportional to the number of matching
bytes. Under certain threat models where high-resolution timing
measurements are possible, this behavior could be exploited as a
timing oracle to infer HMAC values. Node.js already provides
timing-safe comparison primitives used elsewhere in the codebase,
indicating this is an oversight rather than an intentional design
decision.
* Fix CVE-2026-21714:
A memory leak occurs in Node.js HTTP/2 servers when a client sends
WINDOW_UPDATE frames on stream 0 (connection-level) that cause the
flow control window to exceed the maximum value of 2³¹-1. The server
correctly sends a GOAWAY frame, but the Http2Session object is never
cleaned up.
[dgit import unpatched nodejs 18.20.4+dfsg-1~deb12u2]
Bastien Roucariès [Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)]
Import nodejs_18.20.4+dfsg-1~deb12u2.debian.tar.xz
[dgit import tarball nodejs 18.20.4+dfsg-1~deb12u2 nodejs_18.20.4+dfsg-1~deb12u2.debian.tar.xz]
Raspbian automatic forward porter [Thu, 4 Sep 2025 12:35:36 +0000 (13:35 +0100)]
Merge version 18.19.0+dfsg-6~deb12u2+rpi1 and 18.20.4+dfsg-1~deb12u1 to produce 18.20.4+dfsg-1~deb12u1+rpi1
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
Merge nodejs (18.20.4+dfsg-1~deb12u1) import into refs/heads/workingbranch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
Import nodejs_18.20.4+dfsg.orig.tar.xz
[dgit import orig nodejs_18.20.4+dfsg.orig.tar.xz]
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
Import nodejs_18.20.4+dfsg.orig-ada.tar.xz
[dgit import orig nodejs_18.20.4+dfsg.orig-ada.tar.xz]
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
Import nodejs_18.20.4+dfsg.orig-types-node.tar.xz
[dgit import orig nodejs_18.20.4+dfsg.orig-types-node.tar.xz]
Debian Javascript Maintainers [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
Fix CVE-2024-24806
Bug: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
Bug-Debian: https://bugs.debian.org/1063484
Origin: https://github.com/libuv/libuv
git diff v1.48.0~5..v1.48.0~2
From upstream change log:
Merge pull request from GHSA-f74f-cvh7-c6q6
* fix: always zero-terminate idna output
* fix: reject zero-length idna inputs
* test: empty strings are not valid IDNA
See also https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
===================================================================
Gbp-Pq: Topic libuv
Gbp-Pq: Name fix-cve-2024-24806
Mauricio Faria de Oliveira [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
fix undefined path_max for st_size zero
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1792647
Bug-Debian: https://bugs.debian.org/909011
Reviewed-by: dod
The downstream 'path_max' patch in Debian sets the buffer size
for readlink() to the 'st_size' value obtained with lstat().
However, it might be zero for some symlinks in /proc on Linux
(notably /proc/self) leading to readlink() failing with EINVAL.
$ strace -e lstat stat /proc/self 2>&1 \
| grep -e lstat -e File: -e Size:
lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
File: /proc/self -> 30875
Size: 0 Blocks: 0 IO Block: 1024 symbolic link
This causes readlink (tool) to files like /dev/stdin to fail,
which may link to /proc/self/fd/0 on containers or elsewhere.
Test-case:
ubuntu@cosmic:~/node$
$ strace -E LD_LIBRARY_PATH=/usr/local/lib/ -f -e lstat,readlink \
node test/parallel/test-fs-realpath-pipe.js
With path_max:
[pid 17785] lstat("/dev", {st_mode=S_IFDIR|0755, st_size=480, ...}) = 0
[pid 17786] lstat("/dev/stdin", {st_mode=S_IFLNK|0777, st_size=15, ...}) = 0
[pid 17788] lstat("/dev/stdin", {st_mode=S_IFLNK|0777, st_size=15, ...}) = 0
[pid 17788] readlink("/dev/stdin", "/proc/self/fd/0", 15) = 15
[pid 17785] lstat("/proc", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 17786] lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
[pid 17788] lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
[pid 17788] readlink("/proc/self", 0x7f2a6c000b40, 0) = -1 EINVAL (Invalid argument)
Without path_max:
[pid 18114] lstat("/dev", {st_mode=S_IFDIR|0755, st_size=480, ...}) = 0
[pid 18114] lstat("/dev/stdin", {st_mode=S_IFLNK|0777, st_size=15, ...}) = 0
[pid 18114] readlink("/dev/stdin", "/proc/self/fd/0", 4096) = 15
[pid 18114] lstat("/proc", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 18114] lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
[pid 18114] readlink("/proc/self", "18114", 4096) = 5
[pid 18114] lstat("/proc/18114", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 18114] lstat("/proc/18114/fd", {st_mode=S_IFDIR|0500, st_size=0, ...}) = 0
[pid 18114] lstat("/proc/18114/fd/0", {st_mode=S_IFLNK|0700, st_size=64, ...}) = 0
[pid 18114] readlink("/proc/18114/fd/0", "socket:[199607]", 4096) = 15
With this patch on top of path_max:
[pid 18433] lstat("/dev", {st_mode=S_IFDIR|0755, st_size=480, ...}) = 0
[pid 18433] lstat("/dev/stdin", {st_mode=S_IFLNK|0777, st_size=15, ...}) = 0
[pid 18433] lstat("/dev/stdin", {st_mode=S_IFLNK|0777, st_size=15, ...}) = 0
[pid 18433] readlink("/dev/stdin", "/proc/self/fd/0", 15) = 15
[pid 18433] lstat("/proc", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 18433] lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
[pid 18433] lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
[pid 18433] readlink("/proc/self", "18433", 256) = 5
[pid 18433] lstat("/proc/18433", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 18433] lstat("/proc/18433/fd", {st_mode=S_IFDIR|0500, st_size=0, ...}) = 0
[pid 18433] lstat("/proc/18433/fd/0", {st_mode=S_IFLNK|0700, st_size=64, ...}) = 0
[pid 18433] lstat("/proc/18433/fd/0", {st_mode=S_IFLNK|0700, st_size=64, ...}) = 0
[pid 18433] readlink("/proc/18433/fd/0", "socket:[191351]", 64) = 15
Reviewed-by: dod
Gbp-Pq: Topic libuv
Gbp-Pq: Name path_max_zero_st_size
Bastien Roucariès [Sun, 27 Apr 2025 13:42:15 +0000 (15:42 +0200)]
Get libuv nodejs in sync with libuv/bookworm
forwarded: not-needed
Gbp-Pq: Topic libuv
Gbp-Pq: Name 0000-bookworm-sync.patch
Debian Javascript Maintainers [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
openssl 3.0.14 returns a different code.
Forwarded: not-needed
Gbp-Pq: Topic build
Gbp-Pq: Name openssl_3014.patch
Debian Javascript Maintainers [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
some tests fail on mips64el and mipsel
Forwarded: not-needed
Support for that architecture improves over time - the node 20.x branch has better support for mips64el
Meanwhile, let those tests fail.
Gbp-Pq: Topic mips
Gbp-Pq: Name flaky_tests.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
test runner output fails on some cwd - fix regexp
Last-Update: 2023-11-30
Forwarded: https://github.com/nodejs/node/pull/50980
Gbp-Pq: Topic build
Gbp-Pq: Name test_runner_escape_path.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
disable test because it depends on postject, which is dfsg-excluded
Last-Update: 2023-11-30
Forwarded: not-needed
HELP is welcome to solve this
Gbp-Pq: Topic build
Gbp-Pq: Name disable_sea_dfsg_postject.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
build using ada upstream tarball component
Last-Update: 2023-11-30
Forwarded: not-needed
Gbp-Pq: Topic build
Gbp-Pq: Name ada.patch
James Addison [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
Harmonize V8 stack sizes on ARM architectures to match almost all other architectures
Last-Update: 2023-02-28
Forwarded: https://github.com/nodejs/node/issues/41163
Gbp-Pq: Topic arm64
Gbp-Pq: Name stacksize.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
Use system paths for builtins
Last-Update: 2023-02-22
Forwarded: not-needed
Gbp-Pq: Topic build
Gbp-Pq: Name test_process_versions.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
fix link to home in html api
Forwarded: not needed, in conflict with the meaning of home page
Last-Update: 06-11-2022
Gbp-Pq: Topic build
Gbp-Pq: Name doc_template_home.html
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
allow vfp2 and allow setting arm_version option
Last-Update: 2022-08-29
Forwarded: https://github.com/nodejs/node/issues/44357
Gbp-Pq: Topic armel
Gbp-Pq: Name configure.patch
Jérémy Lal kapouer@melix.org, Bo YU [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
test does not pass on riscv64
Last-Update: 2022-12-14
Forwarded: not-yet
Gbp-Pq: Topic riscv
Gbp-Pq: Name flaky_tests.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
skip buffer NaN internal representation check; this fails on whatever archs have other internal representations of NaN.
Last-Update: 2022-05-02
Forwarded: https://github.com/nodejs/node/issues/42945
Gbp-Pq: Topic build
Gbp-Pq: Name skip-buffer-nan-internal-check.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
fix double register usage on mipsel
Forwarded: not-yet
Last-Update: 2022-06-15
Gbp-Pq: Topic mips
Gbp-Pq: Name mipsel_even_register_fix.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
mipsel in debian supports 32-bit processors
Forwarded: not-needed
Last-Update: 2021-11-03
Gbp-Pq: Topic mips
Gbp-Pq: Name mipsel_is_32.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
mksnapshot uses too much memory on 32-bit mipsel
Last-Update: 2020-06-03
Forwarded: https://bugs.chromium.org/p/v8/issues/detail?id=10586
Gbp-Pq: Topic mips
Gbp-Pq: Name less_mem.patch
YunQiang Su [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
use configuration directive to set mips fpu mode
Forwarded: https://github.com/paul99/v8m-rb/issues/192
Last-Update: 2015-09-29
Gbp-Pq: Topic mips
Gbp-Pq: Name fpu.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
fix compilation error on mipsel target
Last-Update: 2021-10-28
Forwarded: https://github.com/nodejs/node/issues/40624
Gbp-Pq: Topic mips
Gbp-Pq: Name compilation_error.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
remove google font from template.html, and link to local
Last-Update: 2015-09-09
Forwarded: not-needed
Gbp-Pq: Topic dfsg
Gbp-Pq: Name privacy_breach.patch
Bastien ROUCARIÈS [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
Multiarch search path, arch triplet, DFHS path for modules
Last-Update: 2018-09-30
Last-Update: 2020-03-04
Forwarded: https://github.com/nodejs/node/issues/22745
Reviewed-By: Xavier Guimard <yadd@debian.org>
Gbp-Pq: Topic dfsg
Gbp-Pq: Name multilib_modules.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
a test uses a benchmark that read alice.html, dfsg excluded
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2020-03-04
Gbp-Pq: Topic dfsg
Gbp-Pq: Name benchmark_without_alice.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
use system-installed node-gyp for building test modules
Last-Update: 2015-09-09
Forwarded: not-needed
Gbp-Pq: Topic deps
Gbp-Pq: Name node_gyp.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
do not use dns.ADDRCONFIG for localhost
Last-Update: 2020-06-11
Bug-Debian: https://bugs.debian.org/962318
Forwarded: https://github.com/nodejs/node/issues/33816
it fails on IPv6-only systems. Setting it with libc fails on linux.
https://github.com/nodejs/node/issues/33279
Gbp-Pq: Topic deps
Gbp-Pq: Name localhost-no-addrconfig.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
keep nodejs compatible with libc-ares public headers
Forwarded: not-needed
Last-Update: 2021-10-20
Gbp-Pq: Topic deps
Gbp-Pq: Name cares.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
adapt test-ci build target for buildd
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2020-02-09
* run tests with ./node
* remove addons from test-ci suite, because it creates a dependency loop
nodejs -> node-gyp -> nodejs which is painful to manage.
* disabled because it requires stdin:
+ test-stdout-close-unref
+ test-regress-GH-746
* test-tick-processor fails on ppc64 and s390x, currently investigated
https://github.com/nodejs/node/issues/2471
* test-cluster-disconnect sometimes fails on busy buildd, forwarded upstream
https://github.com/nodejs/node/issues/3383
* test-fs-watch is flaky, might be related to https://github.com/nodejs/node/issues/4082
* huge timeout value for all platforms, buildd could be busy
* test-npm-install and test-release-npm must fail, debian package dfsg-repacked npm out
* ability to override CI_NATIVE_SUITES, CI_JS_SUITES
* disable tests failing because DNS is disabled
* sequential/test-http2-session-timeout is flaky https://github.com/nodejs/node/issues/20628
Gbp-Pq: Topic build
Gbp-Pq: Name test_ci.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
Link to -latomic by default
Last-Update: 2019-10-25
Forwarded: not-needed
Bug: https://github.com/nodejs/node/pull/28532
Bug: https://github.com/nodejs/node/issues/30093
This avoids surprises on mips*el/ppc*el
Gbp-Pq: Topic build
Gbp-Pq: Name flag_atomic.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
build doc using marked and js-yaml
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2021-03-03
While waiting for unified/remarked/rehyped modules to be available in debian
Gbp-Pq: Topic build
Gbp-Pq: Name doc.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
do not build cctest, build broken on debian
Last-Update: 2017-12-18
Forwarded: not yet!
Gbp-Pq: Topic build
Gbp-Pq: Name cctest_disable.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
add acorn, walk to shared builtins
Last-Update: 2022-09-28
Forwarded: https://github.com/nodejs/node/pull/44376
Gbp-Pq: Topic build
Gbp-Pq: Name more_shareable_builtins.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
debian openssl in testing or sid (3.0.11, 3.1.4) does not seem to have that different behavior
Last-Update: 2023-11-03
Gbp-Pq: Topic build
Gbp-Pq: Name openssl_3011_without_new_error_message.patch
Sebastian Andrzej Siewior [Fri, 23 Sep 2022 20:39:50 +0000 (22:39 +0200)]
[PATCH] Add a CipherString for nodejs
If the default security level is overwritten at build time of openssl
then it is needed to lower it again for nodejs in order to pass the
testsuite because it is using small keys.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Gbp-Pq: Topic build
Gbp-Pq: Name openssl_config_explicit_lower.patch
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
nodejs (18.20.4+dfsg-1~deb12u1) bookworm-security; urgency=medium
* New upstream version 18.20.4+dfsg. Closes: #1074047.
* M.U.T.: bump ada to 2.7.8, keep node-types to 18.18.14
for compatibility with other packages.
* test-runner-output is flaky on slow platforms
* Disable test-cluster-primary-* flaky/hanging tests.
* Fix test failing with openssl 3.0.14. Closes: #1086652.
* CVE-2024-22020: Bypass network import restriction via data URL (Medium)
* CVE-2024-36138: Bypass incomplete fix of CVE-2024-27980 (High)
* CVE-2024-27983: Assertion failed in node::http2::Http2Session::~Http2Session()
leads to HTTP/2 server crash (High)
* CVE-2024-27982: HTTP Request Smuggling via Content Length Obfuscation (Medium)
* CVE-2024-22025: Denial of Service by resource exhaustion in fetch()
brotli decoding (Medium)
* CVE-2024-21892: Code injection and privilege escalation
through Linux capabilities (High)
* CVE-2024-22019: Reading unprocessed HTTP request with
unbounded chunk extension allows DoS attacks (High)
* CVE-2023-46809: Node.js is vulnerable to the Marvin Attack (Medium)
* Static link on 32-bit architecture libuv. Closes: #922075, #1076350.
Thanks to Bastien Roucariès.
[dgit import unpatched nodejs 18.20.4+dfsg-1~deb12u1]
Jérémy Lal [Tue, 9 Jul 2024 15:36:33 +0000 (17:36 +0200)]
Import nodejs_18.20.4+dfsg-1~deb12u1.debian.tar.xz
[dgit import tarball nodejs 18.20.4+dfsg-1~deb12u1 nodejs_18.20.4+dfsg-1~deb12u1.debian.tar.xz]
Raspbian automatic forward porter [Mon, 1 Jul 2024 11:34:30 +0000 (12:34 +0100)]
Merge version 18.19.0+dfsg-6~deb12u1+rpi1 and 18.19.0+dfsg-6~deb12u2 to produce 18.19.0+dfsg-6~deb12u2+rpi1
Adrian Bunk [Sat, 22 Jun 2024 12:21:29 +0000 (15:21 +0300)]
Merge nodejs (18.19.0+dfsg-6~deb12u2) import into refs/heads/workingbranch
Debian Javascript Maintainers [Sat, 22 Jun 2024 12:21:29 +0000 (15:21 +0300)]
some tests fail on mips64el and mipsel
Forwarded: not-needed
That architecture support improves over time - node 20.x branch has better support for mips64el
Meanwhile, let those tests fail.
Gbp-Pq: Topic mips
Gbp-Pq: Name flaky_tests.patch
Brad House [Wed, 15 Nov 2023 14:33:47 +0000 (09:33 -0500)]
[PATCH] test: fix dns test case failures after c-ares update to 1.21.0+
c-ares has made intentional changes to the behavior of TXT records
to comply with RFC 7208, which concatenates multiple strings for
the same TXT record into a single string. Multiple TXT records
are not concatenated.
Also, response handling has changed, such that a response which is
completely invalid in formatting is thrown away as a malicious
forged/spoofed packet rather than returning EBADRESP. This is one
step toward RFC 9018 (EDNS COOKIES) which will require the message
to at least be structurally valid to validate against spoofed
records.
Fix By: Brad House (@bradh352)
PR-URL: https://github.com/nodejs/node/pull/50743
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Fixes: https://github.com/nodejs/node/issues/50741
Refs: https://github.com/nodejs/node/issues/50444
Gbp-Pq: Topic build
Gbp-Pq: Name test_dns_resolveany_bad_ancount.patch
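The commit message describes two rules a TXT consumer has to get right: the character-strings inside one TXT RR are concatenated (RFC 7208 section 3.3), while separate TXT RRs stay separate, and a response whose framing is structurally invalid is not worth interpreting. The C below is an added example, not code from c-ares, Node.js or the Debian patch. It decodes one RR's RDATA (RFC 1035 section 3.3.14: a run of <length octet><bytes> pieces) into a single string, rejecting a length octet that points past the end of the field; the caller invokes it once per RR, so records never merge. txt_rdata_join and decode_sample are names chosen here, and the SAMPLE_* arrays are constructed RDATA, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode one TXT RDATA field into a single NUL-terminated string by joining
 * its <length octet><up to 255 bytes> pieces. Returns the joined length, or
 * -1 if a length octet runs past the end of the RDATA (truncated or forged
 * record) or if out cannot hold the result. Call once per RR: pieces inside
 * one RR join, separate RRs never do. */
int txt_rdata_join(const uint8_t *rdata, size_t rdlen, char *out, size_t outcap) {
    size_t i = 0, o = 0;
    while (i < rdlen) {
        size_t n = rdata[i++];
        if (n > rdlen - i) return -1;       /* length octet overruns the field */
        if (o + n + 1 > outcap) return -1;  /* would overflow out */
        memcpy(out + o, rdata + i, n);
        o += n;
        i += n;
    }
    out[o] = '\0';
    return (int)o;
}

/* Constructed RDATA samples (not captured traffic). Each is one RR's RDATA.
 * Adjacent string literals keep each hex escape from swallowing the digits
 * that follow it. */
static const uint8_t SAMPLE_SPF[]   = "\x0b" "v=spf1 ip4:" "\x11" "192.0.2.0/24 -all"; /* two pieces, one RR */
static const uint8_t SAMPLE_TOKEN[] = "\x0e" "example-verify";                           /* one piece, a second RR */
static const uint8_t SAMPLE_BAD[]   = "\x05" "ab";                                       /* claims 5 bytes, has 2 */

/* Decode sample `which` (0, 1 or 2) into a static buffer; NULL if malformed. */
const char *decode_sample(int which) {
    static char buf[256];
    const uint8_t *rd;
    size_t len;
    switch (which) {
    case 0: rd = SAMPLE_SPF;   len = sizeof SAMPLE_SPF - 1;   break;
    case 1: rd = SAMPLE_TOKEN; len = sizeof SAMPLE_TOKEN - 1; break;
    case 2: rd = SAMPLE_BAD;   len = sizeof SAMPLE_BAD - 1;   break;
    default: return NULL;
    }
    return txt_rdata_join(rd, len, buf, sizeof buf) < 0 ? NULL : buf;
}
```

Decoding sample 0 yields the full "v=spf1 ip4:192.0.2.0/24 -all" policy even though it was split across two pieces on the wire; sample 1 is a separate RR and is returned on its own; sample 2 is rejected rather than read past the field. An application test written against the older "one string per piece" behaviour is exactly the kind that the test update above had to change.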
Jérémy Lal [Sat, 22 Jun 2024 12:21:29 +0000 (15:21 +0300)]
test runner output fails on some cwd - fix regexp
Last-Update: 2023-11-30
Forwarded: https://github.com/nodejs/node/pull/50980
Gbp-Pq: Topic build
Gbp-Pq: Name test_runner_escape_path.patch
Jérémy Lal [Sat, 22 Jun 2024 12:21:29 +0000 (15:21 +0300)]
disable test because it depends on postject, which is dfsg-excluded
Last-Update: 2023-11-30
Forwarded: not-needed
HELP is welcome to solve this
Gbp-Pq: Topic build
Gbp-Pq: Name disable_sea_dfsg_postject.patch
Jérémy Lal [Sat, 22 Jun 2024 12:21:29 +0000 (15:21 +0300)]
build using ada upstream tarball component
Last-Update: 2023-11-30
Forwarded: not-needed
Gbp-Pq: Topic build
Gbp-Pq: Name ada.patch
James Addison [Sat, 22 Jun 2024 12:21:29 +0000 (15:21 +0300)]
Harmonize V8 stack sizes on ARM architectures to match almost all other architectures
Last-Update: 2023-02-28
Forwarded: https://github.com/nodejs/node/issues/41163
Gbp-Pq: Topic arm64
Gbp-Pq: Name stacksize.patch
Jérémy Lal [Sat, 22 Jun 2024 12:21:29 +0000 (15:21 +0300)]
Use system paths for builtins
Last-Update: 2023-02-22
Forwarded: not-needed
Gbp-Pq: Topic build
Gbp-Pq: Name test_process_versions.patch
Jérémy Lal [Sat, 22 Jun 2024 12:21:29 +0000 (15:21 +0300)]
fix link to home in html api
Forwarded: not needed, in conflict with the meaning of home page
Last-Update: 06-11-2022
Gbp-Pq: Topic build
Gbp-Pq: Name doc_template_home.html
Jérémy Lal [Sat, 22 Jun 2024 12:21:29 +0000 (15:21 +0300)]
allow vfp2 and allow setting arm_version option
Last-Update: 2022-08-29
Forwarded: https://github.com/nodejs/node/issues/44357
Gbp-Pq: Topic armel
Gbp-Pq: Name configure.patch
Jérémy Lal kapouer@melix.org, Bo YU [Sat, 22 Jun 2024 12:21:29 +0000 (15:21 +0300)]
test does not pass on riscv64
Last-Update: 2022-12-14
Forwarded: not-yet
Gbp-Pq: Topic riscv
Gbp-Pq: Name flaky_tests.patch
Jérémy Lal [Sat, 22 Jun 2024 12:21:29 +0000 (15:21 +0300)]
skip buffer NaN internal representation check; this fails on whatever archs have other internal representations of NaN.
Last-Update: 2022-05-02
Forwarded: https://github.com/nodejs/node/issues/42945
Gbp-Pq: Topic build
Gbp-Pq: Name skip-buffer-nan-internal-check.patch
Jérémy Lal [Sat, 22 Jun 2024 12:21:29 +0000 (15:21 +0300)]
fix double register usage on mipsel
Forwarded: not-yet
Last-Update: 2022-06-15
Gbp-Pq: Topic mips
Gbp-Pq: Name mipsel_even_register_fix.patch
Jérémy Lal [Sat, 22 Jun 2024 12:21:29 +0000 (15:21 +0300)]
mipsel in debian supports 32-bit processors
Forwarded: not-needed
Last-Update: 2021-11-03
Gbp-Pq: Topic mips
Gbp-Pq: Name mipsel_is_32.patch