Format: 1.8
Date: Thu, 05 Mar 2026 11:05:11 +0100
Source: nodejs
Binary: libnode-dev libnode115 libnode115-dbgsym nodejs nodejs-dbgsym
Architecture: amd64
Version: 20.19.2+dfsg-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02)
Changed-By: Jérémy Lal
Description:
 libnode-dev - evented I/O for V8 javascript (development files)
 libnode115 - evented I/O for V8 javascript - runtime library
 nodejs - evented I/O for V8 javascript - runtime executable
Changes:
 nodejs (20.19.2+dfsg-1+deb13u1) trixie-security; urgency=medium
 .
   * Upstream security patches:
     + CVE-2025-23085: follow-up fix wrong check for NGHTTP2_GOAWAY
     + CVE-2026-21637: TLS error handling allows remote attackers to
       crash or exhaust resources of a TLS server when `pskCallback`
       or `ALPNCallback` are in use.
     + CVE-2025-59465: malformed `HTTP/2 HEADERS` frame with oversized
       invalid `HPACK` data can cause a crash.
     + CVE-2025-55132: permission model allows a file's access and
       modification timestamps to be changed via `futimes()` even when
       the process has only read permissions.
     + CVE-2025-55130: permissions model allows attackers to bypass
       `--allow-fs-read` and `--allow-fs-write` restrictions using
       crafted relative symlink paths.
     + CVE-2025-59466: "Maximum call stack size exceeded" errors become
       uncatchable when `async_hooks.createHook()` is enabled.
     + CVE-2025-55131: buffer allocation logic can expose uninitialized
       memory when allocations are interrupted, when using the `vm`
       module with the timeout option.
   * Upstream critical fixes (see sec/NN patches)
     + zlib: fix pointer alignment (10)
     + os: fix GetInterfaceAddresses memory leak (15)
     + src: fix possible dereference of null pointers (17, 29)
     + v8: fix missing callback in heap utils destroy (19)
     + v8: loong64 - avoid memory access under stack pointer (27)
     + http2: do not crash on mismatched ping buffer length (28)
     + v8: riscv64 - Fix sp handling in MacroAssembler::LeaveFrame (44)