Format: 1.8
Date: Thu, 05 Mar 2026 11:05:11 +0100
Source: nodejs
Binary: libnode-dev libnode115 libnode115-dbgsym nodejs nodejs-dbgsym
Architecture: armhf
Version: 20.19.2+dfsg-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: arm Build Daemon (arm-conova-01)
Changed-By: Jérémy Lal
Description:
 libnode-dev - evented I/O for V8 javascript (development files)
 libnode115 - evented I/O for V8 javascript - runtime library
 nodejs     - evented I/O for V8 javascript - runtime executable
Changes:
 nodejs (20.19.2+dfsg-1+deb13u1) trixie-security; urgency=medium
 .
   * Upstream security patches:
     + CVE-2025-23085: follow-up fix wrong check for NGHTTP2_GOAWAY
     + CVE-2026-21637: TLS error handling allows remote attackers to
       crash or exhaust resources of a TLS server when `pskCallback`
       or `ALPNCallback` are in use.
     + CVE-2025-59465: malformed `HTTP/2 HEADERS` frame with oversized
       invalid `HPACK` data can cause a crash.
     + CVE-2025-55132: permission model allows a file's access and
       modification timestamps to be changed via `futimes()` even when
       the process has only read permissions.
     + CVE-2025-55130: permissions model allows attackers to bypass
       `--allow-fs-read` and `--allow-fs-write` restrictions using
       crafted relative symlink paths.
     + CVE-2025-59466: "Maximum call stack size exceeded" errors become
       uncatchable when `async_hooks.createHook()` is enabled.
     + CVE-2025-55131: buffer allocation logic can expose uninitialized
       memory when allocations are interrupted, when using the `vm`
       module with the timeout option.
   * Upstream critical fixes (see sec/NN patches)
     + zlib: fix pointer alignment (10)
     + os: fix GetInterfaceAddresses memory leak (15)
     + src: fix possible dereference of null pointers (17, 29)
     + v8: fix missing callback in heap utils destroy (19)
     + v8: loong64 - avoid memory access under stack pointer (27)
     + http2: do not crash on mismatched ping buffer length (28)
     + v8: riscv64 - Fix sp handling in MacroAssembler::LeaveFrame (44)