Format: 1.8
Date: Thu, 05 Mar 2026 11:05:11 +0100
Source: nodejs
Binary: libnode-dev libnode115 libnode115-dbgsym nodejs nodejs-dbgsym
Architecture: i386
Version: 20.19.2+dfsg-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-02)
Changed-By: Jérémy Lal
Description:
 libnode-dev - evented I/O for V8 javascript (development files)
 libnode115 - evented I/O for V8 javascript - runtime library
 nodejs - evented I/O for V8 javascript - runtime executable
Changes:
 nodejs (20.19.2+dfsg-1+deb13u1) trixie-security; urgency=medium
 .
   * Upstream security patches:
     + CVE-2025-23085: follow-up fix wrong check for NGHTTP2_GOAWAY
     + CVE-2026-21637: TLS error handling allows remote attackers to
       crash or exhaust resources of a TLS server when `pskCallback`
       or `ALPNCallback` are in use.
     + CVE-2025-59465: malformed `HTTP/2 HEADERS` frame with oversized
       invalid `HPACK` data can cause a crash.
     + CVE-2025-55132: permission model allows a file's access and
       modification timestamps to be changed via `futimes()` even when
       the process has only read permissions.
     + CVE-2025-55130: permissions model allows attackers to bypass
       `--allow-fs-read` and `--allow-fs-write` restrictions using
       crafted relative symlink paths.
     + CVE-2025-59466: "Maximum call stack size exceeded" errors become
       uncatchable when `async_hooks.createHook()` is enabled.
     + CVE-2025-55131: buffer allocation logic can expose uninitialized
       memory when allocations are interrupted, when using the `vm`
       module with the timeout option.
   * Upstream critical fixes (see sec/NN patches)
     + zlib: fix pointer alignment (10)
     + os: fix GetInterfaceAddresses memory leak (15)
     + src: fix possible dereference of null pointers (17, 29)
     + v8: fix missing callback in heap utils destroy (19)
     + v8: loong64 - avoid memory access under stack pointer (27)
     + http2: do not crash on mismatched ping buffer length (28)
     + v8: riscv64 - Fix sp handling in MacroAssembler::LeaveFrame (44)