Format: 1.8
Date: Thu, 05 Mar 2026 11:05:11 +0100
Source: nodejs
Binary: libnode-dev libnode115 libnode115-dbgsym nodejs nodejs-dbgsym
Architecture: riscv64
Version: 20.19.2+dfsg-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: riscv64 Build Daemon (rv-manda-01)
Changed-By: Jérémy Lal
Description:
 libnode-dev - evented I/O for V8 javascript (development files)
 libnode115 - evented I/O for V8 javascript - runtime library
 nodejs     - evented I/O for V8 javascript - runtime executable
Changes:
 nodejs (20.19.2+dfsg-1+deb13u1) trixie-security; urgency=medium
 .
   * Upstream security patches:
     + CVE-2025-23085: follow-up fix wrong check for NGHTTP2_GOAWAY
     + CVE-2026-21637: TLS error handling allows remote attackers to
       crash or exhaust resources of a TLS server when `pskCallback`
       or `ALPNCallback` are in use.
     + CVE-2025-59465: malformed `HTTP/2 HEADERS` frame with oversized
       invalid `HPACK` data can cause a crash.
     + CVE-2025-55132: permission model allows a file's access and
       modification timestamps to be changed via `futimes()` even when
       the process has only read permissions.
     + CVE-2025-55130: permissions model allows attackers to bypass
       `--allow-fs-read` and `--allow-fs-write` restrictions using
       crafted relative symlink paths.
     + CVE-2025-59466: "Maximum call stack size exceeded" errors become
       uncatchable when `async_hooks.createHook()` is enabled.
     + CVE-2025-55131: buffer allocation logic can expose uninitialized
       memory when allocations are interrupted, when using the `vm`
       module with the timeout option.
   * Upstream critical fixes (see sec/NN patches)
     + zlib: fix pointer alignment (10)
     + os: fix GetInterfaceAddresses memory leak (15)
     + src: fix possible dereference of null pointers (17, 29)
     + v8: fix missing callback in heap utils destroy (19)
     + v8: loong64 - avoid memory access under stack pointer (27)
     + http2: do not crash on mismatched ping buffer length (28)
     + v8: riscv64 - Fix sp handling in MacroAssembler::LeaveFrame (44)