-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 05 Mar 2026 11:05:11 +0100 Source: nodejs Binary: libnode-dev libnode115 libnode115-dbgsym nodejs nodejs-dbgsym Architecture: s390x Version: 20.19.2+dfsg-1+deb13u1 Distribution: trixie-security Urgency: medium Maintainer: s390x Build Daemon (zandonai) Changed-By: Jérémy Lal Description: libnode-dev - evented I/O for V8 javascript (development files) libnode115 - evented I/O for V8 javascript - runtime library nodejs - evented I/O for V8 javascript - runtime executable Changes: nodejs (20.19.2+dfsg-1+deb13u1) trixie-security; urgency=medium . * Upstream security patches: + CVE-2025-23085: follow-up fix wrong check for NGHTTP2_GOAWAY + CVE-2026-21637: TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. + CVE-2025-59465: malformed `HTTP/2 HEADERS` frame with oversized invalid `HPACK` data can cause a crash. + CVE-2025-55132: permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. + CVE-2025-55130: permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. + CVE-2025-59466: "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. + CVE-2025-55131: buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. * Upstream critical fixes (see sec/NN patches) + zlib: fix pointer alignment (10) + os: fix GetInterfaceAddresses memory leak (15) + src: fix possible dereference of null pointers (17, 29) + v8: fix missing callback in heap utils destroy (19) + v8: loong64 - avoid memory access under stack pointer (27) + http2: do not crash on mismatched ping buffer length (28) + v8: riscv64 - Fix sp handling in MacroAssembler::LeaveFrame (44) Checksums-Sha1: 82f0e3fcb677a0c22608f7de4c90fb45176f144b 536200 libnode-dev_20.19.2+dfsg-1+deb13u1_s390x.deb 72548a86b528cabbb6e2b171fddfdb8b28a3aa06 1076765052 libnode115-dbgsym_20.19.2+dfsg-1+deb13u1_s390x.deb 357b725e6cc185c149bad859eccac6ec07107af5 12148904 libnode115_20.19.2+dfsg-1+deb13u1_s390x.deb 55664d9373d96a729da6188729ef38313a965001 82552 nodejs-dbgsym_20.19.2+dfsg-1+deb13u1_s390x.deb fd156178c8390fe2c9f55bcab8fe57160db9b30a 10768 nodejs_20.19.2+dfsg-1+deb13u1_s390x-buildd.buildinfo fb5823dbfe04488d297b7ca8e9d8ad25e1de1e85 352780 nodejs_20.19.2+dfsg-1+deb13u1_s390x.deb Checksums-Sha256: 190eab3f50130234575c2f5ce4816e9f07e6d6a169285ba57f7abcd9203868d6 536200 libnode-dev_20.19.2+dfsg-1+deb13u1_s390x.deb 9d59463609d83f55440a78408a3b47b4af79e7a4c368cae374e0deae7d5435b0 1076765052 libnode115-dbgsym_20.19.2+dfsg-1+deb13u1_s390x.deb d4281f2607db63ca9d152a790066a0284751269895549f5639da29e4bab4405f 12148904 libnode115_20.19.2+dfsg-1+deb13u1_s390x.deb 6fa11265b14fe37b5982e30d369cc0826494cae180f46422dc3cfb081a53afc0 82552 nodejs-dbgsym_20.19.2+dfsg-1+deb13u1_s390x.deb 6b67170a3c723ce50ebbea34ddec56f646d2fc54f2f67bb7dcf9ff3408ce44f5 10768 nodejs_20.19.2+dfsg-1+deb13u1_s390x-buildd.buildinfo 020d1a2dd9d0c84ebdb3b3e78f1015670979d943fe2b475d75513fc6aba6be02 352780 nodejs_20.19.2+dfsg-1+deb13u1_s390x.deb Files: ef83b455306a0ac0dd2879a0b6550538 536200 libdevel optional libnode-dev_20.19.2+dfsg-1+deb13u1_s390x.deb 2dc47a9b4e01a15a24e2eb9f0ed79883 1076765052 debug optional libnode115-dbgsym_20.19.2+dfsg-1+deb13u1_s390x.deb 3e72bc4d15936b15778f641cba51db30 12148904 libs optional libnode115_20.19.2+dfsg-1+deb13u1_s390x.deb 9485e83f809fd113d2df6ecfdd86c348 82552 debug optional nodejs-dbgsym_20.19.2+dfsg-1+deb13u1_s390x.deb d1c5b2f91628eeec539e25b6e87b6160 10768 javascript optional nodejs_20.19.2+dfsg-1+deb13u1_s390x-buildd.buildinfo ef51345f72f25f28e8c87a453cf72cd1 352780 javascript optional nodejs_20.19.2+dfsg-1+deb13u1_s390x.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEENly2ANlpa4eeqnluvVOPI7pYNpgFAmm0nTwACgkQvVOPI7pY NpiAmRAAkUWwlXTj0krqRMaLBGnXL9gRXwkjP33LmEeKm2Y0mh2iKMl9aqaXTO3u 8izJmorkeP0dRy5Tng6z/ov5N+BnYdhoz9ZTvxFXa0U+sau056Qoa2hQJdLuT0we qzFeOllUivG0H2416RY29UdoRxUxtRCIRQ20ImvrieZubR6fFZx4HBSMQI1Z9jHS nhj7vl5i3gXSkfY1nMts+jxectjhoMoXuEtoHV3lj4nmqvboRYzZJjBtanyhOh22 KeWQAXD+W2m9huwxk2Tm+yVdle9AwvoryM5NyymCe8UY9ZZeJz51U5AcEzrHjp0c fK5oWv72q4wsVN4zGsh/tMWxTxRLrgKG6j8m+TuO+1C35MMBkhnzzd3HPtkRaFs9 lBKRU8M3Zr5xzieQybYqta2qbScCFwx3nxnw4ETK04bh7EfxDOfAxrDvSJY1DeJV 9T/vPTgADpGZ6WJgfTdid3pSpet0GRtMzXQTk8ZPJvRCdfN6BTqCgfoMyOB4lpQY oCNM8o44cOG56gTaLx+QYuBY/xLRgYMes3tQUWnSsnVKTZ7H/9v52sCnlz/6GHYA 2DNZfwmcFIQs7pIIerVBeLyMCUD2lt+zjqUr4+ud+WUwZte/L970+36+iM/LLeZm Ki2MHeGIbn9WHMGkouyFr6LDaL1lb2VNxVgcwhWgWU1Pa1kqXP4= =qclR -----END PGP SIGNATURE-----