Format: 1.8
Date: Thu, 05 Mar 2026 11:05:11 +0100
Source: nodejs
Architecture: source
Version: 20.19.2+dfsg-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian Javascript Maintainers
Changed-By: Jérémy Lal
Changes:
 nodejs (20.19.2+dfsg-1+deb13u1) trixie-security; urgency=medium
 .
   * Upstream security patches:
     + CVE-2025-23085: follow-up fix wrong check for NGHTTP2_GOAWAY
     + CVE-2026-21637: TLS error handling allows remote attackers to crash or
       exhaust resources of a TLS server when `pskCallback` or `ALPNCallback`
       are in use.
     + CVE-2025-59465: malformed `HTTP/2 HEADERS` frame with oversized invalid
       `HPACK` data can cause a crash.
     + CVE-2025-55132: permission model allows a file's access and modification
       timestamps to be changed via `futimes()` even when the process has only
       read permissions.
     + CVE-2025-55130: permissions model allows attackers to bypass
       `--allow-fs-read` and `--allow-fs-write` restrictions using crafted
       relative symlink paths.
     + CVE-2025-59466: "Maximum call stack size exceeded" errors become
       uncatchable when `async_hooks.createHook()` is enabled.
     + CVE-2025-55131: buffer allocation logic can expose uninitialized memory
       when allocations are interrupted, when using the `vm` module with the
       timeout option.
   * Upstream critical fixes (see sec/NN patches)
     + zlib: fix pointer alignment (10)
     + os: fix GetInterfaceAddresses memory leak (15)
     + src: fix possible dereference of null pointers (17, 29)
     + v8: fix missing callback in heap utils destroy (19)
     + v8: loong64 - avoid memory access under stack pointer (27)
     + http2: do not crash on mismatched ping buffer length (28)
     + v8: riscv64 - Fix sp handling in MacroAssembler::LeaveFrame (44)