Format: 1.8
Date: Wed, 20 Dec 2023 18:07:36 +0100
Source: nodejs
Binary: libnode-dev libnode108 nodejs nodejs-doc
Architecture: source amd64 all
Version: 18.19.0+dfsg-6~deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>
Changed-By: Jérémy Lal <kapouer@melix.org>
Description:
 libnode-dev - evented I/O for V8 javascript (development files)
 libnode108 - evented I/O for V8 javascript - runtime library
 nodejs     - evented I/O for V8 javascript - runtime executable
 nodejs-doc - API documentation for Node.js, the javascript platform
Closes: 1031834 1039990 1050739 1054892
Changes:
 nodejs (18.19.0+dfsg-6~deb12u1) bookworm-security; urgency=medium
 .
   * Upstream update.
   * CVE-2023-23918: Permissions policies can be bypassed via
     process.mainModule. Closes: #1031834.
   * CVE-2023-23919: OpenSSL error handling issues in nodejs crypto
     library. Closes: #1031834.
   * CVE-2023-23920: Insecure loading of ICU data through ICU_DATA
     environment variable. Closes: #1031834.
   * CVE-2023-30590: DiffieHellman does not generate keys after setting
     a private key. Closes: #1039990.
   * CVE-2023-30589: HTTP Request Smuggling via Empty headers separated
     by CR. Closes: #1039990.
   * CVE-2023-30588: Process interruption due to invalid Public Key
     information in x509 certificates. Closes: #1039990.
   * CVE-2023-32559: Permissions policies can be bypassed via
     process.binding. Closes: #1050739.
   * CVE-2023-30581: mainModule.__proto__ bypass experimental policy
     mechanism. Closes: #1039990.
   * CVE-2023-32002: Permissions policies can be bypassed via
     Module._load. Closes: #1050739.
   * CVE-2023-32006: Permissions policies can impersonate other modules
     in using module.constructor.createRequire(). Closes: #1050739.
   * CVE-2023-38552: Integrity checks according to policies can be
     circumvented. Closes: #1054892.
   * CVE-2023-39333: Code injection via WebAssembly export names.
     Closes: #1054892.