-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 05 Mar 2026 11:05:11 +0100
Source: nodejs
Architecture: source
Version: 20.19.2+dfsg-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>
Changed-By: Jérémy Lal <kapouer@melix.org>
Changes:
 nodejs (20.19.2+dfsg-1+deb13u1) trixie-security; urgency=medium
 .
   * Upstream security patches:
     + CVE-2025-23085: follow-up fix wrong check for NGHTTP2_GOAWAY
     + CVE-2026-21637: TLS error handling allows remote attackers to
       crash or exhaust resources of a TLS server when `pskCallback`
       or `ALPNCallback` are in use.
     + CVE-2025-59465: malformed `HTTP/2 HEADERS` frame with oversized
       invalid `HPACK` data can cause a crash.
     + CVE-2025-55132: permission model allows a file's access and
       modification timestamps to be changed via `futimes()` even when
       the process has only read permissions.
     + CVE-2025-55130: permissions model allows attackers to bypass
       `--allow-fs-read` and `--allow-fs-write` restrictions using
       crafted relative symlink paths.
     + CVE-2025-59466: "Maximum call stack size exceeded" errors become
       uncatchable when `async_hooks.createHook()` is enabled.
     + CVE-2025-55131: buffer allocation logic can expose uninitialized
       memory when allocations are interrupted, when using the `vm` module
       with the timeout option.
   * Upstream critical fixes (see sec/NN patches)
     + zlib: fix pointer alignment (10)
     + os: fix GetInterfaceAddresses memory leak (15)
     + src: fix possible dereference of null pointers (17, 29)
     + v8: fix missing callback in heap utils destroy (19)
     + v8: loong64 - avoid memory access under stack pointer (27)
     + http2: do not crash on mismatched ping buffer length (28)
     + v8: riscv64 - Fix sp handling in MacroAssembler::LeaveFrame (44)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----