-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 28 Mar 2026 23:52:25 +0100
Source: nodejs
Architecture: source
Version: 24.14.1+dfsg+~cs24.12.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>
Changed-By: Jérémy Lal <kapouer@melix.org>
Changes:
nodejs (24.14.1+dfsg+~cs24.12.0-1) experimental; urgency=medium
.
* New upstream version 24.14.1+dfsg+~cs24.12.0
* Security fixes:
+ CVE-2026-21637: wrap SNICallback invocation in
try/catch (Matteo Collina) - High
+ CVE-2026-21710: use null prototype for
headersDistinct/trailersDistinct (Matteo Collina) - High
+ CVE-2026-21712: handle url crash on different url formats
(RafaelGSS) - Medium
+ CVE-2026-21713: use timing-safe comparison
in Web Cryptography HMAC (Filip Skokan) - Medium
+ CVE-2026-21714: handle NGHTTP2_ERR_FLOW_CONTROL
error code (RafaelGSS) - Medium
+ CVE-2026-21717: test array index hash collision (Joyee Cheung) - Medium
+ CVE-2026-21715: add permission check to realpath.native (RafaelGSS) - Low
+ CVE-2026-21716: include permission check on lib/fs/promises (RafaelGSS) - Low
* copyright: add rapidhash
* patch: upstream fix for test-buffer-concat.js
Checksums-Sha1:
be6870ed40c2cf7b0ded62806896da606ca97ecc 4483 nodejs_24.14.1+dfsg+~cs24.12.0-1.dsc
b3c5be0138449f52aef0560c15e9352f7e375b65 339640 nodejs_24.14.1+dfsg+~cs24.12.0.orig-types-node.tar.xz
b113f0fc5a6aa6951549c39a555e5a0b2b8ae296 24437436 nodejs_24.14.1+dfsg+~cs24.12.0.orig.tar.xz
83950cde651a743c665e349bf15174e832c0bb83 164644 nodejs_24.14.1+dfsg+~cs24.12.0-1.debian.tar.xz
b994cb5c49af933eaed09624e5dc80f68c9bcabd 11713 nodejs_24.14.1+dfsg+~cs24.12.0-1_source.buildinfo
Checksums-Sha256:
0c0411cea9d51f4b00296123ecf3d7597677e8f65766c35b576c026a6df9d3e4 4483 nodejs_24.14.1+dfsg+~cs24.12.0-1.dsc
e58dbf60e518c8279c1e36ad1e526031cd42e014bc6de7427b5c9c55333c67d2 339640 nodejs_24.14.1+dfsg+~cs24.12.0.orig-types-node.tar.xz
5a4c0d52d08b8dfd1a2c45ab252b1dfb111f06a62fa5b9984709c9111e338ec4 24437436 nodejs_24.14.1+dfsg+~cs24.12.0.orig.tar.xz
3ecfd1d73e098d26bf4c02fcfea7c6eea699e2bb1735acee83404d1dcd8de76b 164644 nodejs_24.14.1+dfsg+~cs24.12.0-1.debian.tar.xz
5bd51ca4da627006db382a9af29d1ea403cb49aa7639d3d17d71c1a1d09cc5d9 11713 nodejs_24.14.1+dfsg+~cs24.12.0-1_source.buildinfo
Files:
8cc7f9f7daa2658f869f80dd48a13465 4483 javascript optional nodejs_24.14.1+dfsg+~cs24.12.0-1.dsc
d4181afbb52872769d36c1748f6645e7 339640 javascript optional nodejs_24.14.1+dfsg+~cs24.12.0.orig-types-node.tar.xz
bb7773afb6c3f33f6353b21c89692675 24437436 javascript optional nodejs_24.14.1+dfsg+~cs24.12.0.orig.tar.xz
30f02aebfe9041a8747de67d012a63fb 164644 javascript optional nodejs_24.14.1+dfsg+~cs24.12.0-1.debian.tar.xz
9f15a4deeaa5bb02b15d17788a620822 11713 javascript optional nodejs_24.14.1+dfsg+~cs24.12.0-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJGBAEBCAAwFiEEA8Tnq7iA9SQwbkgVZhHAXt0583QFAmnIW9cSHGthcG91ZXJA
bWVsaXgub3JnAAoJEGYRwF7dOfN0MucQALajFoD7+2VqHEhCQOMGEh/0OfMxhC+d
aHUOuoOmZ+Jw3DZCMDrVodSiD40PoPEmDRZEqWJUOQ7T9Zd/Ea2sigzc/WsFp0ZL
bb089LuDCCWIr4C7Sd9jxRU4oFpW6e2YOHRS3qGIlaybW4/JaKTmhUm3GjDb5ykV
6N8j60bDlcJttc6bGoZSaA5Y+T7mkiib2AtZ3s1UQMCYlLKBAxu90ra4Ti6dc+3F
GKy7ZoPUW9BtmJiy2WdJ5pSni+FtsDd14WqshDva8Jo3mlhHe3VDpZSVtTTlIBri
TI1Sxd+854hHCN8B8rG7zC6iN+m3y1jVqLXE4dfhLEIfssREzqa8Gg6K5t8QtEu/
YtpBJlPqU7DJtLA/d42pVWLcBp9f+MZeFOTOv0b+fg5yCUsklVvNVvIbtPCzS4a9
IJWIDYfjPH10rNdVgqNUoF1/FDzGnIqD122GMh8r5mDbm2wYOA6/I9EJpB6GYNZU
E3C0yhLTHnj+uvmvmS67R0h0RScCFMzATMVuYiTp/GXdg8Z0xr9cMNj927D4SgG1
suVcQjII2SNpcPixWxeB04pGHRpUKYkCzeqa8C4IjuIREZPozUVswq5O1BXTQ7wx
jfEycNUkgKyaacRYi6HWG0VRnIWtsNtgZvV8ISeQtN7pm0rvSIqZV5By9xFa4h0E
6OaKcfVopSm0
=kg8i
-----END PGP SIGNATURE-----
