-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 24 Mar 2026 22:11:25 +0100
Source: nodejs
Architecture: source
Version: 20.19.2+dfsg-1+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>
Changed-By: Jérémy Lal <kapouer@melix.org>
Changes:
 nodejs (20.19.2+dfsg-1+deb13u2) trixie-security; urgency=medium
 .
   * Upstream security patches:
     + CVE-2026-21713: use timing-safe comparison in Web Cryptography HMAC
     + CVE-2026-21717: fix array index hash collision
     + CVE-2026-21710: http: use null prototype for headersDistinct/trailersDistinct
     + CVE-2026-21716: include permission check on lib/fs/promises
     + CVE-2026-21715: add permission check to realpath.native
     + CVE-2026-21714: handle NGHTTP2_ERR_FLOW_CONTROL error code
     + CVE-2026-21637: tls wrap SNICallback invocation in try/catch
   * copyright: add rapidhash from sec/51 patch
Checksums-Sha1:
42b79ca5ce3cd95f113ca6b9e5e3f2af26f39a71 4410 nodejs_20.19.2+dfsg-1+deb13u2.dsc
b4cfc4f31a57aa141ac6f4acf12fd1f2bce56b76 203392 nodejs_20.19.2+dfsg-1+deb13u2.debian.tar.xz
a0b5cc839ec45059d5e9b71173b33a18d2714580 11320 nodejs_20.19.2+dfsg-1+deb13u2_source.buildinfo
Checksums-Sha256:
a3bff34eff175567f923f5936e03c06c416841d92a0597aed13a58e48ccb5ae7 4410 nodejs_20.19.2+dfsg-1+deb13u2.dsc
a13e879865bd61c698ad6fdeeb4b18bef46c7a6f6ce5921c70a0f97eb05e266c 203392 nodejs_20.19.2+dfsg-1+deb13u2.debian.tar.xz
a1ff2c53433caec2b5730b625f6acdd2c8c5dddd37123fa417b60c9da91778ab 11320 nodejs_20.19.2+dfsg-1+deb13u2_source.buildinfo
Files:
2f6ccb9f92e4f6536fb199b0670bc1e3 4410 javascript optional nodejs_20.19.2+dfsg-1+deb13u2.dsc
1ba8a615a4a881221e9e8d136189d381 203392 javascript optional nodejs_20.19.2+dfsg-1+deb13u2.debian.tar.xz
bedb9359429bfb0438ebc983d8c37d39 11320 javascript optional nodejs_20.19.2+dfsg-1+deb13u2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----