-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 24 May 2026 00:00:42 +0200
Source: nodejs
Architecture: source
Version: 12.22.12~dfsg-1~deb11u8
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>
Changed-By: Bastien Roucariès <rouca@debian.org>
Changes:
 nodejs (12.22.12~dfsg-1~deb11u8) bullseye-security; urgency=high
 .
   * Non maintainer upload by the LTS Team
   * Fix CVE-2025-59465: A malformed `HTTP/2 HEADERS` frame with
     oversized, invalid `HPACK` data can cause Node.js to crash by
     triggering an unhandled `TLSSocket` error `ECONNRESET`.
     Instead of safely closing the connection, the process crashes,
     enabling a remote denial of service. This primarily affects
     applications that do not attach explicit error handlers
     to secure sockets, for example:
     ```
     server.on('secureConnection', socket => {
       socket.on('error', err => {
         console.log(err)
       })
     })
     ```
   * Fix CVE-2026-21637: TLS error handling allows remote attackers
     to crash or exhaust resources of a TLS server when
     `pskCallback` or `ALPNCallback` are in use.
     Synchronous exceptions thrown during these callbacks bypass
     standard TLS error handling paths (tlsClientError and error),
     causing either immediate process termination or silent
     file descriptor leaks that eventually lead to denial of service.
     Because these callbacks process attacker-controlled input
     during the TLS handshake, a remote client can repeatedly
     trigger the issue.
   * Fix CVE-2026-21714: A memory leak occurs in Node.js HTTP/2 servers
     when a client sends WINDOW_UPDATE frames on stream 0
     (connection-level) that cause the flow control window
     to exceed the maximum value of 2³¹-1.
     The server correctly sends a GOAWAY frame,
     but the Http2Session object is never cleaned up.
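Added example, not part of the upload notice or of the Node.js source: a JavaScript model of the RFC 7540 section 6.9 window rules behind the CVE-2026-21714 entry, showing that a connection-level overflow must both answer with GOAWAY and release the session state. The session object, the function names and the sample frame builder are hypothetical.

```javascript
// Added example: models the RFC 7540 section 6.9 rules; not Node.js internals.
const MAX_WINDOW = 2 ** 31 - 1;          // largest legal flow-control window
const WINDOW_UPDATE = 0x8;               // frame type
const PROTOCOL_ERROR = 0x1, FLOW_CONTROL_ERROR = 0x3, FRAME_SIZE_ERROR = 0x6;

// Decode one frame: 9-byte header (length, type, flags, stream id) + 4-byte payload.
function parseWindowUpdate(buf) {
  if (buf.length < 9 || buf.readUInt8(3) !== WINDOW_UPDATE) {
    throw new TypeError('not a WINDOW_UPDATE frame');
  }
  const streamId = buf.readUInt32BE(5) & 0x7fffffff;   // mask the reserved bit
  if (buf.readUIntBE(0, 3) !== 4 || buf.length !== 13) return { streamId, malformed: true };
  return { streamId, increment: buf.readUInt32BE(9) & 0x7fffffff };
}

// Hypothetical session model: connection window plus per-stream windows.
const newSession = () => ({ window: 65535, streams: new Map(), destroyed: false });

// A connection error ends the session: GOAWAY and release of its state.
function connectionError(session, code) {
  session.streams.clear();
  session.destroyed = true;
  return { action: 'GOAWAY', code };
}

function applyWindowUpdate(session, { streamId, increment, malformed }) {
  if (malformed) return connectionError(session, FRAME_SIZE_ERROR);
  const onConnection = streamId === 0;
  // Unknown stream is treated as already closed; the idle-stream check is omitted.
  if (!onConnection && !session.streams.has(streamId)) return { action: 'IGNORE' };
  const fail = (code) => {
    if (onConnection) return connectionError(session, code);
    session.streams.delete(streamId);
    return { action: 'RST_STREAM', streamId, code };
  };
  if (increment === 0) return fail(PROTOCOL_ERROR);
  const current = onConnection ? session.window : session.streams.get(streamId);
  if (current + increment > MAX_WINDOW) return fail(FLOW_CONTROL_ERROR);
  if (onConnection) session.window = current + increment;
  else session.streams.set(streamId, current + increment);
  return { action: 'OK', window: current + increment };
}

// Constructed sample input: a 13-byte WINDOW_UPDATE frame for the checks above.
function sampleFrame(streamId, increment) {
  const b = Buffer.alloc(13);
  b.writeUIntBE(4, 0, 3); b.writeUInt8(WINDOW_UPDATE, 3);
  b.writeUInt32BE(streamId, 5); b.writeUInt32BE(increment, 9);
  return b;
}
```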