Debian Package Tracker

nodejs

evented I/O for V8 javascript - runtime executable


general
  • source: nodejs (main)
  • version: 16.14.2+dfsg1-1
  • maintainer: Debian Javascript Maintainers (archive) (DMD)
  • uploaders: Jérémy Lal [DMD] – Jonas Smedegaard [DMD]
  • arch: all amd64 arm64 armhf i386 kfreebsd-amd64 kfreebsd-i386 mips mips64el mipsel powerpc ppc64 ppc64el s390x
  • std-ver: 4.6.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 4.8.2~dfsg-1
  • o-o-bpo: 8.11.1~dfsg-2~bpo9+1
  • oldstable: 10.24.0~dfsg-1~deb10u1
  • old-sec: 10.24.0~dfsg-1~deb10u1
  • stable: 12.22.5~dfsg-2~11u1
  • stable-sec: 12.22.5~dfsg-2~11u1
  • testing: 16.14.2+dfsg1-1
  • unstable: 16.14.2+dfsg1-1
versioned links
  • 4.8.2~dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 8.11.1~dfsg-2~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 10.24.0~dfsg-1~deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 12.22.5~dfsg-2~11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 16.14.2+dfsg1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libnode-dev (1 bugs: 0, 1, 0, 0)
  • libnode93
  • nodejs (17 bugs: 1, 14, 2, 0)
  • nodejs-doc
action needed
Problems while searching for a new upstream version (severity: high)
uscan had problems while searching for a new upstream version:
unknown ctype nodejs
Created: 2021-02-12 Last update: 2022-05-20 19:38
A new upstream version is available: 16.15.0 (severity: high)
A new upstream version 16.15.0 is available, you should consider packaging it.
Created: 2022-05-02 Last update: 2022-05-20 19:38
8 security issues in buster (severity: high)

There are 8 open security issues in buster.

8 important issues:
  • CVE-2021-22930: Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use-after-free attack where an attacker might be able to exploit the memory corruption to change process behavior.
  • CVE-2021-22939: If the Node.js https API was used incorrectly and "undefined" was passed in for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
  • CVE-2021-22959: The parser in llhttp accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.
  • CVE-2021-22960: The parse function in llhttp < 2.1.4 and < 6.0.6 ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
  • CVE-2021-44531: Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly. Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.
  • CVE-2021-44532: Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints. Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.
  • CVE-2021-44533: Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification. Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.
  • CVE-2022-21824: Due to the formatting logic of the "console.table()" function it was not safe to allow user-controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype. Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null prototype for the object these properties are being assigned to.
Created: 2021-07-29 Last update: 2022-05-13 04:35
6 security issues in bullseye (severity: high)

There are 6 open security issues in bullseye.

6 important issues:
  • CVE-2021-22959: The parser in llhttp accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.
  • CVE-2021-22960: The parse function in llhttp < 2.1.4 and < 6.0.6 ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
  • CVE-2021-44531: Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly. Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.
  • CVE-2021-44532: Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints. Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.
  • CVE-2021-44533: Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification. Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.
  • CVE-2022-21824: Due to the formatting logic of the "console.table()" function it was not safe to allow user-controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype. Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null prototype for the object these properties are being assigned to.
Created: 2021-10-12 Last update: 2022-05-13 04:35
lintian reports 2 errors and 70 warnings (severity: high)
Lintian reports 2 errors and 70 warnings about this package. You should make the package lintian clean by getting rid of them.
Created: 2021-09-06 Last update: 2022-01-01 04:34
2 bugs tagged patch in the BTS (severity: normal)
The BTS contains patches fixing 2 bugs, consider including or untagging them.
Created: 2021-08-14 Last update: 2022-05-20 21:02
Fails to build during reproducibility testing (severity: normal)
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2022-04-04 Last update: 2022-05-20 20:30
version in VCS is newer than in repository, is it time to upload? (severity: normal)
vcswatch reports that this package seems to have a new changelog entry (version 16.15.0+dfsg-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:
commit d60975ae2a5150cd6f0ce908b3203ef280a433ad
Author: Jérémy Lal <kapouer@melix.org>
Date:   Mon May 16 11:26:59 2022 +0200

    Update changelog

commit 10aaff2564760490d5c5d7650819577aa68bbc94
Author: Jérémy Lal <kapouer@melix.org>
Date:   Mon May 16 11:24:47 2022 +0200

    Remove drop-undici.patch, replaced by build config

commit fdb75f54af001dc61dab1b8943955f2a77bd346f
Author: Jérémy Lal <kapouer@melix.org>
Date:   Mon May 16 11:23:56 2022 +0200

    undici: bundle it if available - as with acorn

commit 4b700e913ec58fa8c5a894d8743e6a0f23c8f02f
Author: Jérémy Lal <kapouer@melix.org>
Date:   Fri May 13 22:17:03 2022 +0200

    Update changelog

commit c8577ce20ee42a5c41537591112e733853aaf25f
Author: Jérémy Lal <kapouer@melix.org>
Date:   Fri May 13 22:12:59 2022 +0200

    bash-completion from node --completion-bash
    
    Thanks to Kevin Locke <kevin@kevinlocke.name>
    Closes: 977792

commit d1ff1b506f57117e9fb9bb32789cf5e26e87e9fc
Author: Jérémy Lal <kapouer@melix.org>
Date:   Thu May 12 19:49:45 2022 +0200

    Patch: drop-undici makes test-fetch fail

commit 5ef6e5f613204d1f00b5de62c7b5ad1eb908c574
Author: Jérémy Lal <kapouer@melix.org>
Date:   Thu May 12 17:48:20 2022 +0200

    Update changelog

commit 54c0799d24762f5a966d25603a608e4546d0cc80
Author: Jérémy Lal <kapouer@melix.org>
Date:   Thu May 12 15:47:00 2022 +0200

    Patch build/skip-crypto-engine-check no longer needed

commit dc4aa5c1580f8aac737de54dcaf85c07785e7189
Author: Jérémy Lal <kapouer@melix.org>
Date:   Thu May 12 15:46:52 2022 +0200

    Apply drop-undici.patch

commit 92fe9d5ef2306bde47ec580d98e6559d3a3366ab
Author: Jérémy Lal <kapouer@melix.org>
Date:   Thu May 12 15:46:26 2022 +0200

    Add patch to drop undici

commit 050248adb3110c828d21e6c3995dbed2de197d17
Author: Jérémy Lal <kapouer@melix.org>
Date:   Thu May 12 15:46:16 2022 +0200

    Refresh patches

commit 42fa045aea5aa10f4331c542afc3cd35884bf327
Merge: b5f00fe04 466c99fb6
Author: Jérémy Lal <kapouer@melix.org>
Date:   Thu May 12 15:33:53 2022 +0200

    Update upstream source from tag 'upstream/16.15.0+dfsg'
    
    Update to upstream version '16.15.0+dfsg'
    with Debian dir 698919ebd60b6275d1181815d9ccca013c1f13ca

commit 466c99fb6655e8c214cfa91870b33c1452196394
Author: Jérémy Lal <kapouer@melix.org>
Date:   Thu May 12 15:32:24 2022 +0200

    New upstream version 16.15.0+dfsg

commit b5f00fe04aa939b22c54d81e8c1c37c4c9170043
Author: Jérémy Lal <kapouer@melix.org>
Date:   Thu May 12 15:28:30 2022 +0200

    Drop 1 from repack suffix

commit f1cb759ea0432510614a93c21fc8da85ce860af6
Author: Jérémy Lal <kapouer@melix.org>
Date:   Thu May 12 15:27:58 2022 +0200

    Syntax

commit 988c40d343064abbb92f6bc6d32c29865b4ad14d
Author: Jérémy Lal <kapouer@melix.org>
Date:   Thu May 12 15:27:44 2022 +0200

    dfsg-exclude undici (missing source files)
Created: 2022-05-16 Last update: 2022-05-16 17:36
Build log checks report 2 warnings (severity: low)
Build log checks report 2 warnings
Created: 2022-05-16 Last update: 2022-05-16 14:02
Standards version of the package is outdated. (severity: wishlist)
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.6.1 instead of 4.6.0).
Created: 2022-05-11 Last update: 2022-05-11 23:25
testing migrations
  • This package is part of the ongoing testing transition known as auto-openssl. Please avoid uploads unrelated to this transition; they would likely delay it and require supplementary work from the release managers. On the other hand, if your package has problems preventing it from migrating to testing, please fix them as soon as possible. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
news
  • [2022-05-13] nodejs 16.14.2+dfsg1-1 MIGRATED to testing (Debian testing watch)
  • [2022-05-11] Accepted nodejs 16.14.2+dfsg1-1 (source) into unstable (Jérémy Lal)
  • [2022-05-03] Accepted nodejs 16.14.2+dfsg-5 (source) into unstable (Jérémy Lal)
  • [2022-05-02] Accepted nodejs 16.14.2+dfsg-4 (source) into unstable (Jérémy Lal)
  • [2022-04-02] nodejs 16.13.2+really14.19.1~dfsg-6 MIGRATED to testing (Debian testing watch)
  • [2022-03-29] Accepted nodejs 16.14.2+dfsg-3 (source) into experimental (Jérémy Lal)
  • [2022-03-29] Accepted nodejs 16.14.2+dfsg-2 (source) into experimental (Jérémy Lal)
  • [2022-03-26] Accepted nodejs 16.13.2+really14.19.1~dfsg-6 (source) into unstable (Jérémy Lal)
  • [2022-03-25] Accepted nodejs 16.14.2+dfsg-1 (source ppc64el all) into experimental, experimental (Debian FTP Masters) (signed by: Jérémy Lal)
  • [2022-03-22] Accepted nodejs 16.13.2+really14.19.1~dfsg-5 (source) into unstable (Jérémy Lal)
  • [2022-03-22] Accepted nodejs 16.13.2+really14.19.1~dfsg-4 (source) into unstable (Jérémy Lal)
  • [2022-03-22] Accepted nodejs 16.13.2+really14.19.1~dfsg-3 (source) into unstable (Jérémy Lal)
  • [2022-03-21] Accepted nodejs 16.13.2+really14.19.1~dfsg-2 (source) into unstable (Jérémy Lal)
  • [2022-03-21] Accepted nodejs 16.13.2+really14.19.1~dfsg-1 (source) into experimental (Jérémy Lal)
  • [2022-03-17] nodejs 12.22.10~dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2022-03-14] Accepted nodejs 12.22.10~dfsg-2 (source) into unstable (Jérémy Lal)
  • [2022-03-14] Accepted nodejs 12.22.10~dfsg-1 (source) into unstable (Jérémy Lal)
  • [2022-03-01] Accepted nodejs 16.13.2+really14.19.0~dfsg-2 (source) into experimental (Jérémy Lal)
  • [2022-02-22] Accepted nodejs 16.13.2+really14.19.0~dfsg-1 (source ppc64el all) into experimental, experimental (Debian FTP Masters) (signed by: Jérémy Lal)
  • [2022-01-31] Accepted nodejs 16.13.2~dfsg-2 (source) into experimental (Jérémy Lal)
  • [2022-01-31] Accepted nodejs 16.13.2~dfsg-1 (source) into experimental (Jérémy Lal)
  • [2022-01-30] nodejs 12.22.9~dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2022-01-27] Accepted nodejs 12.22.9~dfsg-1 (source) into unstable (Jérémy Lal)
  • [2021-11-24] Accepted nodejs 16.13.0~dfsg-5 (source) into experimental (Jérémy Lal)
  • [2021-11-24] Accepted nodejs 16.13.0~dfsg-4 (source) into experimental (Jérémy Lal)
  • [2021-11-24] Accepted nodejs 16.13.0~dfsg-3 (source) into experimental (Jérémy Lal)
  • [2021-11-05] Accepted nodejs 16.13.0~dfsg-2 (source) into experimental (Jérémy Lal)
  • [2021-10-28] Accepted nodejs 16.13.0~dfsg-1 (source) into experimental (Jérémy Lal)
  • [2021-10-26] Accepted nodejs 16.11.1~dfsg-1 (source ppc64el all) into experimental, experimental (Debian FTP Masters) (signed by: Jérémy Lal)
  • [2021-10-21] nodejs 12.22.7~dfsg-2 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 23 24
  • RC: 1
  • I&N: 19 20
  • M&W: 2
  • F&P: 1
  • patch: 2
links
  • homepage
  • lintian (2, 70)
  • buildd: logs, checks, clang, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • screenshots
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 12.22.9~dfsg-1ubuntu3
  • 33 bugs
  • patches for 12.22.9~dfsg-1ubuntu3

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers