-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 Mar 2026 11:05:11 +0100
Source: nodejs
Binary: nodejs-doc
Architecture: all
Version: 20.19.2+dfsg-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Jérémy Lal
Description:
 nodejs-doc - API documentation for Node.js, the javascript platform
Changes:
 nodejs (20.19.2+dfsg-1+deb13u1) trixie-security; urgency=medium
 .
   * Upstream security patches:
     + CVE-2025-23085: follow-up fix wrong check for NGHTTP2_GOAWAY
     + CVE-2026-21637: TLS error handling allows remote attackers to crash
       or exhaust resources of a TLS server when `pskCallback` or
       `ALPNCallback` are in use.
     + CVE-2025-59465: malformed `HTTP/2 HEADERS` frame with oversized
       invalid `HPACK` data can cause a crash.
     + CVE-2025-55132: permission model allows a file's access and
       modification timestamps to be changed via `futimes()` even when
       the process has only read permissions.
     + CVE-2025-55130: permissions model allows attackers to bypass
       `--allow-fs-read` and `--allow-fs-write` restrictions using
       crafted relative symlink paths.
     + CVE-2025-59466: "Maximum call stack size exceeded" errors become
       uncatchable when `async_hooks.createHook()` is enabled.
     + CVE-2025-55131: buffer allocation logic can expose uninitialized
       memory when allocations are interrupted, when using the `vm`
       module with the timeout option.
   * Upstream critical fixes (see sec/NN patches)
     + zlib: fix pointer alignment (10)
     + os: fix GetInterfaceAddresses memory leak (15)
     + src: fix possible dereference of null pointers (17, 29)
     + v8: fix missing callback in heap utils destroy (19)
     + v8: loong64 - avoid memory access under stack pointer (27)
     + http2: do not crash on mismatched ping buffer length (28)
     + v8: riscv64 - Fix sp handling in MacroAssembler::LeaveFrame (44)
Checksums-Sha1:
 72e7e221753a116253250d904fb2018c8d8fde5f 6083228 nodejs-doc_20.19.2+dfsg-1+deb13u1_all.deb
 b6cdcc364766f5707054715dc47c42c61f98cebc 9896 nodejs_20.19.2+dfsg-1+deb13u1_all-buildd.buildinfo
Checksums-Sha256:
 1989b33d2423c33e8a5efff6eed205e72c4d2b0f49ece4e601a3c157c7404db2 6083228 nodejs-doc_20.19.2+dfsg-1+deb13u1_all.deb
 ebb0617f83a296e40261058e967ec41d8b90fcf95d31302959d47e345d2ea5ae 9896 nodejs_20.19.2+dfsg-1+deb13u1_all-buildd.buildinfo
Files:
 ef66cfc8d7c7a15d5814d51e54ca7de7 6083228 doc optional nodejs-doc_20.19.2+dfsg-1+deb13u1_all.deb
 4136202dce1af5cbf5c3975006b82dac 9896 javascript optional nodejs_20.19.2+dfsg-1+deb13u1_all-buildd.buildinfo