Format: 1.8
Date: Thu, 05 Mar 2026 11:05:11 +0100
Source: nodejs
Binary: libnode-dev libnode115 libnode115-dbgsym nodejs nodejs-dbgsym
Architecture: arm64
Version: 20.19.2+dfsg-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: arm Build Daemon (arm-ubc-01)
Changed-By: Jérémy Lal
Description:
 libnode-dev - evented I/O for V8 javascript (development files)
 libnode115 - evented I/O for V8 javascript - runtime library
 nodejs - evented I/O for V8 javascript - runtime executable
Changes:
 nodejs (20.19.2+dfsg-1+deb13u1) trixie-security; urgency=medium
 .
   * Upstream security patches:
     + CVE-2025-23085: follow-up fix wrong check for NGHTTP2_GOAWAY
     + CVE-2026-21637: TLS error handling allows remote attackers to
       crash or exhaust resources of a TLS server when `pskCallback`
       or `ALPNCallback` are in use.
     + CVE-2025-59465: malformed `HTTP/2 HEADERS` frame with oversized
       invalid `HPACK` data can cause a crash.
     + CVE-2025-55132: permission model allows a file's access and
       modification timestamps to be changed via `futimes()` even when
       the process has only read permissions.
     + CVE-2025-55130: permissions model allows attackers to bypass
       `--allow-fs-read` and `--allow-fs-write` restrictions using
       crafted relative symlink paths.
     + CVE-2025-59466: "Maximum call stack size exceeded" errors become
       uncatchable when `async_hooks.createHook()` is enabled.
     + CVE-2025-55131: buffer allocation logic can expose uninitialized
       memory when allocations are interrupted, when using the `vm`
       module with the timeout option.
   * Upstream critical fixes (see sec/NN patches)
     + zlib: fix pointer alignment (10)
     + os: fix GetInterfaceAddresses memory leak (15)
     + src: fix possible dereference of null pointers (17, 29)
     + v8: fix missing callback in heap utils destroy (19)
     + v8: loong64 - avoid memory access under stack pointer (27)
     + http2: do not crash on mismatched ping buffer length (28)
     + v8: riscv64 - Fix sp handling in MacroAssembler::LeaveFrame (44)