Format: 1.8
Date: Thu, 05 Mar 2026 11:05:11 +0100
Source: nodejs
Binary: libnode-dev libnode115 libnode115-dbgsym nodejs nodejs-dbgsym
Architecture: armel
Version: 20.19.2+dfsg-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: arm Build Daemon (arm-conova-03)
Changed-By: Jérémy Lal
Description:
 libnode-dev - evented I/O for V8 javascript (development files)
 libnode115 - evented I/O for V8 javascript - runtime library
 nodejs - evented I/O for V8 javascript - runtime executable
Changes:
 nodejs (20.19.2+dfsg-1+deb13u1) trixie-security; urgency=medium
 .
   * Upstream security patches:
     + CVE-2025-23085: follow-up fix wrong check for NGHTTP2_GOAWAY
     + CVE-2026-21637: TLS error handling allows remote attackers to
       crash or exhaust resources of a TLS server when `pskCallback`
       or `ALPNCallback` are in use.
     + CVE-2025-59465: malformed `HTTP/2 HEADERS` frame with oversized
       invalid `HPACK` data can cause a crash.
     + CVE-2025-55132: permission model allows a file's access and
       modification timestamps to be changed via `futimes()` even when
       the process has only read permissions.
     + CVE-2025-55130: permissions model allows attackers to bypass
       `--allow-fs-read` and `--allow-fs-write` restrictions using
       crafted relative symlink paths.
     + CVE-2025-59466: "Maximum call stack size exceeded" errors become
       uncatchable when `async_hooks.createHook()` is enabled.
     + CVE-2025-55131: buffer allocation logic can expose uninitialized
       memory when allocations are interrupted, when using the `vm`
       module with the timeout option.
   * Upstream critical fixes (see sec/NN patches)
     + zlib: fix pointer alignment (10)
     + os: fix GetInterfaceAddresses memory leak (15)
     + src: fix possible dereference of null pointers (17, 29)
     + v8: fix missing callback in heap utils destroy (19)
     + v8: loong64 - avoid memory access under stack pointer (27)
     + http2: do not crash on mismatched ping buffer length (28)
     + v8: riscv64 - Fix sp handling in MacroAssembler::LeaveFrame (44)