-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 Mar 2026 11:05:11 +0100
Source: nodejs
Binary: libnode-dev libnode115 libnode115-dbgsym nodejs nodejs-dbgsym
Architecture: ppc64el
Version: 20.19.2+dfsg-1+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: ppc64el Build Daemon (ppc64el-osuosl-02)
Changed-By: Jérémy Lal
Description:
 libnode-dev - evented I/O for V8 javascript (development files)
 libnode115 - evented I/O for V8 javascript - runtime library
 nodejs - evented I/O for V8 javascript - runtime executable
Changes:
 nodejs (20.19.2+dfsg-1+deb13u1) trixie-security; urgency=medium
 .
   * Upstream security patches:
     + CVE-2025-23085: follow-up fix wrong check for NGHTTP2_GOAWAY
     + CVE-2026-21637: TLS error handling allows remote attackers to
       crash or exhaust resources of a TLS server when `pskCallback`
       or `ALPNCallback` are in use.
     + CVE-2025-59465: malformed `HTTP/2 HEADERS` frame with oversized
       invalid `HPACK` data can cause a crash.
     + CVE-2025-55132: permission model allows a file's access and
       modification timestamps to be changed via `futimes()` even when
       the process has only read permissions.
     + CVE-2025-55130: permissions model allows attackers to bypass
       `--allow-fs-read` and `--allow-fs-write` restrictions using
       crafted relative symlink paths.
     + CVE-2025-59466: "Maximum call stack size exceeded" errors become
       uncatchable when `async_hooks.createHook()` is enabled.
     + CVE-2025-55131: buffer allocation logic can expose uninitialized
       memory when allocations are interrupted, when using the `vm`
       module with the timeout option.
   * Upstream critical fixes (see sec/NN patches)
     + zlib: fix pointer alignment (10)
     + os: fix GetInterfaceAddresses memory leak (15)
     + src: fix possible dereference of null pointers (17, 29)
     + v8: fix missing callback in heap utils destroy (19)
     + v8: loong64 - avoid memory access under stack pointer (27)
     + http2: do not crash on mismatched ping buffer length (28)
     + v8: riscv64 - Fix sp handling in MacroAssembler::LeaveFrame (44)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----