Format: 1.8
Date: Tue, 09 Jul 2024 17:36:33 +0200
Source: nodejs
Binary: libnode-dev libnode108 nodejs nodejs-doc
Architecture: source amd64 all
Version: 18.20.4+dfsg-1~deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Javascript Maintainers
Changed-By: Jérémy Lal
Description:
 libnode-dev - evented I/O for V8 javascript (development files)
 libnode108 - evented I/O for V8 javascript - runtime library
 nodejs - evented I/O for V8 javascript - runtime executable
 nodejs-doc - API documentation for Node.js, the javascript platform
Closes: 922075 1074047 1076350 1086652
Changes:
 nodejs (18.20.4+dfsg-1~deb12u1) bookworm-security; urgency=medium
 .
   * New upstream version 18.20.4+dfsg. Closes: #1074047.
   * M.U.T.: bump ada to 2.7.8, keep node-types to 18.18.14
     for compatibility with other packages.
   * test-runner-output is flaky on slow platforms
   * Disable test-cluster-primary-* flaky/hanging tests.
   * Fix test failing with openssl 3.0.14. Closes: #1086652.
   * CVE-2024-22020: Bypass network import restriction via data URL (Medium)
   * CVE-2024-36138: Bypass incomplete fix of CVE-2024-27980 (High)
   * CVE-2024-27983: Assertion failed in
     node::http2::Http2Session::~Http2Session() leads to HTTP/2 server
     crash (High)
   * CVE-2024-27982: HTTP Request Smuggling via Content Length
     Obfuscation (Medium)
   * CVE-2024-22025: Denial of Service by resource exhaustion in fetch()
     brotli decoding (Medium)
   * CVE-2024-21892: Code injection and privilege escalation through Linux
     capabilities (High)
   * CVE-2024-22019: Reading unprocessed HTTP request with unbounded chunk
     extension allows DoS attacks (High)
   * CVE-2023-46809: Node.js is vulnerable to the Marvin Attack (Medium)
   * Static link on 32bits architecture libuv. Closes: #922075, #1076350.
     Thanks to Bastien Roucariès.