Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
ed98f828 by Moritz Mühlenhoff at 2026-05-14T22:59:50+02:00
nodejs DSA
- - - - -
3 changed files:
- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -146458,7 +146458,6 @@ CVE-2025-23167 (A flaw in Node.js 20's HTTP parser
allows improper termination o
NOTE: Fixed by:
https://github.com/nodejs/llhttp/commit/72f53095152740e176438cf7fe68742fe1cb7be8
(v9.0.1)
CVE-2025-23166 (The C++ method SignTraits::DeriveBits() may incorrectly call
ThrowExce ...)
- nodejs 20.19.2+dfsg-1 (bug #1105832)
- [bookworm] - nodejs <postponed> (Fix along with next DSA)
[bullseye] - nodejs <not-affected> (The vulnerable code was introduced
later)
NOTE:
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high
NOTE: Introduced by:
https://github.com/nodejs/node/commit/e60841b598ed5246c8dfc24a779c6b1b732d4f87
(v16.14.0)
@@ -184918,7 +184917,6 @@ CVE-2025-0411 (7-Zip Mark-of-the-Web Bypass
Vulnerability. This vulnerability al
CVE-2025-23085 (A memory leak could occur when a remote peer abruptly closes
the socke ...)
{DSA-6166-1 DLA-4067-1}
- nodejs 20.18.2+dfsg-1 (bug #1094134)
- [bookworm] - nodejs <postponed> (Fix along with next DSA)
NOTE:
https://nodejs.org/en/blog/vulnerability/january-2025-security-releases#goaway-http2-frames-cause-memory-leak-outside-heap-cve-2025-23085---medium
NOTE: Fixed by:
https://github.com/nodejs/node/commit/3c7686163ed4c6ae3e5901b758b7a7d4fd5bb0c0
(v23.6.1)
NOTE: Fixed by:
https://github.com/nodejs/node/commit/6cc8d58e6f97c37c228f134bd9b98246c8871fb1
(v18.20.6)
=====================================
data/DSA/list
=====================================
@@ -1,3 +1,6 @@
+[14 May 2026] DSA-6272-1 nodejs - security update
+ {CVE-2025-23085 CVE-2025-23166 CVE-2025-55131 CVE-2025-59465
CVE-2025-59466 CVE-2026-21710 CVE-2026-21713 CVE-2026-21714}
+ [bookworm] - nodejs 18.20.4+dfsg-1~deb12u2
[14 May 2026] DSA-6271-1 gsasl - security update
[bookworm] - gsasl 2.2.0-1+deb12u1
[trixie] - gsasl 2.2.2-1.1+deb13u1
=====================================
data/dsa-needed.txt
=====================================
@@ -63,8 +63,6 @@ netty
nginx
Maintainer is preparing updates
--
-nodejs/oldstable (jmm)
---
openjpeg2 (jmm)
--
opennds/oldstable
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed98f828998e9558e8fd28bbb9e172d2dc032aed
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed98f828998e9558e8fd28bbb9e172d2dc032aed
You're receiving this email because of your account on salsa.debian.org. Manage
all notifications: https://salsa.debian.org/-/profile/notifications | Help:
https://salsa.debian.org/help
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
