Your message dated Sun, 18 May 2025 12:07:07 +0000
with message-id <e1ugcnl-00gllv...@fasolo.debian.org>
and subject line Bug#1105832: fixed in nodejs 20.19.2+dfsg-1
has caused the Debian Bug report #1105832,
regarding CVE-2025-23165 CVE-2025-23166
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1105832: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105832
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nodejs
Version: 20.19.0+dfsg1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerabilities were published for nodejs.
CVE-2025-23165[0]:
| Corrupted pointer in node::fs::ReadFileUtf8(const
| FunctionCallbackInfo<Value>& args) when args[0] is a string
CVE-2025-23166[1]:
| Improper error handling in async cryptographic operations
| crashes process
CVE-2025-23167[2]:
| Improper HTTP header block termination in llhttp
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-23165
    https://www.cve.org/CVERecord?id=CVE-2025-23165
    https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low
[1] https://security-tracker.debian.org/tracker/CVE-2025-23166
    https://www.cve.org/CVERecord?id=CVE-2025-23166
    https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high
[2] https://security-tracker.debian.org/tracker/CVE-2025-23167
    https://www.cve.org/CVERecord?id=CVE-2025-23167
    https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-http-header-block-termination-in-llhttp-cve-2025-23167---medium
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: nodejs
Source-Version: 20.19.2+dfsg-1
Done: Jérémy Lal <kapo...@melix.org>
We believe that the bug you reported is fixed in the latest version of
nodejs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1105...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jérémy Lal <kapo...@melix.org> (supplier of updated nodejs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 14 May 2025 23:43:31 +0200
Source: nodejs
Architecture: source
Version: 20.19.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>
Changed-By: Jérémy Lal <kapo...@melix.org>
Closes: 1105832
Changes:
 nodejs (20.19.2+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 20.19.2+dfsg
     Security fixes: (Closes: #1105832)
     + CVE-2025-23165: add missing call to uv_fs_req_cleanup (low)
     + CVE-2025-23166: fix error handling on async crypto operations (high)
     + CVE-2025-23167: Improper HTTP header block termination in llhttp (medium)
   * Drop patch, applied upstream
   * Switch back to +dfsg suffix
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---