Your message dated Sun, 26 Jan 2025 21:09:09 +0100
with message-id <z5awzwv9ksyww...@eldamar.lan>
and subject line [ftpmas...@ftp-master.debian.org: Accepted nodejs 20.18.2+dfsg-1 (source) into unstable]
has caused the Debian Bug report #1094134,
regarding nodejs: CVE-2025-23083 CVE-2025-23085
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1094134: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094134
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nodejs
Version: 20.18.1+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for nodejs.

CVE-2025-23083[0]:
| With the aid of the diagnostics_channel utility, an event can be
| hooked into whenever a worker thread is created. This is not limited
| only to workers but also exposes internal workers, where an instance
| of them can be fetched, and its constructor can be grabbed and
| reinstated for malicious usage. This vulnerability affects
| Permission Model users (--permission) on Node.js v20, v22, and v23.


CVE-2025-23085[1]:
| GOAWAY HTTP/2 frames cause memory leak outside heap


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-23083
    https://www.cve.org/CVERecord?id=CVE-2025-23083
[1] https://security-tracker.debian.org/tracker/CVE-2025-23085
    https://www.cve.org/CVERecord?id=CVE-2025-23085
[2] https://nodejs.org/en/blog/vulnerability/january-2025-security-releases

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: nodejs
Source-Version: 20.18.2+dfsg-1

----- Forwarded message from Debian FTP Masters <ftpmas...@ftp-master.debian.org> -----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 26 Jan 2025 16:31:48 +0100
Source: nodejs
Architecture: source
Version: 20.18.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>
Changed-By: Jérémy Lal <kapo...@melix.org>
Changes:
 nodejs (20.18.2+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 20.18.2+dfsg
     + CVE-2025-23083: Worker permission bypass via InternalWorker
       leak in diagnostics (High).
     + CVE-2025-23085: GOAWAY HTTP/2 frames cause memory leak outside heap
       (Medium).
Checksums-Sha1:
 85db7463906fa905c49c99879e4fea7148d00587 4377 nodejs_20.18.2+dfsg-1.dsc
 36d594cccc87915a298fccaa4f30843f6a7af2ec 274900 nodejs_20.18.2+dfsg.orig-ada.tar.xz
 8d0ae83f8a0e0af54d3799b17887c8148c273205 300624 nodejs_20.18.2+dfsg.orig-types-node.tar.xz
 efd903039b54433bff2ab04e2e8ca38975515552 19455612 nodejs_20.18.2+dfsg.orig.tar.xz
 dce7a256ce83bce897249381618b4c0cbb65c26a 159708 nodejs_20.18.2+dfsg-1.debian.tar.xz
 ec6017ad9c5396e7e636adf747454284ee31fd4e 11714 nodejs_20.18.2+dfsg-1_source.buildinfo
Checksums-Sha256:
 a41ca9b752d5bb4115c0c9f3d571d7b401b91de7661307f1dafb46b02c67152d 4377 nodejs_20.18.2+dfsg-1.dsc
 26deff017c505b316f2498aaf293c896f4ab92b5349b367cf21fe14fa2cbd1e1 274900 nodejs_20.18.2+dfsg.orig-ada.tar.xz
 bbce097408c158b4af7320f0e40c76dea4f4c289e1c6fd079aacbbb7e7fc963e 300624 nodejs_20.18.2+dfsg.orig-types-node.tar.xz
 cf352efa6172aa13c5208441f2d5a6d84e76edfc94ed68a0db8069a2780cd6c2 19455612 nodejs_20.18.2+dfsg.orig.tar.xz
 138fdf24fbefe4c8ef4f8c7d490cd6ffa1019b20b3160a81e99c17d3a18f6620 159708 nodejs_20.18.2+dfsg-1.debian.tar.xz
 fd65282ea17afd1c8db4aa2dd3412eb7d01b54bf7e300e9b0c3359180333d839 11714 nodejs_20.18.2+dfsg-1_source.buildinfo
Files:
 e97f373529fa49f17c5bf39cbea8f33a 4377 javascript optional nodejs_20.18.2+dfsg-1.dsc
 fd9ff3be8b8b43905dd24c5af24aab16 274900 javascript optional nodejs_20.18.2+dfsg.orig-ada.tar.xz
 a8e00187c13c08d0c58d0f5cd6de96d7 300624 javascript optional nodejs_20.18.2+dfsg.orig-types-node.tar.xz
 4cb52fbbcc46ba8fa45bfdb9dadf2c54 19455612 javascript optional nodejs_20.18.2+dfsg.orig.tar.xz
 345fd0567ac98b91529137af4eb3eb65 159708 javascript optional nodejs_20.18.2+dfsg-1.debian.tar.xz
 ba6f3f69622745a48e98f25ca4953f05 11714 javascript optional nodejs_20.18.2+dfsg-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

----- End forwarded message -----

--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel