[Git][security-tracker-team/security-tracker][master] nodejs DSA

Thu May 14 23:13:25 BST 2026


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ed98f828 by Moritz Mühlenhoff at 2026-05-14T22:59:50+02:00
nodejs DSA

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -146458,7 +146458,6 @@ CVE-2025-23167 (A flaw in Node.js 20's HTTP parser allows improper termination o
 	NOTE: Fixed by: https://github.com/nodejs/llhttp/commit/72f53095152740e176438cf7fe68742fe1cb7be8 (v9.0.1)
 CVE-2025-23166 (The C++ method SignTraits::DeriveBits() may incorrectly call ThrowExce ...)
 	- nodejs 20.19.2+dfsg-1 (bug #1105832)
-	[bookworm] - nodejs <postponed> (Fix along with next DSA)
 	[bullseye] - nodejs <not-affected> (The vulnerable code was introduced later)
 	NOTE: https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high
 	NOTE: Introduced by: https://github.com/nodejs/node/commit/e60841b598ed5246c8dfc24a779c6b1b732d4f87 (v16.14.0)
@@ -184918,7 +184917,6 @@ CVE-2025-0411 (7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability al
 CVE-2025-23085 (A memory leak could occur when a remote peer abruptly closes the socke ...)
 	{DSA-6166-1 DLA-4067-1}
 	- nodejs 20.18.2+dfsg-1 (bug #1094134)
-	[bookworm] - nodejs <postponed> (Fix along with next DSA)
 	NOTE: https://nodejs.org/en/blog/vulnerability/january-2025-security-releases#goaway-http2-frames-cause-memory-leak-outside-heap-cve-2025-23085---medium
 	NOTE: Fixed by: https://github.com/nodejs/node/commit/3c7686163ed4c6ae3e5901b758b7a7d4fd5bb0c0 (v23.6.1)
 	NOTE: Fixed by: https://github.com/nodejs/node/commit/6cc8d58e6f97c37c228f134bd9b98246c8871fb1 (v18.20.6)


=====================================
data/DSA/list
=====================================
@@ -1,3 +1,6 @@
+[14 May 2026] DSA-6272-1 nodejs - security update
+	{CVE-2025-23085 CVE-2025-23166 CVE-2025-55131 CVE-2025-59465 CVE-2025-59466 CVE-2026-21710 CVE-2026-21713 CVE-2026-21714}
+	[bookworm] - nodejs 18.20.4+dfsg-1~deb12u2
 [14 May 2026] DSA-6271-1 gsasl - security update
 	[bookworm] - gsasl 2.2.0-1+deb12u1
 	[trixie] - gsasl 2.2.2-1.1+deb13u1


=====================================
data/dsa-needed.txt
=====================================
@@ -63,8 +63,6 @@ netty
 nginx
   Maintainer is preparing updates
 --
-nodejs/oldstable (jmm)
---
 openjpeg2 (jmm)
 --
 opennds/oldstable



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed98f828998e9558e8fd28bbb9e172d2dc032aed

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed98f828998e9558e8fd28bbb9e172d2dc032aed
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260514/7088d4c7/attachment-0001.htm>
