[SECURITY] [DLA 4152-1] nodejs security update

To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 4152-1] nodejs security update
From: rouca@debian.org
Date: Fri, 2 May 2025 00:32:36 +0200
Message-id: <[🔎] 11946bca08060c96c06c4a3a88d0de6a@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4152-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien RoucariÃ¨s
May 02, 2025                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : nodejs
Version        : 12.22.12~dfsg-1~deb11u7
CVE ID         : CVE-2025-47153
Debian Bug     : 922075 1076350

Node.js a popular server side javascript engine was affected by
a vulnerability on 32bits architecture.

Build processes for libuv and Node.js for 32-bit systems,
have an inconsistent off_t size (e.g., building on i386 Debian always uses
_FILE_OFFSET_BITS=64 for the libuv dynamic library,
but uses the _FILE_OFFSET_BITS global system default of 32 for nodejs),
leading to out-of-bounds access.

Following reverse dependencies were also rebuilt in order to fix the
vulnerability:
node-expat
node-iconv
node-leveldown
node-modern-syslog
node-nodedbi
node-opencv
node-re2
node-sqlite3
node-sass
node-srs
node-websocket
node-zipfile
r-cran-v8

For Debian 11 bullseye, this problem has been fixed in version
12.22.12~dfsg-1~deb11u7.

We recommend that you upgrade your nodejs packages.

For the detailed security status of nodejs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nodejs

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmgT9oMACgkQADoaLapB
CF9l5xAAr5qWjPQnb8fe9iDKJUV+R8UiRwmDAYJXx+nMPuSEOfK/6BF0jzabiNs3
xuRE+STcsQyNlt7vWHSj6FNjPqqoqsIBwJLykxava7TM9sNkB9IQ90yc2FszuGK3
aaCy9c+bhEyfq+wqPwg/4QI2PopjF2Xk8WgEA9B0CwIHnF7bJKvW0tXG2THtSU+r
RuTakV8aRN/Nx0i8T4rBcZEJtItKCrVQ7vWWG6QcWpThMVcGHMdJREfdFib8F9WH
MOM+plV2+LqJbjYjo23qhM+N+E/25CTwOX4UVjzbDSY5DEO10J9atBkE5oQGL1z1
70u3FcoLMcJxBVKrq8Y6y77rKmBWYFGcB6DD7S/+wJUzTm/53XbooJCZARnE4rSE
/5kS37vTeMFw7hGk6Rm/iKWXj2qRoRxO36NaxS5J+9lMeDa+LdqJ2xzKnNjCsA40
/CKt+AXcTSI3c4LPcbqy9gw7j1jFbGgl78aceByzL2+Zi4ifrquVdRep0isc3ITz
0WEttZqtxPeEyk/jkuxHE54H2kZ4SSYpuOS4AZlevoaRbTqFVKvrzNBFMxn+Retj
+/YySsoBaHJINpCzO+HLrB5tqtf/4NTSFnTaFwt8AHdRlsizJd5EHcJ3S0SmAwXk
ZO7C/xvbhN2h/2nB+04XlRXu5/zkOnbSYJxYgJIJWery8LWGy40=
=0YZh
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4151-1] golang-github-gorilla-csrf security update
Next by Date: [SECURITY] [DLA 3695-2] ansible regression update
Previous by thread: [SECURITY] [DLA 4151-1] golang-github-gorilla-csrf security update
Next by thread: [SECURITY] [DLA 3695-2] ansible regression update
Index(es):
- Date
- Thread