[SECURITY] [DLA 4152-1] nodejs security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4152-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Bastien Roucariès
May 02, 2025                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : nodejs
Version : 12.22.12~dfsg-1~deb11u7
CVE ID : CVE-2025-47153
Debian Bug : 922075 1076350
Node.js, a popular server-side JavaScript engine, was affected by
a vulnerability on 32-bit architectures.
Build processes for libuv and Node.js for 32-bit systems
have an inconsistent off_t size (e.g., building on i386 Debian always uses
_FILE_OFFSET_BITS=64 for the libuv dynamic library,
but uses the _FILE_OFFSET_BITS global system default of 32 for nodejs),
leading to out-of-bounds access.
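
The effect of that off_t mismatch on a structure shared across a library boundary, as an added example that is not part of the advisory and is not Debian, Node.js or libuv code. The struct is a constructed stand-in (not libuv's real layout) and abi_compatible() is a hypothetical handshake; the _Static_assert is a build-time guard a native addon could carry.

```c
#define _FILE_OFFSET_BITS 64   /* every component must agree on this value */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Build-time guard: compilation fails if this unit sees a 32-bit off_t. */
_Static_assert(sizeof(off_t) == 8, "off_t must be 64-bit in every component");

/* Constructed stand-in for a struct passed across a library boundary (not
 * libuv's real layout). OFF_T is what each side believes off_t to be. */
#define DEFINE_REQ(name, OFF_T) \
    struct name { int32_t fd; OFF_T offset; uint32_t len; }

DEFINE_REQ(req_app, int32_t);  /* caller compiled with a 32-bit off_t */
DEFINE_REQ(req_lib, int64_t);  /* library compiled with a 64-bit off_t */

/* Bytes by which the library's view extends past the caller's object. */
size_t abi_overhang(void) {
    return sizeof(struct req_lib) - sizeof(struct req_app);
}

/* Offset at which each side expects the field that follows `offset`. */
size_t len_offset_app(void) { return offsetof(struct req_app, len); }
size_t len_offset_lib(void) { return offsetof(struct req_lib, len); }

/* Runtime handshake (hypothetical API): the caller reports the off_t size it
 * was compiled with, and the library refuses to proceed on a mismatch. */
int abi_compatible(size_t caller_off_t_size) {
    return caller_off_t_size == sizeof(off_t);
}

int main(void) {
    printf("caller struct: %zu bytes, library view: %zu bytes\n",
           sizeof(struct req_app), sizeof(struct req_lib));
    printf("library view overhangs caller object by %zu bytes\n",
           abi_overhang());
    printf("'len' at offset %zu (caller) vs %zu (library)\n",
           len_offset_app(), len_offset_lib());
    printf("handshake, 32-bit caller: %s\n",
           abi_compatible(4) ? "ok" : "rejected");
    printf("handshake, 64-bit caller: %s\n",
           abi_compatible(sizeof(off_t)) ? "ok" : "rejected");
    return 0;
}
```

The exact sizes printed depend on the platform's alignment rules, but the library-side view is always larger than the caller's object and places the trailing field at a different offset.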
The following reverse dependencies were also rebuilt in order to fix the
vulnerability:
node-expat
node-iconv
node-leveldown
node-modern-syslog
node-nodedbi
node-opencv
node-re2
node-sqlite3
node-sass
node-srs
node-websocket
node-zipfile
r-cran-v8
For Debian 11 bullseye, this problem has been fixed in version
12.22.12~dfsg-1~deb11u7.
We recommend that you upgrade your nodejs packages.
For the detailed security status of nodejs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nodejs
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS