-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 14 Sep 2024 11:29:46 +0000
Source: nodejs
Architecture: source
Version: 12.22.12~dfsg-1~deb11u5
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>
Changed-By: Bastien Roucariès <rouca@debian.org>
Changes:
nodejs (12.22.12~dfsg-1~deb11u5) bullseye-security; urgency=medium
.
* Non maintainer upload by LTS team
.
[Jérémy Lal]
* Fix test suite
.
[Bastien Roucariès]
* Fix CVE-2023-30589: The llhttp parser in the http module
does not strictly use the CRLF sequence to delimit HTTP requests.
This can lead to HTTP Request Smuggling (HRS).
The CR character (without LF) is sufficient to delimit
HTTP header fields in the llhttp parser. According to RFC7230
section 3, only the CRLF sequence should delimit each header-field
* Fix CVE-2023-30590: clarify behavior of DH generateKeys
* Fix CVE-2023-32559: A privilege escalation vulnerability exists
in the experimental policy mechanism.
The use of the deprecated API `process.binding()` can bypass
the policy mechanism by requiring internal modules and
eventually take advantage of `process.binding('spawn_sync')`
run arbitrary code, outside of the limits defined in
a `policy.json` file
* Fix CVE-2023-46809: fix OpenSSL Marvin Attack.
* Fix CVE-2024-22019: A vulnerability in Node.js HTTP servers
allowed an attacker to send a specially crafted HTTP request
with chunked encoding, leading to resource exhaustion and
denial of service (DoS). The server reads an unbounded number
of bytes from a single connection, exploiting the lack of
limitations on chunk extension bytes.
* Fix CVE-2024-22025: A vulnerability in Node.js has been identified,
allowing for a Denial of Service (DoS) attack through resource
exhaustion when using the fetch() function to retrieve content from an
untrusted URL. The vulnerability stems from the fact that the fetch()
function in Node.js always decodes Brotli, making it possible for an
attacker to cause resource exhaustion when fetching content from an
untrusted URL. An attacker controlling the URL passed into fetch() can
exploit this vulnerability to exhaust memory, potentially leading to
process termination, depending on the system configuration.
* Fix CVE-2024-27982: Do not allow OBS fold in headers by default
A critical vulnerability was found in the http server, where
malformed headers can lead to HTTP request smuggling.
Specifically, if a space is placed before a
content-length header, it is not interpreted correctly, enabling
attackers to smuggle in a second request within the body of the first.
* Fix CVE-2024-27983: ensure to close stream when destroying session
An attacker can make the Node.js HTTP/2 server completely unavailable
by sending a small amount of HTTP/2 frames packets with a few
HTTP/2 frames inside. It is possible to leave some data in nghttp2
memory after reset when headers with HTTP/2 CONTINUATION frame are
sent to the server and then a TCP connection is abruptly closed by
the client triggering the Http2Session destructor while header
frames are still being processed (and stored in memory) causing
a race condition.
Checksums-Sha1:
744481e1ff46ff3606ad2a1e1785031d811c5140 3505 nodejs_12.22.12~dfsg-1~deb11u5.dsc
1fef218bb8d9f06059919565b50cc122dc10cebb 87112 nodejs_12.22.12~dfsg.orig-types-node.tar.xz
502cfe0a9691d3974ca79e9f82aa4eed6eb24380 19005908 nodejs_12.22.12~dfsg.orig.tar.xz
34e4edfc3e7c666dc0425e2ff5c988cd021864b4 172576 nodejs_12.22.12~dfsg-1~deb11u5.debian.tar.xz
904391484e54be019f5c84cdd45b128880e11db6 11108 nodejs_12.22.12~dfsg-1~deb11u5_amd64.buildinfo
Checksums-Sha256:
72b805f0043fb356dc8c942f91eb5d0ea295ecaa25e8d0d691ee1ca9facf08ca 3505 nodejs_12.22.12~dfsg-1~deb11u5.dsc
e640dd32d922eed23cd5dabf56600cfd335ea5ce3c756dc96024adebf94555f8 87112 nodejs_12.22.12~dfsg.orig-types-node.tar.xz
06f8eb29e52d5eb720c4ae2316b3c1b71efb12aa73bf27138f1cc776a7315aff 19005908 nodejs_12.22.12~dfsg.orig.tar.xz
156fe3906209e30c6fe144bb09a6c3d7ba6275b9b224cf88aca4b2c3de0de39e 172576 nodejs_12.22.12~dfsg-1~deb11u5.debian.tar.xz
7fe8ff791a54b06c24d8971c491db31c1a2c3cb6b6c211a7b1573186ceb410c4 11108 nodejs_12.22.12~dfsg-1~deb11u5_amd64.buildinfo
Files:
132010986e3666850091ded9060d21d3 3505 javascript optional nodejs_12.22.12~dfsg-1~deb11u5.dsc
b3dc69de461763b2918b81ef426fe0ff 87112 javascript optional nodejs_12.22.12~dfsg.orig-types-node.tar.xz
effb4e471c3cf4c7184d357a38985c56 19005908 javascript optional nodejs_12.22.12~dfsg.orig.tar.xz
36febbb08c606053f8c29b32c0a34325 172576 javascript optional nodejs_12.22.12~dfsg-1~deb11u5.debian.tar.xz
7dfabe5d62f242f2ca77896d29a06d34 11108 javascript optional nodejs_12.22.12~dfsg-1~deb11u5_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmblofURHHJvdWNhQGRl
Ymlhbi5vcmcACgkQADoaLapBCF/7dA//earvpHg/TYeHNE2VJS61I0XqvAB5dyfL
oL26llwVo/zpzVkec/ZEAbx0u05XxULzdilyFXKqH8aGGyPI86JpoYXRNGHSBzPR
21BiINresWRk/fYVz5VbrW7zjocifk0oQLpg0eD2GXX+UNGlJVentjwq24VuB7my
r2uvas9T/WlMUfdW9bAjrJ2ng9lZFj7OSG8iJ2/uJJkJgvaS5Y3p2DL9dPw62Ppg
QyQsKi6hQbYPF/Jutt7eTqI4kZkSoUxCS3K0VwoOdtlHpQOW4Zh4x1J3RAjgyBp0
O8xC7dl/rDqh/BDdRUsZSRvOMJhgUa5zQQYdNOpcmzvJ6i4t6zQcBaG95JDrsnP9
FBMbm35uDh9TgIindOEX1AFsgVSDAuYAF5o3T5OH/GCCmLI5WK2x0eMv3ESjXLae
MGWvUgRLoUhWrpD89xBrp0+aSwZSG5yruw/bDgliWFCHw+U1pxrZP8ZtIiLrCh8Q
Wo8d3j6wrqj5S94djcoU5VWl9/v9JbXlAWkJZcgJWwLDIaFj2JivxIMpUQSXb3gk
uViJQdxMxFbnQkIeUNQDtXIaP69J8qp1w1HlLE+vmChUSAh6DVfpOIuC00BHthdx
JowzJY4qfoRx0nbRPO30i+5C76LQ3+4dS4DnhOgWYB6E5BuFaO06GZwo8cx5y74g
d2DtERIBTs4=
=BBQM
-----END PGP SIGNATURE-----
Attachment:
pgp2b03jC_Pc5.pgp
Description: PGP signature