-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 20 Dec 2023 18:07:36 +0100
Source: nodejs
Binary: libnode-dev libnode108 libnode108-dbgsym nodejs nodejs-dbgsym
Architecture: arm64
Version: 18.19.0+dfsg-6~deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: arm Build Daemon (arm-ubc-03)
Changed-By: Jérémy Lal
Description:
 libnode-dev - evented I/O for V8 javascript (development files)
 libnode108 - evented I/O for V8 javascript - runtime library
 nodejs - evented I/O for V8 javascript - runtime executable
Closes: 1031834 1039990 1050739 1054892
Changes:
 nodejs (18.19.0+dfsg-6~deb12u1) bookworm-security; urgency=medium
 .
   * Upstream update.
   * CVE-2023-23918: Permissions policies can be bypassed via
     process.mainModule. Closes #1031834.
   * CVE-2023-23919: OpenSSL error handling issues in nodejs crypto
     library. Closes: #1031834.
   * CVE-2023-23920: Insecure loading of ICU data through ICU_DATA
     environment variable. Closes: #1031834.
   * CVE-2023-30590: DiffieHellman does not generate keys after setting
     a private key. Closes: #1039990.
   * CVE-2023-30589: HTTP Request Smuggling via Empty headers separated
     by CR. Closes: #1039990.
   * CVE-2023-30588: Process interruption due to invalid Public Key
     information in x509 certificates. Closes: #1039990.
   * CVE-2023-32559: Permissions policies can be bypassed via
     process.binding. Closes: #1050739.
   * CVE-2023-30581: mainModule.proto bypass experimental policy
     mechanism. Closes: #1039990.
   * CVE-2023-32002: Permissions policies can be bypassed via
     Module._load. Closes: #1050739.
   * CVE-2023-32006: Permissions policies can impersonate other modules
     in using module.constructor.createRequire(). Closes: #1050739.
   * CVE-2023-38552: Integrity checks according to policies can be
     circumvented. Closes: #1054892.
   * CVE-2023-39333: Code injection via WebAssembly export names.
     Closes: #1054892.