Debian Patches

Status for nodejs/18.20.4+dfsg-1~deb12u2

Patch Description Author Forwarded Bugs Origin Last update
libuv/fix-cve-2024-24806 Fix CVE-2024-24806 From upstream change log:
Merge pull request from GHSA-f74f-cvh7-c6q6
* fix: always zero-terminate idna output
* fix: reject zero-length idna inputs
* test: empty strings are not valid IDNA

See also https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
git diff v1.48.0~5..v1.48.0~2
yes debian upstream https://github.com/libuv/libuv
CVE-2025-55131.patch src,lib: refactor unsafe buffer creation to remove zero-fill toggle
This removes the zero-fill toggle mechanism that allowed JavaScript
to control ArrayBuffer initialization via shared memory. Instead,
unsafe buffer creation now uses a dedicated C++ API.
ChALkeR Nikita Skovoroda <chalkerx@gmail.com> no backport, https://github.com/nodejs/node/commit/51f4de4b4a52b5b0eb2c63ecbb4126577e05f636 2026-04-06
CVE-2025-59465.patch lib: add TLSSocket default error handler
This prevents the server from crashing due to an unhandled rejection
when a TLSSocket connection is abruptly destroyed during initialization
and the user has not attached an error handler to the socket.
e.g.:

```js
const http2 = require('node:http2');

const server = http2.createSecureServer({ ... }); // key/cert options elided in the original
server.on('secureConnection', (socket) => {
  // Attach an error handler so an abruptly destroyed socket does not crash the process
  socket.on('error', (err) => {
    console.log(err);
  });
});
```
RafaelGSS <rafael.nunu@hotmail.com> no 2025-10-31
CVE-2025-59466.patch src: rethrow stack overflow exceptions in async_hooks
When a stack overflow exception occurs during async_hooks callbacks (which use
TryCatchScope::kFatal),
detect the specific "Maximum call stack size exceeded" RangeError and
re-throw it instead of immediately calling FatalException. This allows user
code to catch the exception with try-catch blocks instead of requiring
uncaughtException handlers.

The implementation adds IsStackOverflowError() helper to detect stack
overflow RangeErrors and re-throws them in TryCatchScope destructor
instead of calling FatalException.

This fixes the issue where async_hooks would cause stack overflow
exceptions to exit with code 7 (kExceptionInFatalExceptionHandler)
instead of being catchable.
Matteo Collina <hello@matteocollina.com> yes upstream backport, https://github.com/nodejs/node/commit/d7a5c587c02ebe18f9fe4de986bac55d80c2868f 2026-04-26
CVE-2025-23085.patch src: fix HTTP2 mem leak on premature close and ERR_PROTO
This commit fixes a memory leak when the socket is
suddenly closed by the peer (without GOAWAY notification)
and when invalid header (by nghttp2) is identified and the
connection is terminated by peer.
RafaelGSS <rafael.nunu@hotmail.com> no https://github.com/nodejs/node/commit/6cc8d58e6f97c37c228f134bd9b98246c8871fb1 2024-12-17
build/openssl_config_explicit_lower.patch Add a CipherString for nodejs
If the default security level is overwritten at build time of openssl
then it is needed to lower it again for nodejs in order to pass the
testsuite because it is using small keys.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> no 2022-09-23
build/openssl_3011_without_new_error_message.patch debian openssl in testing or sid (3.0.11, 3.1.4) does not seem to have that different behavior Jérémy Lal <kapouer@melix.org> no 2023-11-03
build/more_shareable_builtins.patch add acorn, walk to shared builtins Jérémy Lal <kapouer@melix.org> yes 2022-09-28
build/cctest_disable.patch do not build cctest, build broken on debian Jérémy Lal <kapouer@melix.org> invalid 2017-12-18
build/doc.patch build doc using marked and js-yaml While waiting for unified/remarked/rehyped modules to be available in debian Jérémy Lal <kapouer@melix.org> not-needed 2021-03-03
build/flag_atomic.patch Link to -latomic by default This avoids surprises on mips*el/ppc*el Jérémy Lal <kapouer@melix.org> not-needed upstream 2019-10-25
build/test_ci.patch adapt test-ci build target for buildd * run tests with ./node
* remove addons from test-ci suite, because it creates a dependency loop
nodejs -> node-gyp -> nodejs which is painful to manage.
* disabled because it requires stdin:
+ test-stdout-close-unref
+ test-regress-GH-746
* test-tick-processor fails on ppc64 and s390x, currently investigated
https://github.com/nodejs/node/issues/2471
* test-cluster-disconnect sometimes fails on busy buildd, forwarded upstream
https://github.com/nodejs/node/issues/3383
* test-fs-watch is flaky, might be related to https://github.com/nodejs/node/issues/4082
* huge timeout value for all platforms, buildd could be busy
* test-npm-install and test-release-npm must fail, debian package dfsg-repacked npm out
* ability to override CI_NATIVE_SUITES, CI_JS_SUITES
* disable tests failing because DNS is disabled
* sequential/test-http2-session-timeout is flaky https://github.com/nodejs/node/issues/20628
Jérémy Lal <kapouer@melix.org> not-needed 2020-02-09
deps/cares.patch keep nodejs compatible with libc-ares public headers Jérémy Lal <kapouer@melix.org> not-needed 2021-10-20
deps/localhost-no-addrconfig.patch do not use dns.ADDRCONFIG for localhost
It fails on IPv6-only systems. Setting it with libc fails on linux.
https://github.com/nodejs/node/issues/33279
Jérémy Lal <kapouer@melix.org> yes debian 2020-06-11
deps/node_gyp.patch use system-installed node-gyp for building test modules Jérémy Lal <kapouer@melix.org> not-needed 2015-09-09
dfsg/benchmark_without_alice.patch a test uses a benchmark that read alice.html, dfsg excluded Jérémy Lal <kapouer@melix.org> not-needed 2020-03-04
dfsg/multilib_modules.patch Multiarch search path, arch triplet, DFHS path for modules "Bastien ROUCARIÈS" <roucaries.bastien@gmail.com> yes 2020-03-04
dfsg/privacy_breach.patch remove google font from template.html, and link to local Jérémy Lal <kapouer@melix.org> not-needed 2015-09-09
mips/compilation_error.patch fix compilation error on mipsel target Jérémy Lal <kapouer@melix.org> yes 2021-10-28
mips/fpu.patch use configuration directive to set mips fpu mode YunQiang Su <wzssyqa@gmail.com> yes 2015-09-29
mips/less_mem.patch mksnapshot uses too much memory on 32-bit mipsel Jérémy Lal <kapouer@melix.org> yes 2020-06-03
mips/mipsel_is_32.patch mipsel in debian supports 32-bit processors Jérémy Lal <kapouer@melix.org> not-needed 2021-11-03
mips/mipsel_even_register_fix.patch fix double register usage on mipsel Jérémy Lal <kapouer@melix.org> invalid 2022-06-15
build/skip-buffer-nan-internal-check.patch skip buffer NaN internal representation check
This fails on whatever archs having other internal representations of NaN. Jérémy Lal <kapouer@melix.org> yes 2022-05-02
riscv/flaky_tests.patch test does not pass on riscv64 Jérémy Lal <kapouer@melix.org>, Bo YU <tsu.yubo@gmail.com> invalid 2022-12-14
armel/configure.patch allow vfp2 and allow setting arm_version option Jérémy Lal <kapouer@melix.org> yes 2022-08-29
build/doc_template_home.html fix link to home in html api Jérémy Lal <kapouer@melix.org> not-needed 2022-11-06
build/test_process_versions.patch Use system paths for builtins Jérémy Lal <kapouer@melix.org> not-needed 2023-02-22
arm64/stacksize.patch Harmonize V8 stack sizes on ARM architectures to match almost all other architectures James Addison <jay@jp-hosting.net> yes 2023-02-28
build/ada.patch build using ada upstream tarball component Jérémy Lal <kapouer@melix.org> not-needed 2023-11-30
build/disable_sea_dfsg_postject.patch disable test because it depends on postject, which is dfsg-excluded
HELP is welcome to solve this Jérémy Lal <kapouer@melix.org> not-needed 2023-11-30
build/test_runner_escape_path.patch test runner output fails on some cwd - fix regexp Jérémy Lal <kapouer@melix.org> yes 2023-11-30
mips/flaky_tests.patch some tests fail on mips64el and mipsel
That architecture support improves over time - node 20.x branch has better support for mips64el
Meanwhile, let those tests fail.
not-needed
build/openssl_3014.patch openssl 3.0.14 returns a different code. not-needed
libuv/0000-bookworm-sync.patch Get libuv nodejs in sync with libuv/bookworm
Bastien Roucariès <rouca@debian.org> not-needed 2025-04-27
CVE-2025-23166.patch src: fix error handling on async crypto operations RafaelGSS <rafael.nunu@hotmail.com> no backport, https://github.com/nodejs/node/commit/6c57465920cf1b981a63031e71b1e4a73bf9beaa 2025-05-12
libuv/path_max_zero_st_size fix undefined path_max for st_size zero
The downstream 'path_max' patch in Debian sets the buffer size
for readlink() to the 'st_size' value obtained with lstat().

However, it might be zero for some symlinks in /proc on Linux
(notably /proc/self) leading to readlink() failing with EINVAL.

$ strace -e lstat stat /proc/self 2>&1 \
| grep -e lstat -e File: -e Size:
lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
File: /proc/self -> 30875
Size: 0 Blocks: 0 IO Block: 1024 symbolic link

This causes readlink (tool) to files like /dev/stdin to fail,
which may link to /proc/self/fd/0 on containers or elsewhere.

Test-case:

ubuntu@cosmic:~/node$
$ strace -E LD_LIBRARY_PATH=/usr/local/lib/ -f -e lstat,readlink \
node test/parallel/test-fs-realpath-pipe.js

With path_max:

[pid 17785] lstat("/dev", {st_mode=S_IFDIR|0755, st_size=480, ...}) = 0
[pid 17786] lstat("/dev/stdin", {st_mode=S_IFLNK|0777, st_size=15, ...}) = 0
[pid 17788] lstat("/dev/stdin", {st_mode=S_IFLNK|0777, st_size=15, ...}) = 0
[pid 17788] readlink("/dev/stdin", "/proc/self/fd/0", 15) = 15

[pid 17785] lstat("/proc", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 17786] lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
[pid 17788] lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
[pid 17788] readlink("/proc/self", 0x7f2a6c000b40, 0) = -1 EINVAL (Invalid argument)

Without path_max:

[pid 18114] lstat("/dev", {st_mode=S_IFDIR|0755, st_size=480, ...}) = 0
[pid 18114] lstat("/dev/stdin", {st_mode=S_IFLNK|0777, st_size=15, ...}) = 0
[pid 18114] readlink("/dev/stdin", "/proc/self/fd/0", 4096) = 15

[pid 18114] lstat("/proc", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 18114] lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
[pid 18114] readlink("/proc/self", "18114", 4096) = 5

[pid 18114] lstat("/proc/18114", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 18114] lstat("/proc/18114/fd", {st_mode=S_IFDIR|0500, st_size=0, ...}) = 0
[pid 18114] lstat("/proc/18114/fd/0", {st_mode=S_IFLNK|0700, st_size=64, ...}) = 0
[pid 18114] readlink("/proc/18114/fd/0", "socket:[199607]", 4096) = 15

With this patch on top of path_max:

[pid 18433] lstat("/dev", {st_mode=S_IFDIR|0755, st_size=480, ...}) = 0
[pid 18433] lstat("/dev/stdin", {st_mode=S_IFLNK|0777, st_size=15, ...}) = 0
[pid 18433] lstat("/dev/stdin", {st_mode=S_IFLNK|0777, st_size=15, ...}) = 0
[pid 18433] readlink("/dev/stdin", "/proc/self/fd/0", 15) = 15

[pid 18433] lstat("/proc", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 18433] lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
[pid 18433] lstat("/proc/self", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
[pid 18433] readlink("/proc/self", "18433", 256) = 5

[pid 18433] lstat("/proc/18433", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
[pid 18433] lstat("/proc/18433/fd", {st_mode=S_IFDIR|0500, st_size=0, ...}) = 0
[pid 18433] lstat("/proc/18433/fd/0", {st_mode=S_IFLNK|0700, st_size=64, ...}) = 0
[pid 18433] lstat("/proc/18433/fd/0", {st_mode=S_IFLNK|0700, st_size=64, ...}) = 0
[pid 18433] readlink("/proc/18433/fd/0", "socket:[191351]", 64) = 15
Mauricio Faria de Oliveira <mfo@canonical.com> no debian
CVE-2026-21637.patch tls: route callback exceptions through error handlers
Wrap pskCallback and ALPNCallback invocations in try-catch blocks
to route exceptions through owner.destroy() instead of letting them
become uncaught exceptions. This prevents remote attackers from
crashing TLS servers or causing resource exhaustion.
Matteo Collina <hello@matteocollina.com> no backport, https://github.com/nodejs/node/commit/85f73e7057e9badf6e7713f7440769375cdb5df5 2025-12-22
CVE-2026-21637_post1.patch tls: wrap SNICallback invocation in try/catch
Wrap the owner._SNICallback() invocation in loadSNI() with try/catch
to route exceptions through owner.destroy() instead of letting them
become uncaught exceptions. This completes the fix from CVE-2026-21637
which added try/catch protection to callALPNCallback,
onPskServerCallback, and onPskClientCallback but missed loadSNI().

Without this fix, a remote unauthenticated attacker can crash any
Node.js TLS server whose SNICallback may throw on unexpected input
by sending a single TLS ClientHello with a crafted server_name value.
Matteo Collina <hello@matteocollina.com> no https://github.com/nodejs/node/commit/cc3f294507c715908b2b31a5301e295b3de04152 2026-02-17
CVE-2026-21710.patch http: use null prototype for headersDistinct/trailersDistinct
Use { __proto__: null } instead of {} when initializing the
headersDistinct and trailersDistinct destination objects.

A plain {} inherits from Object.prototype, so when a __proto__
header is received, dest["__proto__"] resolves to Object.prototype
(truthy), causing _addHeaderLineDistinct to call .push() on it,
which throws an uncaught TypeError and crashes the process.
Matteo Collina <hello@matteocollina.com> no https://github.com/nodejs/node/commit/00ad47a28eb2e3dc0ff5610d58c53341acf3cf8d 2026-02-19
CVE-2026-21713.patch crypto: use timing-safe comparison in Web Cryptography HMAC
Use `CRYPTO_memcmp` instead of `memcmp` in `HMAC`
Web Cryptography algorithm implementations.
Filip Skokan <panva.ip@gmail.com> no https://github.com/nodejs/node/commit/cfb51fa9ce1da2a8c810ec35bcc7c000f8c94fafy 2026-02-20
CVE-2026-21714.patch src: handle NGHTTP2_ERR_FLOW_CONTROL error code RafaelGSS <rafael.nunu@hotmail.com> no https://github.com/nodejs/node/commit/a0c73425da4c95fbcf6c13b7fe8921301290b8e6 2026-03-11