Debian Patches
Status for nodejs/20.19.2+dfsg-1+deb13u2
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| build/more_shareable_builtins.patch | add acorn, walk to shared builtins | Jérémy Lal <kapouer@melix.org> | yes | | | 2022-09-28 |
| build/builtins_module_paths_not_shareable.patch | disable shared builtins when loading deps on demand This is to avoid preloading potentially missing files. | Jérémy Lal <kapouer@melix.org> | invalid | | | 2023-12-10 |
| build/doc.patch | build doc using marked and js-yaml While waiting for unified/remarked/rehyped modules to be available in debian | Jérémy Lal <kapouer@melix.org> | not-needed | | | 2021-03-03 |
| build/flag_atomic.patch | Link to -latomic by default This avoids surprises on mips*el/ppc*el | Jérémy Lal <kapouer@melix.org> | not-needed | upstream | | 2019-10-25 |
| build/test_ci.patch | adapt tools/test.py * log to stdout * increase timeout multipliers * rename --flaky-tests to --flaky-tests-mode and use --flaky-tests like --skip-tests | Jérémy Lal <kapouer@melix.org> | not-needed | | | 2025-02-12 |
| deps/cares.patch | keep nodejs compatible with libc-ares public headers | Jérémy Lal <kapouer@melix.org> | not-needed | | | 2021-10-20 |
| deps/localhost-no-addrconfig.patch | do not use dns.ADDRCONFIG for localhost it fails on IPv6-only systems. Setting it with libc fails on linux. https://github.com/nodejs/node/issues/33279 https://lists.debian.org/debian-devel/2023/12/msg00011.html | Jérémy Lal <kapouer@melix.org> | yes | debian | | 2020-06-11 |
| deps/node_gyp.patch | use system-installed node-gyp for building test modules | Jérémy Lal <kapouer@melix.org> | not-needed | | | 2015-09-09 |
| dfsg/benchmark_without_alice.patch | a test uses a benchmark that reads alice.html, dfsg excluded | Jérémy Lal <kapouer@melix.org> | not-needed | | | 2020-03-04 |
| dfsg/multilib_modules.patch | Multiarch search path, arch triplet, DFHS path for modules | "Bastien ROUCARIÈS" <roucaries.bastien@gmail.com> | yes | | | 2020-03-04 |
| dfsg/privacy_breach.patch | remove google font from template.html, and link to local | Jérémy Lal <kapouer@melix.org> | not-needed | | | 2015-09-09 |
| build/skip-buffer-nan-internal-check.patch | skip buffer NaN internal representation check this fails on whatever archs having other internal representations of NaN. | Jérémy Lal <kapouer@melix.org> | yes | | | 2022-05-02 |
| armel/configure.patch | allow vfp2 and allow setting arm_version option | Jérémy Lal <kapouer@melix.org> | yes | | | 2022-08-29 |
| build/doc_template_home.html | fix link to home in html api | Jérémy Lal <kapouer@melix.org> | not-needed | | | 2022-11-06 |
| build/test_process_versions.patch | Use system paths for builtins | Jérémy Lal <kapouer@melix.org> | not-needed | | | 2023-02-22 |
| arm64/stacksize.patch | Harmonize V8 stack sizes on ARM architectures to match almost all other architectures | James Addison <jay@jp-hosting.net> | yes | | | 2023-02-28 |
| build/ada.patch | build using ada upstream tarball component | Jérémy Lal <kapouer@melix.org> | not-needed | | | 2023-11-30 |
| deps/v8-no-static-zlib.patch | compile v8 without zlib static lib it should have a minor performance impact | Jérémy Lal <kapouer@melix.org> | yes | | | 2023-12-16 |
| build/no-deps.patch | skip useless files in build target | Jérémy Lal <kapouer@melix.org> | yes | | | |
| sec/10-zlib-fix-pointer-alignment.patch | zlib: fix pointer alignment The function AllocForBrotli prefixes the allocated memory with its size, and returns a pointer to the region after it. This pointer can however no longer be suitably aligned. Correct this by allocating the maximum of the size of the size_t and the max alignment. On Arm 32bits the size_t is 4 bytes long, but the alignment is 8 for some NEON instructions. When Brotli is compiled with optimizations enabled newer GCC versions will use the NEON instructions and trigger a bus error killing node. see https://github.com/google/brotli/issues/1159 | jhofstee <jeroen@myspectrum.nl> | no | | | 2025-04-09 |
| sec/12-http2-fix-check-for-frame-type-goaway.patch | http2: fix check for `frame->hd.type` Related to CVE-2025-23085 According to the comment, this should be checking whether `frame->hd.type` is `NGHTTP2_GOAWAY`, i.e. `0x07` and not `0x03`. | hanguanqiang <hanguanqiang@kylinos.cn> | no | | | 2025-04-09 |
| sec/15-fix-os-getinterface-addresses-leak.patch | os: fix GetInterfaceAddresses memory leak | theanarkh <theratliter@gmail.com> | no | | | 2025-07-06 |
| sec/17-fix-possible-dereference-of-null-pointer.patch | src: fix possible dereference of null pointer There is a CHECK_NOT_NULL check before dereferencing node_env on line 710 in the "if" block, but there is no CHECK_NOT_NULL check before dereferencing node_env on line 721. Maybe it makes sense to put CHECK_NOT_NULL right after calling the Environment::GetCurrent function. | Eusgor <100363036+Eusgor@users.noreply.github.com> | no | | | 2025-05-30 |
| sec/19-v8-fix-missing-callback-in-heap-utils-destroy.patch | v8: fix missing callback in heap utils destroy This fixes the v8.getHeapSnapshot() calls not properly being destroyed. Pipeline calls would for example not properly end without the callback being in place. | Ruben Bridgewater <ruben.bridgewater@datadoghq.com> | no | | | 2025-06-30 |
| sec/27-v8-loong64-avoid-memory-access-under-stack-pointer.patch | deps: V8: cherry-pick 6b1b9bca2a8 Origin commit message: [loong64][codegen] Avoid memory access under stack pointer According to LoongArch ABI doc chapter 8.2: "Procedures must not assume the persistence on-stack data of which the addresses lie below the stack pointer." Change-Id: I92735e052227495ac9884c4290b57eaffbf905e1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6786372 Auto-Submit: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn> Reviewed-by: Matthias Liedtke <mliedtke@chromium.org> Commit-Queue: Matthias Liedtke <mliedtke@chromium.org> Cr-Commit-Position: refs/heads/main@{#101634} | zhoumingtao <zhoumingtao@loongson.cn> | no | | | 2025-07-30 |
| sec/28-http2-do-not-crash-on-mismatched-ping-buffer-length.patch | http2: do not crash on mismatched ping buffer length | René <contact.9a5d6388@renegade334.me.uk> | no | | | 2025-10-09 |
| sec/29-fix-order-of-check-not-null.patch | src: fix order of CHECK_NOT_NULL/dereference `ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS` may dereference `req_wrap_async`, so `CHECK_NOT_NULL(req_wrap_async)` should be used before and not after. | Tobias Nießen <tniessen@tnie.de> | no | | | 2025-08-18 |
| sec/33-tls-route-callback-exceptions-through-error-handlers.patch | tls: route callback exceptions through error handlers Wrap pskCallback and ALPNCallback invocations in try-catch blocks to route exceptions through owner.destroy() instead of letting them become uncaught exceptions. This prevents remote attackers from crashing TLS servers or causing resource exhaustion. | Matteo Collina <hello@matteocollina.com> | no | | | 2025-12-22 |
| sec/34-lib-add-tlssocket-default-error-handler.patch | lib: add TLSSocket default error handler This prevents the server from crashing due to an unhandled rejection when a TLSSocket connection is abruptly destroyed during initialization and the user has not attached an error handler to the socket. e.g: `const server = http2.createSecureServer({ ... }); server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) })` | RafaelGSS <rafael.nunu@hotmail.com> | no | | | 2025-10-31 |
| sec/35-lib-disable-futimes-when-permission-model-is-enabled.patch | lib: disable futimes when permission model is enabled | RafaelGSS <rafael.nunu@hotmail.com> | no | | | 2025-10-21 |
| sec/36-lib-permission-require-full-read-and-write-to-symlink-apis.patch | lib,permission: require full read and write to symlink APIs | RafaelGSS <rafael.nunu@hotmail.com> | no | | | 2025-11-10 |
| sec/37-rethrow-stack-overflow-exceptions-in-async-hooks.patch | src: rethrow stack overflow exceptions in async_hooks When a stack overflow exception occurs during async_hooks callbacks (which use TryCatchScope::kFatal), detect the specific "Maximum call stack size exceeded" RangeError and re-throw it instead of immediately calling FatalException. This allows user code to catch the exception with try-catch blocks instead of requiring uncaughtException handlers. The implementation adds IsStackOverflowError() helper to detect stack overflow RangeErrors and re-throws them in TryCatchScope destructor instead of calling FatalException. This fixes the issue where async_hooks would cause stack overflow exceptions to exit with code 7 (kExceptionInFatalExceptionHandler) instead of being catchable. | Matteo Collina <hello@matteocollina.com> | no | | | 2025-12-09 |
| sec/38-refactor-unsafe-buffer-creation-to-remove-zero-fill-toggle.patch | src,lib: refactor unsafe buffer creation to remove zero-fill toggle This removes the zero-fill toggle mechanism that allowed JavaScript to control ArrayBuffer initialization via shared memory. Instead, unsafe buffer creation now uses a dedicated C++ API. | Сковорода | no | | | 2025-11-07 |
| sec/44-v8-riscv-fix-sp-handling-in-macroassembler-leave-frame.patch | deps: V8: backport 6a0a25abaed3 Original commit message: [riscv] Fix sp handling in MacroAssembler::LeaveFrame Keep sp <= fp to ensure that data right above fp doesn't get clobbered by an inopportune signal and its handler. Such clobbering can happen in e.g. Node.js when JIT-compiled code is interrupted by a SIGCHLD handler. Bug: None Change-Id: Ief0836032ada7942e89f081f7605f61632c4d414 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7540554 Reviewed-by: Ji Qiu <qiuji@iscas.ac.cn> Commit-Queue: Yahan Lu (LuYahan) <yahan@iscas.ac.cn> Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@chromium.org> Cr-Commit-Position: refs/heads/main@{#105069} | Vivian Wang <wangruikang@iscas.ac.cn> | no | | | 2026-02-03 |
| sec/50-crypto-use-timing-safe-comparison-HMAC.patch | crypto: use timing-safe comparison in Web Cryptography HMAC Use `CRYPTO_memcmp` instead of `memcmp` in `HMAC` Web Cryptography algorithm implementations. | Filip Skokan <panva.ip@gmail.com> | no | | | 2026-02-20 |
| sec/51-fix-array-index-hash-collision.patch | deps,build,test: fix array index hash collision This enables v8_enable_seeded_array_index_hash and adds a test for it. Original commit message: implement rapidhash secret generation Bug: 409717082 Change-Id: I471f33d66de32002f744aeba534c1d34f71e27d2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6733490 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: snek <snek@chromium.org> Cr-Commit-Position: refs/heads/main@{#101499} Original commit message: [numbers] Refactor HashSeed as a lightweight view over ByteArray Instead of copying the seed and secrets into a struct with value fields, HashSeed now stores a pointer pointing either into the read-only ByteArray, or the static default seed for off-heap HashSeed::Default() calls. The underlying storage is always 8-byte aligned so we can cast it directly into a struct. Change-Id: I5896a7f2ae24296eb4c80b757a5d90ac70a34866 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7609720 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Joyee Cheung <joyee@igalia.com> Cr-Commit-Position: refs/heads/main@{#105531} Original commit message: [strings] improve array index hash distribution Previously, the hashes stored in a Name's raw_hash_field for decimal numeric strings (potential array indices) consist of the literal integer value along with the length of the string. This means consecutive numeric strings can have consecutive hash values, which can lead to O(n^2) probing for insertion in the worst case when e.g. a non-numeric string happens to land in these buckets. This patch adds a build-time flag v8_enable_seeded_array_index_hash that scrambles the 24-bit array-index value stored in a Name's raw_hash_field to improve the distribution. `x ^= x >> kShift; x = (x * m1) & kMask; // round 1` `x ^= x >> kShift; x = (x * m2) & kMask; // round 2` `x ^= x >> kShift; // finalize` To decode, apply the same steps with the modular inverses of m1 and m2 in reverse order. `x ^= x >> kShift; x = (x * m2_inv) & kMask; // round 1` `x ^= x >> kShift; x = (x * m1_inv) & kMask; // round 2` `x ^= x >> kShift; // finalize` where kShift = kArrayIndexValueBits / 2, kMask = kArrayIndexValueMask, m1, m2 (both odd) are the lower bits of the rapidhash secrets, m1_inv, m2_inv (modular inverses) are precomputed modular inverses of m1 and m2. The pre-computed values are appended to the hash_seed ByteArray in ReadOnlyRoots and accessed in generated code to reduce overhead. In call sites that don't already have access to the seeds, we read them from the current isolate group/isolate's read only roots. To consolidate the code that encode/decode these hashes, this patch adds MakeArrayIndexHash/DecodeArrayIndexFromHashField in C++ and CSA that perform seeding/unseeding if enabled, and updates places where encoding/decoding of array index is needed to use them. Bug: 477515021 Change-Id: I350afe511951a54c4378396538152cc56565fd55 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7564330 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Joyee Cheung <joyee@igalia.com> Cr-Commit-Position: refs/heads/main@{#105596} Original commit message: [string] add 3rd round to seeded array index hash Since we already have 3 derived secrets, and arithmetics are relatively cheap, add a 3rd round to the xorshift-multiply seeding scheme. This brings the bias from ~3.4 to ~0.4. Bug: 477515021 Change-Id: I1ef48954bcee8768d8c90db06ac8adb02f06cebf Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7655117 Reviewed-by: Chengzhong Wu <cwu631@bloomberg.net> Commit-Queue: Joyee Cheung <joyee@igalia.com> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#105824} | Joyee Cheung <joyeec9h3@gmail.com> | no | | | 2026-01-29 |
| sec/52-http-use-null-prototype-for-headersDistinct-trailersDistinct.patch | http: use null prototype for headersDistinct/trailersDistinct Use { __proto__: null } instead of {} when initializing the headersDistinct and trailersDistinct destination objects. A plain {} inherits from Object.prototype, so when a __proto__ header is received, dest["__proto__"] resolves to Object.prototype (truthy), causing _addHeaderLineDistinct to call .push() on it, which throws an uncaught TypeError and crashes the process. | Matteo Collina <hello@matteocollina.com> | no | | | 2026-02-19 |
| sec/53-include-permission-check-on-lib-fs-promises.patch | permission: include permission check on lib/fs/promises | RafaelGSS <rafael.nunu@hotmail.com> | no | | | 2026-01-05 |
| sec/54-add-permission-check-to-realpath-native.patch | permission: add permission check to realpath.native | RafaelGSS <rafael.nunu@hotmail.com> | no | | | 2026-01-05 |
| sec/55-handle-NGHTTP2_ERR_FLOW_CONTROL-error-code.patch | src: handle NGHTTP2_ERR_FLOW_CONTROL error code | RafaelGSS <rafael.nunu@hotmail.com> | no | | | 2026-03-11 |
| sec/56-tls-wrap-SNICallback-invocation-in-try-catch.patch | tls: wrap SNICallback invocation in try/catch Wrap the owner._SNICallback() invocation in loadSNI() with try/catch to route exceptions through owner.destroy() instead of letting them become uncaught exceptions. This completes the fix from CVE-2026-21637 which added try/catch protection to callALPNCallback, onPskServerCallback, and onPskClientCallback but missed loadSNI(). Without this fix, a remote unauthenticated attacker can crash any Node.js TLS server whose SNICallback may throw on unexpected input by sending a single TLS ClientHello with a crafted server_name value. | Matteo Collina <hello@matteocollina.com> | no | | | 2026-02-17 |
All known versions for source package 'nodejs'
- 24.14.1+dfsg+~cs24.12.0-1 (experimental)
- 22.22.2+dfsg+~cs22.19.15-1 (sid, forky)
- 20.19.2+dfsg-1+deb13u2 (trixie-security)
- 20.19.2+dfsg-1+deb13u1 (trixie-proposed-updates)
- 20.19.2+dfsg-1 (trixie)
- 18.20.4+dfsg-1~deb12u1 (bookworm-security, bookworm)
