Debian alert DLA-4067-1 (nodejs)
From: rouca@debian.org
To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 4067-1] nodejs security update
Date: Tue, 25 Feb 2025 11:25:07 +0000
Message-ID: <6e14fc3ed1c8e5adfa4b3efa0c2edb6d@debian.org>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4067-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Bastien Roucariès
February 25, 2025                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : nodejs
Version        : 12.22.12~dfsg-1~deb11u6
CVE ID         : CVE-2025-23085
Debian Bug     : 1094134

Node.js, a JavaScript runtime environment, was affected by a vulnerability.

A memory leak could occur when a remote peer abruptly closes the
socket without sending a GOAWAY notification. Additionally, if an
invalid header was detected by nghttp2, causing the connection to be
terminated by the peer, the same leak was triggered. This flaw could
lead to increased memory consumption and potential denial of service
under certain conditions.

For Debian 11 bullseye, this problem has been fixed in version
12.22.12~dfsg-1~deb11u6.

We recommend that you upgrade your nodejs packages.

For the detailed security status of nodejs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nodejs

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
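
An added example, not part of the advisory: checking a package inventory collected from bullseye hosts against the fixed version above, on a machine where dpkg is not available. It reimplements Debian's version ordering (on a Debian host, `dpkg --compare-versions` performs the same comparison); the host names and installed versions are constructed.

```python
import re

# Fixed version for Debian 11 bullseye, taken from the advisory text.
FIXED_BULLSEYE = "12.22.12~dfsg-1~deb11u6"

def _order(ch):
    # '' (end of run) weighs 0; '~' sorts before everything, even the end
    # of the string; letters sort before other punctuation.
    if ch in ("", "~"):
        return -1 if ch else 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Alternate non-digit runs (character weights) and digit runs (numeric).
    while a or b:
        na, a = re.match(r"([^0-9]*)(.*)", a).groups()
        nb, b = re.match(r"([^0-9]*)(.*)", b).groups()
        for i in range(max(len(na), len(nb))):
            x, y = _order(na[i:i + 1]), _order(nb[i:i + 1])
            if x != y:
                return -1 if x < y else 1
        da, a = re.match(r"([0-9]*)(.*)", a).groups()
        db, b = re.match(r"([0-9]*)(.*)", b).groups()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(version):
    # '[epoch:]upstream[-revision]' -> (epoch, upstream, revision)
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # Returns -1, 0 or 1, like a three-way comparison of Debian versions.
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched_hosts(inventory):
    # inventory maps host name -> installed nodejs version (bullseye hosts only)
    return sorted(h for h, v in inventory.items()
                  if compare_versions(v, FIXED_BULLSEYE) < 0)

# Constructed sample inventory (host names and versions are made up).
SAMPLE = {"web-01": "12.22.12~dfsg-1~deb11u5", "web-02": FIXED_BULLSEYE,
          "web-03": "12.22.5~dfsg-2~11u1", "web-04": "12.22.12~dfsg-1~deb11u7"}

print(unpatched_hosts(SAMPLE))
```

The fixed version applies to Debian 11 bullseye only, so hosts on other releases should be filtered out before the comparison.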