-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 24 Mar 2026 22:11:25 +0100 Source: nodejs Architecture: source Version: 20.19.2+dfsg-1+deb13u2 Distribution: trixie-security Urgency: medium Maintainer: Debian Javascript Maintainers Changed-By: Jérémy Lal Changes: nodejs (20.19.2+dfsg-1+deb13u2) trixie-security; urgency=medium . * Upstream security patches: + CVE-2026-21713: use timing-safe comparison in Web Cryptography HMAC + CVE-2026-21717: fix array index hash collision + CVE-2026-21710: http: use null prototype for headersDistinct/trailersDistinct + CVE-2026-21716: include permission check on lib/fs/promises + CVE-2026-21715: add permission check to realpath.native + CVE-2026-21714: handle NGHTTP2_ERR_FLOW_CONTROL error code + CVE-2026-21637: tls wrap SNICallback invocation in try/catch * copyright: add rapidhash from sec/51 patch Checksums-Sha1: 42b79ca5ce3cd95f113ca6b9e5e3f2af26f39a71 4410 nodejs_20.19.2+dfsg-1+deb13u2.dsc b4cfc4f31a57aa141ac6f4acf12fd1f2bce56b76 203392 nodejs_20.19.2+dfsg-1+deb13u2.debian.tar.xz a0b5cc839ec45059d5e9b71173b33a18d2714580 11320 nodejs_20.19.2+dfsg-1+deb13u2_source.buildinfo Checksums-Sha256: a3bff34eff175567f923f5936e03c06c416841d92a0597aed13a58e48ccb5ae7 4410 nodejs_20.19.2+dfsg-1+deb13u2.dsc a13e879865bd61c698ad6fdeeb4b18bef46c7a6f6ce5921c70a0f97eb05e266c 203392 nodejs_20.19.2+dfsg-1+deb13u2.debian.tar.xz a1ff2c53433caec2b5730b625f6acdd2c8c5dddd37123fa417b60c9da91778ab 11320 nodejs_20.19.2+dfsg-1+deb13u2_source.buildinfo Files: 2f6ccb9f92e4f6536fb199b0670bc1e3 4410 javascript optional nodejs_20.19.2+dfsg-1+deb13u2.dsc 1ba8a615a4a881221e9e8d136189d381 203392 javascript optional nodejs_20.19.2+dfsg-1+deb13u2.debian.tar.xz bedb9359429bfb0438ebc983d8c37d39 11320 javascript optional nodejs_20.19.2+dfsg-1+deb13u2_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJGBAEBCAAwFiEEA8Tnq7iA9SQwbkgVZhHAXt0583QFAmnC/hoSHGthcG91ZXJA bWVsaXgub3JnAAoJEGYRwF7dOfN0YVsP/13zZxUHjpA4KzzDrfeLq4Dg7N3v/BZB 2BhujHhg77HJFelvSuG9jJp9Hs2d7UsxxfRn+0+eQ0rzSaY/rMWUr+247myYFSVX jmGbGj7nFbO5sLLqDY+d/wTlqU97SV4nMNQGN6/Fdk9KMVuPwIJrU6/bpwMFqEg/ RKO2rTMa/wb8KFak5GylBPYbmRcBOf08loa+MzBxu9q2t/+8DUyiPHQ9w8wmRMsG bgKhcNjzh/+p0sXe0Iz2OOwdLAc4tp64eNFKgPKHNJeN5PzhkTn+ObpTSO9OkJ/m UU1TU4h1YImnQGHw6/pRVedwvkWvPWqshV5QarU8I2K2X8GHFieVUoLr2XWPWsxD nnDhA4xAF9gZmzWi/JjaCb+esbN2mg7mOjRdA8hbtVuV0XLqQsQNQFyxp0THfAHC s1R85nIT2YgaNkh/C/OtsUfWR+WvyQHdwujE4ETMpCocRVbE2zOJ05buaeLOkifL YYVsYeO1uOzyLbivPU3dHcRbFn6jcPoqSMRcLkjJonE6b8mqGJ/wVIvWUhoBRIDg e4MOCLNwzTWG+2TViegtvEfCDpM1WRFhbORYXcYp8zdOJpg3Flo62otuRKlGq4c0 6V1g4VBsiATUvPcFBY7gHxflLN9SZN8BFtMcBM5O3uBfigfwyRm3Sj1aFVBqRwVC babfPpAb+n/N =y8mX -----END PGP SIGNATURE-----