-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Thu, 18 Jun 2026 12:53:48 +0200 Source: nodejs Architecture: source Version: 24.17.0+dfsg+~cs24.13.2-1 Distribution: unstable Urgency: medium Maintainer: Debian Javascript Maintainers <[email protected]> Changed-By: Jérémy Lal <[email protected]> Changes: nodejs (24.17.0+dfsg+~cs24.13.2-1) unstable; urgency=medium . * New upstream version 24.17.0+dfsg+~cs24.13.2 This release addresses the following vulnerabilities: + CVE-2026-48930: dns,net: reject hostnames with embedded NUL bytes + CVE-2026-48931: http: fix response queue poisoning in http.Agent + CVE-2026-48619: http2: cap originSet size to prevent unbounded memory growth + CVE-2026-48615: lib,test: redact proxy credentials in tunnel errors + CVE-2026-48935: permission: disable FileHandle utimes with permission model + CVE-2026-48617: permission: handle process.chdir on writereport + CVE-2026-48934: tls: bind reusable sessions to authenticated host + CVE-2026-48928: tls: fix case-sensitive SNI context matching + CVE-2026-48618: tls: normalize hostname for server identity checks * Reenable nghttp tests, as this release supports latest version. Checksums-Sha1: 466405664d3fae385015b21ef36aa9ca194bc5c2 4587 nodejs_24.17.0+dfsg+~cs24.13.2-1.dsc 81f71df0adfc58c21b9f7bb5eeed7091853b79a1 340352 nodejs_24.17.0+dfsg+~cs24.13.2.orig-types-node.tar.xz 0e7a7b39357127782101b1a8437b61f4148713cb 23125400 nodejs_24.17.0+dfsg+~cs24.13.2.orig.tar.xz 946fa690b78d8c8f03ca986992a512c888fa53ea 163252 nodejs_24.17.0+dfsg+~cs24.13.2-1.debian.tar.xz 38842675af77221f95383026e38d038c6fd07d52 11633 nodejs_24.17.0+dfsg+~cs24.13.2-1_source.buildinfo Checksums-Sha256: 653ee6f7d38edf78e951994b4c077d8b307fa00663dfb372553972d2f2d6c7fa 4587 nodejs_24.17.0+dfsg+~cs24.13.2-1.dsc f5285177d503800627fb7d28552120ac070f2b15a86fc08f75fed51235ab497b 340352 nodejs_24.17.0+dfsg+~cs24.13.2.orig-types-node.tar.xz 9367d57733283a7c98b364776372dde57f11922ac614fca17e02af057f60efcf 23125400 nodejs_24.17.0+dfsg+~cs24.13.2.orig.tar.xz c21bc80b7ac04cae8b50af783b546f6b5ab06c73faf5f660b3cc2675b6ea79d4 163252 nodejs_24.17.0+dfsg+~cs24.13.2-1.debian.tar.xz 1ca40624b0ad3d424a3ab4115df0a63720c433bc1c21e6b648fabf402163bf55 11633 nodejs_24.17.0+dfsg+~cs24.13.2-1_source.buildinfo Files: 4fa85498ddfb4f8f3448390255763043 4587 javascript optional nodejs_24.17.0+dfsg+~cs24.13.2-1.dsc 8512c52aa1e65320e4cefc03e4543e2d 340352 javascript optional nodejs_24.17.0+dfsg+~cs24.13.2.orig-types-node.tar.xz 04731c40662e8e1f23e161736ccb9443 23125400 javascript optional nodejs_24.17.0+dfsg+~cs24.13.2.orig.tar.xz e2be47cc0c90e81a2288b59c0ced8960 163252 javascript optional nodejs_24.17.0+dfsg+~cs24.13.2-1.debian.tar.xz f4c79595a9b1c10d36cd5939a1455e19 11633 javascript optional nodejs_24.17.0+dfsg+~cs24.13.2-1_source.buildinfo
-----BEGIN PGP SIGNATURE----- iQJGBAEBCAAwFiEEA8Tnq7iA9SQwbkgVZhHAXt0583QFAmozzzUSHGthcG91ZXJA bWVsaXgub3JnAAoJEGYRwF7dOfN0/O0P/AuRBrvYSR/xbdTitKQeZF22Nyy65aBp 9jsmeREf2YkNA2NuSIwhAuGJ85CDfTNAi56vjMR1X7DF9SXl64A4z/3mtlhF33T9 l5bsjG8TjuOFDijfRI+bBNrocjBnYqmF/U+eCgGLOaHnlJjnr2swrLjJkiA8hPCs AVR6ep5X6beRf8MdCWRvB0CfgzLz+wvrxmolpv3d49P+Zy7MLFF81jvvwKHbgJwV uxzTph4iu9SWpS8Uzo3cLZrrIQcBRLt6WvKodx4nwPid6XX80NIfj+ikACp1Lfbb qGQ/2ixyR6G2JOV0XzRLQuM/NgRWITO2Z+AWJNS0DVYn9uQtRr+SwzUbTLt4TI7t RjZo/kmOOoH6SLYlwA4hLLokLTe2j3mgOM3lFOMaE2tj/Wgt0yFEyPPlBGCdiKzv 6fbUJPy2QEVcNfYQBhptru4wHpROAZpOC1U7MtUgsGqWxzZsgbaRBTR4guEv4ozn t3zTMuJsP3QP8vUSgMJFKe734Dot4bQOANkwPFVRUL216zaSnodin6I0wGQ498nh vfO/FTpN/VE+p9jParpQSCk2NTDCq1ZCqXsRasyBN1ltMrzGz14fKdj+pMWpHTkn ggJtgQUMcPT+aWFTQ0/coNgpIdn5389NXqZI7pyl28//QTKz43EJnLb3u6Z9IIBt NYoKsn2rcTOA =1VCt -----END PGP SIGNATURE-----
pgpqIwFBk9PZ7.pgp
Description: PGP signature
