Changelog
nodejs (18.13.0+dfsg1-1.1) unstable; urgency=medium
* Non-maintainer upload.
* Adapt testsuite failures in test-crypto-dh since OpenSSL 3.0.12/3.1.4
(Closes: #1055416).
* Adapt testsuite failures due to TLSv < 1.1 available only at seclevel 0
(Closes: #1052470).
* CVE-2023-23919 (Node.js OpenSSL error handling issues in nodejs crypto
library). (Closes: #1031834).
* CVE-2023-23920 (Node.js insecure loading of ICU data through ICU_DATA
environment variable) (Closes: #1031834).
* CVE-2023-30590 (DiffieHellman does not generate keys after setting a private
key) (Closes: #1039990).
* CVE-2023-30589 (HTTP Request Smuggling via Empty headers separated by CR)
(Closes: #1039990).
* CVE-2023-30588 (Process interruption due to invalid Public Key information
in x509 certificates) (Closes: #1039990).
* CVE-2023-32559 (Permissions policies can be bypassed via process.binding)
(Closes: #1050739).
* CVE-2023-30581 (mainModule.proto bypass experimental policy mechanism)
(Closes: #1039990).
* CVE-2023-32002 (Permissions policies can be bypassed via Module._load)
(Closes: #1050739).
* CVE-2023-32006 (Permissions policies can impersonate other modules in
using module.constructor.createRequire()) (Closes: #1050739).
* CVE-2023-38552 (Integrity checks according to policies can be
circumvented) (Closes: #1054892).
* CVE-2023-39333 (Code injection via WebAssembly export names)
(Closes: #1054892).
-- Sebastian Andrzej Siewior <email address hidden> Wed, 22 Nov 2023 18:15:44 +0100