[CLSA-2026:1781612522] Fix CVE(s): CVE-2023-30581, CVE-2023-44487
Type:
security
Severity:
Important
Release date:
2026-06-16 12:22:21 UTC
Description:
  * SECURITY UPDATE: experimental policy bypass via mainModule.__proto__
    - debian/patches/CVE-2023-30581.patch: set the policy-wrapped require on
      Module.prototype and assign process.mainModule via setOwnProperty so
      process.mainModule.__proto__.require() can no longer load modules not
      declared in the policy manifest (backport of nodejs/node d0a8264ec9);
      includes the upstream regression test in
      test/parallel/test-policy-manifest.js adapted for node 12 (new
      policy-manifest fixtures)
    - CVE-2023-30581
  * SECURITY UPDATE: HTTP/2 Rapid Reset denial of service
    - debian/patches/CVE-2023-44487.patch: backport the nghttp2 RST_STREAM
      rate-limit mitigation into bundled deps/nghttp2 (token-bucket limiter,
      default burst 1000 / rate 33, GOAWAY with INTERNAL_ERROR on exhaustion)
      so rapidly reset HTTP/2 streams no longer exhaust server resources
      (backport of nghttp2 72b4af6, shipped in nghttp2 1.57.0)
    - CVE-2023-44487
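
The token-bucket behaviour named in the CVE-2023-44487 entry, modelled as an added example (not code from nghttp2, Node.js or the CloudLinux patch). It assumes one token per RST_STREAM frame and whole-second refill; the struct and function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified token-bucket model; names are illustrative, not nghttp2 source. */
typedef struct {
    uint64_t val, burst, rate; /* tokens left, capacity, tokens regained per second */
    uint64_t tstamp;           /* second of the last refill */
} ratelim;

/* Refill for the seconds elapsed since the last refill, capped at burst. */
static void ratelim_update(ratelim *rl, uint64_t now) {
    if (now <= rl->tstamp || rl->rate == 0) return;
    uint64_t d = now - rl->tstamp;
    rl->tstamp = now;
    if (d > rl->burst / rl->rate) { rl->val = rl->burst; return; } /* avoids overflow */
    rl->val += rl->rate * d;
    if (rl->val > rl->burst) rl->val = rl->burst;
}

/* Spend n tokens; -1 means the budget is exhausted. */
static int ratelim_drain(ratelim *rl, uint64_t n) {
    if (rl->val < n) return -1;
    rl->val -= n;
    return 0;
}

/* Feed per_sec RST_STREAM frames each second for secs seconds (constructed load).
   Returns how many were accepted before the point where the session would be
   closed with GOAWAY, or -1 if the limiter never ran dry. */
long resets_before_goaway(uint64_t per_sec, uint64_t secs) {
    ratelim rl = { 1000, 1000, 33, 0 }; /* burst 1000 / rate 33, as in the advisory */
    long accepted = 0;
    for (uint64_t t = 0; t < secs; t++) {
        ratelim_update(&rl, t);
        for (uint64_t i = 0; i < per_sec; i++) {
            if (ratelim_drain(&rl, 1) != 0) return accepted;
            accepted++;
        }
    }
    return -1;
}

int main(void) {
    printf("33/s for 60s:  %ld\n", resets_before_goaway(33, 60));
    printf("100/s for 60s: %ld\n", resets_before_goaway(100, 60));
    printf("5000/s for 1s: %ld\n", resets_before_goaway(5000, 1));
    return 0;
}
```

A peer that resets streams at or below the refill rate never trips the limiter, while a sustained 100 resets per second drains the burst allowance in the fifteenth second.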
Updated packages:
  • alt-nodejs12-docs_12.22.12-22_amd64.deb
    sha:2fafd9660c1b45b1edd3210eece834ce0a5283d2
  • alt-nodejs12-nodejs_12.22.12-22_amd64.deb
    sha:45b187cf583541ed1dba1b0102114f19f2cefb1c
  • alt-nodejs12-nodejs-devel_12.22.12-22_amd64.deb
    sha:d4c7df8f441cd22930ec56b77f0b47ec95975ed5
  • alt-nodejs12-npm_6.14.16-12.22.12.22_amd64.deb
    sha:707be6b462872cd86af3ba8c900253ce4e0b9641
  • alt-nodejs12-docs_12.22.12-22_arm64.deb
    sha:c0db9769b37f77a87d507e48e50fa642222c1c5f
  • alt-nodejs12-nodejs_12.22.12-22_arm64.deb
    sha:3711d9416b8e6cfc5920432a342e9660bc514a29
  • alt-nodejs12-nodejs-devel_12.22.12-22_arm64.deb
    sha:3fa88499b3c8030c7e34c447ba19dd95108f7898
  • alt-nodejs12-npm_6.14.16-12.22.12.22_arm64.deb
    sha:acc094fd509ff1ed1181b750b8bcae9a2e555ac1
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.