[SECURITY] [DLA 4598-1] nodejs security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4598-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
May 24, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : nodejs
Version : 12.22.12~dfsg-1~deb11u8
CVE ID : CVE-2025-59465 CVE-2026-21637 CVE-2026-21714
Multiple vulnerabilities were discovered in Node.js, which could result
in denial of service or information disclosure.
For Debian 11 bullseye, these problems have been fixed in version
12.22.12~dfsg-1~deb11u8.
We recommend that you upgrade your nodejs packages.
For the detailed security status of nodejs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nodejs
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1732-1 gnutls28 security update (by )
Package : gnutls28
Version : 3.5.8-5+deb9u11 (stretch), 3.6.7-4+deb10u16 (buster)
Related CVEs :
CVE-2026-3833
CVE-2026-5260
CVE-2026-33845
CVE-2026-33846
CVE-2026-42009
CVE-2026-42011
CVE-2026-42012
CVE-2026-42013
CVE-2026-42014
CVE-2026-42015
CVE-2026-3833
Oleh Konko and Joshua Rogers independently discovered that domain
name comparison during name constraints processing was
case-sensitive, thereby violating RFC 5280 §7.2.
For excluded name constraints, this could lead to incorrectly
accepting domain names that should’ve been rejected.
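The following is an added illustration, not GnuTLS code, of the comparison rule this issue concerns: a dNSName constraint check that compares case-insensitively as RFC 5280 section 7.2 requires, with a `case_sensitive` switch that reproduces the flawed byte-exact behaviour so the difference can be observed. The helper names, the label-boundary rule and the sample constraints are assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive ASCII equality over n bytes: DNS names are compared
 * case-insensitively (RFC 5280 section 7.2). */
static bool ascii_eq_ci(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Is `name` within the dNSName constraint `constraint`?  A constraint
 * "example.com" covers example.com itself and any subdomain, and the match
 * must sit on a label boundary so "notexample.com" stays outside it.
 * `case_sensitive` selects a byte-exact comparison, i.e. the flawed
 * behaviour described in the advisory. */
bool dns_in_constraint(const char *name, const char *constraint, bool case_sensitive)
{
    size_t nlen = strlen(name), clen = strlen(constraint);
    if (clen == 0) return true;          /* empty constraint covers all names */
    if (nlen < clen) return false;
    const char *tail = name + (nlen - clen);
    bool eq = case_sensitive ? memcmp(tail, constraint, clen) == 0
                             : ascii_eq_ci(tail, constraint, clen);
    if (!eq) return false;
    return nlen == clen || name[nlen - clen - 1] == '.';
}

/* Apply a name-constraints pair: excluded subtrees always win, and when any
 * permitted subtrees are present the name must fall inside one of them. */
bool dns_name_passes(const char *name,
                     const char *const *permitted, size_t n_permitted,
                     const char *const *excluded, size_t n_excluded,
                     bool case_sensitive)
{
    for (size_t i = 0; i < n_excluded; i++)
        if (dns_in_constraint(name, excluded[i], case_sensitive))
            return false;
    if (n_permitted == 0) return true;
    for (size_t i = 0; i < n_permitted; i++)
        if (dns_in_constraint(name, permitted[i], case_sensitive))
            return true;
    return false;
}

/* Constructed samples: one excluded subtree, one permitted subtree. */
static const char *const excluded_sample[]  = { "example.com" };
static const char *const permitted_sample[] = { "corp.example" };

int main(void)
{
    const char *name = "WWW.EXAMPLE.COM";
    printf("%s, byte-exact comparison: %s\n", name,
           dns_name_passes(name, NULL, 0, excluded_sample, 1, true) ? "accepted" : "rejected");
    printf("%s, RFC 5280 comparison:   %s\n", name,
           dns_name_passes(name, NULL, 0, excluded_sample, 1, false) ? "accepted" : "rejected");
    return 0;
}
```

With the byte-exact comparison the upper-case name slips past the excluded subtree; with the case-insensitive comparison it is rejected, which is the outcome the fix restores.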
CVE-2026-5260
Joshua Rogers discovered that for a server using an RSA key backed
by a PKCS#11 token, a client sending an extremely short premaster
secret during an RSA key exchange could trigger a short heap
overread.
This vulnerability does not affect the GnuTLS version found in
stretch (or any version prior to 3.6.5).
CVE-2026-33845
Joshua Rogers discovered a remotely triggerable underflow in the DTLS
reassembly code leading to a heap overrun.
CVE-2026-33846
Haruto Kimura, Oscar Reparaz and Zou Dikai independently discovered
that GnuTLS failed to properly check that DTLS fragments claimed a
consistent message_length value, and that a bound check on the
array was missing, enabling an attacker to cause a heap overwrite.
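An added example, not GnuTLS's reassembly code, of the two checks the DTLS issues above (CVE-2026-33845 and CVE-2026-33846) are about: every fragment must carry the same message_length as the first one, and offset plus length must be bounded against that value in an order that cannot underflow. The struct layout, the 2048-byte limit and the sample fragments are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed upper bound on a reassembled handshake message. */
#define DTLS_MAX_HANDSHAKE 2048

/* The fragment-header fields that matter for reassembly. */
struct dtls_fragment {
    uint32_t message_length;
    uint32_t fragment_offset;
    uint32_t fragment_length;
    const uint8_t *data;
};

struct reassembly {
    bool started;
    uint32_t message_length;              /* fixed by the first fragment */
    uint32_t bytes_covered;
    uint8_t covered[DTLS_MAX_HANDSHAKE];  /* 1 once a byte has been received */
    uint8_t buf[DTLS_MAX_HANDSHAKE];
};

void reassembly_init(struct reassembly *r) { memset(r, 0, sizeof *r); }

/* Returns 1 when the message is complete, 0 when more fragments are needed,
 * -1 when the fragment is rejected. */
int reassembly_add(struct reassembly *r, const struct dtls_fragment *f)
{
    if (!r->started) {
        if (f->message_length > DTLS_MAX_HANDSHAKE) return -1;
        r->started = true;
        r->message_length = f->message_length;
    } else if (f->message_length != r->message_length) {
        return -1;   /* every fragment must claim the same message_length */
    }
    /* Test the offset before subtracting so the remaining-room computation
     * cannot underflow, then test the length against that room. */
    if (f->fragment_offset > r->message_length) return -1;
    if (f->fragment_length > r->message_length - f->fragment_offset) return -1;

    for (uint32_t i = 0; i < f->fragment_length; i++) {
        uint32_t pos = f->fragment_offset + i;   /* < message_length <= DTLS_MAX_HANDSHAKE */
        if (!r->covered[pos]) { r->covered[pos] = 1; r->bytes_covered++; }
        r->buf[pos] = f->data[i];
    }
    return r->bytes_covered == r->message_length ? 1 : 0;
}

/* Convenience wrapper: build a fragment from a C string (constructed input). */
int feed(struct reassembly *r, uint32_t message_length, uint32_t offset, const char *bytes)
{
    struct dtls_fragment f = { message_length, offset, (uint32_t)strlen(bytes),
                               (const uint8_t *)bytes };
    return reassembly_add(r, &f);
}

int main(void)
{
    struct reassembly r;
    reassembly_init(&r);
    printf("first half:           %d\n", feed(&r, 11, 0, "hello "));
    printf("wrong message_length: %d\n", feed(&r, 99, 6, "world"));
    printf("past the end:         %d\n", feed(&r, 11, 8, "world"));
    printf("second half:          %d\n", feed(&r, 11, 6, "world"));
    printf("message: %.11s\n", (const char *)r.buf);
    return 0;
}
```

Rejected fragments leave the buffer untouched, so a peer cannot move the write position beyond the space reserved for the message, and the coverage map means out-of-order or duplicated fragments complete the message without double counting.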
CVE-2026-42009
Joshua Rogers discovered that the comparator function used for
ordering DTLS packets by sequence numbers did not follow qsort
comparator contracts in case of packets with duplicate sequence
numbers, which could lead to undefined behaviour.
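An added example (not GnuTLS code) of the qsort contract this issue concerns. A comparator must return 0 for equal keys and give opposite signs when its arguments are swapped; `seq_cmp_broken` is a constructed comparator that returns 1 for equal sequence numbers, which is the kind of contract violation the advisory describes, and `cmp_is_consistent` checks any comparator against the contract over a constructed record set.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct dtls_record { uint64_t seq; unsigned payload_id; };

/* Correct comparator: three-way result, 0 for duplicates, no subtraction
 * (a->seq - b->seq would wrap for unsigned values and truncate to int). */
int seq_cmp(const void *pa, const void *pb)
{
    const struct dtls_record *a = pa, *b = pb;
    if (a->seq < b->seq) return -1;
    if (a->seq > b->seq) return 1;
    return 0;
}

/* Constructed illustration of a contract violation: equal keys yield 1 in
 * both argument orders, so cmp(a,b) and cmp(b,a) are both positive. */
int seq_cmp_broken(const void *pa, const void *pb)
{
    const struct dtls_record *a = pa, *b = pb;
    return a->seq < b->seq ? -1 : 1;
}

static int sgn(int v) { return (v > 0) - (v < 0); }

/* Check reflexivity and antisymmetry of `cmp` over every pair in recs. */
bool cmp_is_consistent(int (*cmp)(const void *, const void *),
                       const struct dtls_record *recs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (cmp(&recs[i], &recs[i]) != 0) return false;
        for (size_t j = 0; j < n; j++)
            if (sgn(cmp(&recs[i], &recs[j])) != -sgn(cmp(&recs[j], &recs[i])))
                return false;
    }
    return true;
}

/* Constructed records with duplicate sequence numbers (5 and 2 repeat). */
static const struct dtls_record sample_records[] = {
    {5, 0}, {2, 1}, {5, 2}, {1, 3}, {2, 4}, {7, 5}
};
#define SAMPLE_COUNT (sizeof sample_records / sizeof sample_records[0])

/* Sort a copy of the samples with `cmp`; true if the result is non-decreasing. */
bool sort_sample_sorted(int (*cmp)(const void *, const void *))
{
    struct dtls_record copy[SAMPLE_COUNT];
    memcpy(copy, sample_records, sizeof copy);
    qsort(copy, SAMPLE_COUNT, sizeof copy[0], cmp);
    for (size_t i = 1; i < SAMPLE_COUNT; i++)
        if (copy[i - 1].seq > copy[i].seq) return false;
    return true;
}

int main(void)
{
    printf("seq_cmp consistent:        %d\n", cmp_is_consistent(seq_cmp, sample_records, SAMPLE_COUNT));
    printf("seq_cmp_broken consistent: %d\n", cmp_is_consistent(seq_cmp_broken, sample_records, SAMPLE_COUNT));
    printf("sorted with seq_cmp:       %d\n", sort_sample_sorted(seq_cmp));
    return 0;
}
```

The broken comparator may still appear to sort correctly on a given libc, which is why the advisory speaks of undefined behaviour rather than a fixed symptom; the pairwise consistency check is a cheap unit test to catch such comparators before qsort is ever handed one.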
CVE-2026-42010
Joshua Rogers discovered that servers configured with RSA-PSK
wrongfully matched usernames with NUL character in them to ones
truncated to NUL character, which could lead to an authentication
bypass.
CVE-2026-42011
Haruto Kimura discovered that permitted name constraints were
wrongfully ignored when prior CAs only had excluded name
constraints, resulting in a name constraint bypass.
CVE-2026-42012
Oleh Konko discovered that certificates containing URI or SRV
Subject Alternative Names would fall back to checking DNS hostnames
against Common Name, thereby violating RFC 6125 §6.3. This could
allow potential misuse of such certificates beyond their original
purpose.
Note: This is a breaking change for setups relying on non
RFC6125-compliant behavior such as unconditional CN
fallback or CN fallback with unsupported SAN type.
CVE-2026-42013
Haruto Kimura and Joshua Rogers independently discovered that
validation of certificates with oversized Subject Alternative Names
would fall back to checking DNS hostnames against Common Name.
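An added example, not GnuTLS code, of the RFC 6125 section 6.3 ordering that CVE-2026-42012 and CVE-2026-42013 both concern: the Common Name is consulted only when the certificate has no DNS, SRV or URI subject alternative name, and a SAN extension that could not be decoded is a verification failure rather than a reason to fall back. `verify_hostname_legacy` is a constructed illustration of the unconditional fallback. The struct layout, the sample certificates and the omission of wildcard handling are assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum san_type { SAN_DNS, SAN_URI, SAN_SRV, SAN_EMAIL };

struct san { enum san_type type; const char *value; };

struct cert_names {
    const char *cn;             /* subject Common Name, NULL if absent */
    const struct san *sans;
    size_t n_sans;
    bool san_undecodable;       /* SAN extension present but could not be parsed */
};

/* Case-insensitive ASCII string equality, as hostnames are compared. */
static bool ascii_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

/* RFC 6125 treats DNS-ID, SRV-ID and URI-ID as the identifier types whose
 * presence rules out the CN fallback. */
static bool san_identifier_present(const struct cert_names *c)
{
    for (size_t i = 0; i < c->n_sans; i++)
        if (c->sans[i].type == SAN_DNS || c->sans[i].type == SAN_SRV ||
            c->sans[i].type == SAN_URI)
            return true;
    return false;
}

/* Exact DNS-ID match only; wildcard handling is outside this example. */
static bool dns_san_matches(const struct cert_names *c, const char *host)
{
    for (size_t i = 0; i < c->n_sans; i++)
        if (c->sans[i].type == SAN_DNS && ascii_ieq(c->sans[i].value, host))
            return true;
    return false;
}

/* Hardened check: no fallback when the SAN could not be decoded, and no
 * fallback when any DNS/SRV/URI identifier is present. */
bool verify_hostname(const struct cert_names *c, const char *host)
{
    if (c->san_undecodable) return false;
    if (san_identifier_present(c)) return dns_san_matches(c, host);
    return c->cn != NULL && ascii_ieq(c->cn, host);
}

/* Constructed illustration of the legacy behaviour: the CN is consulted
 * whenever no DNS-ID matched, regardless of what else the SAN holds. */
bool verify_hostname_legacy(const struct cert_names *c, const char *host)
{
    if (dns_san_matches(c, host)) return true;
    return c->cn != NULL && ascii_ieq(c->cn, host);
}

/* Constructed sample certificates. */
static const struct san uri_only_sans[] = { { SAN_URI, "https://example.com/svc" } };
static const struct san dns_sans[] = { { SAN_DNS, "www.example.com" }, { SAN_DNS, "example.com" } };
const struct cert_names cert_uri_only = { "example.com", uri_only_sans, 1, false };
const struct cert_names cert_dns      = { "other.example", dns_sans, 2, false };
const struct cert_names cert_cn_only  = { "example.com", NULL, 0, false };
const struct cert_names cert_bad_san  = { "example.com", NULL, 0, true };

int main(void)
{
    printf("URI-only SAN, CN=example.com:    hardened=%d legacy=%d\n",
           verify_hostname(&cert_uri_only, "example.com"),
           verify_hostname_legacy(&cert_uri_only, "example.com"));
    printf("undecodable SAN, CN=example.com: hardened=%d legacy=%d\n",
           verify_hostname(&cert_bad_san, "example.com"),
           verify_hostname_legacy(&cert_bad_san, "example.com"));
    return 0;
}
```

Deployments that relied on the legacy path will see `verify_hostname` fail for certificates whose only name is the CN alongside a URI or SRV SAN, which is the breaking change the advisory notes; reissuing such certificates with a DNS SAN is the fix on the certificate side.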
CVE-2026-42014
Luigino Camastra and Joshua Rogers discovered that changing the
Security Officer PIN with gnutls_pkcs11_token_set_pin() with
oldpin == NULL for a token lacking a protected authentication path
led to a use-after-free.
This vulnerability does not affect the GnuTLS version found in
stretch (or any version prior to 3.6.5).
This update also fixes additional security issues for which no CVE ID
was assigned yet:
Joshua Rogers discovered that the OCSP signing EKU OID was compared
without verifying its length, allowing a shorter OID that shares the
same prefix to match.
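The RSA-PSK username issue (CVE-2026-42010) and the OCSP signing EKU OID issue above are the same defect class: a comparison that does not take the full length of both operands into account. The added example below, not GnuTLS code, shows each flawed comparison beside a length-aware one. The function names, the use of strcmp and of a prefix-only memcmp as stand-ins for the flaws, and the shorter sample OID are constructed for the example; the DER bytes of id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) are the standard encoding.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Equal only when both the lengths and every byte agree. */
bool bytes_eq(const unsigned char *a, size_t alen, const unsigned char *b, size_t blen)
{
    return alen == blen && (alen == 0 || memcmp(a, b, alen) == 0);
}

/* --- PSK identities --- */

/* Constructed illustration of the defect: strcmp stops at the first NUL,
 * so a provided identity "alice\0..." compares equal to the stored "alice". */
bool username_match_strcmp(const unsigned char *provided, size_t plen, const char *stored)
{
    (void)plen;
    return strcmp((const char *)provided, stored) == 0;
}

/* Hardened: the provided identity is compared with its explicit length. */
bool username_match_len(const unsigned char *provided, size_t plen, const char *stored)
{
    return bytes_eq(provided, plen, (const unsigned char *)stored, strlen(stored));
}

/* --- OIDs --- */

/* DER content octets of id-kp-OCSPSigning, 1.3.6.1.5.5.7.3.9. */
static const unsigned char OID_OCSP_SIGNING[] = { 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x09 };
/* Constructed shorter OID sharing the prefix: id-kp, 1.3.6.1.5.5.7.3. */
const unsigned char OID_ID_KP[] = { 0x2B,0x06,0x01,0x05,0x05,0x07,0x03 };

/* Constructed illustration of the defect: only the bytes both sides have
 * are compared, so any prefix of the expected OID matches. */
bool oid_is_ocsp_signing_prefix_only(const unsigned char *oid, size_t len)
{
    size_t n = len < sizeof OID_OCSP_SIGNING ? len : sizeof OID_OCSP_SIGNING;
    return memcmp(oid, OID_OCSP_SIGNING, n) == 0;
}

/* Hardened: lengths must agree before the bytes are compared. */
bool oid_is_ocsp_signing(const unsigned char *oid, size_t len)
{
    return bytes_eq(oid, len, OID_OCSP_SIGNING, sizeof OID_OCSP_SIGNING);
}

int main(void)
{
    const unsigned char crafted[] = "alice\0evil";   /* 10 identity bytes plus terminator */
    printf("username strcmp: %d  length-aware: %d\n",
           username_match_strcmp(crafted, 10, "alice"),
           username_match_len(crafted, 10, "alice"));
    printf("id-kp prefix-only: %d  exact: %d\n",
           oid_is_ocsp_signing_prefix_only(OID_ID_KP, sizeof OID_ID_KP),
           oid_is_ocsp_signing(OID_ID_KP, sizeof OID_ID_KP));
    return 0;
}
```

Both hardened functions go through the same `bytes_eq`, which is the point: wherever a protocol or encoding carries an explicit length, that length belongs in the comparison, not just the bytes before the first NUL or the bytes up to the shorter operand.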
Haruto Kimura discovered a possible invalid pointer dereference in
the PKCS#11 trust removal error path.
Kamil Frankowicz discovered that gnutls_privkey_verify_params()
overlooked the scenario of p and q not being co-prime. It now
returns GNUTLS_E_PK_INVALID_PRIVKEY in this case.
Joshua Rogers discovered that if gnutls_x509_crt_list_import_pkcs11()
failed partway through, then the trust list cleanup code would try
to free already-deinitialized certificate entries, leading to a
double-free.
Kamil Frankowicz and Joshua Rogers independently discovered that
insufficient bounds checking on the PEM header length could lead to
short heap overreads on specially crafted inputs.