Release date: 2026-06-12 09:05:37 UTC
Description:
* SECURITY UPDATE: memory leak in Node.js OpenSSL integration (CVE-2025-59464)
  - X509Name::Iterator::operator*() allocated a UTF-8 buffer via
    ASN1_STRING_to_UTF8() for each X.509 name field and returned without
    freeing it; reachable from JS via socket.getPeerCertificate(true), a
    remote peer opening repeated TLS connections drives unbounded memory
    growth -> remote Denial of Service
  - debian/patches/CVE-2025-59464.patch: copy the converted buffer into a
    local std::string and OPENSSL_free() it before returning (matches the
    upstream fix present in node >= 24.12.0; 23.x is EOL with no upstream
    release carrying it)
  - CVE-2025-59464
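
The leak and the fix described above, as an added example (not the Node.js source and not the contents of debian/patches/CVE-2025-59464.patch). It does not link OpenSSL: to_utf8_standin() and free_standin() are hypothetical stand-ins that only mimic the "callee allocates, caller frees" contract of ASN1_STRING_to_UTF8() and OPENSSL_free(), and the name fields are constructed sample values.

```cpp
// Added illustration: to_utf8_standin()/free_standin() are hypothetical stand-ins
// for the ASN1_STRING_to_UTF8()/OPENSSL_free() contract (callee allocates, caller frees).
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <set>
#include <string>
static std::set<unsigned char*> g_live;  // buffers handed out and not yet freed

static int to_utf8_standin(unsigned char** out, const char* field) {
  size_t n = std::strlen(field);
  *out = static_cast<unsigned char*>(std::malloc(n + 1));
  if (*out == nullptr) return -1;
  std::memcpy(*out, field, n + 1);
  g_live.insert(*out);
  return static_cast<int>(n);
}
static void free_standin(unsigned char* p) { if (g_live.erase(p)) std::free(p); }

// Leaky shape: the converted buffer is copied out and then dropped without a free.
static std::string read_leaky(const char* field) {
  unsigned char* buf = nullptr;
  int len = to_utf8_standin(&buf, field);
  if (len < 0) return {};
  return std::string(reinterpret_cast<char*>(buf), static_cast<size_t>(len));
}

// Fixed shape: copy into a local std::string, free the buffer, then return.
static std::string read_fixed(const char* field) {
  unsigned char* buf = nullptr;
  int len = to_utf8_standin(&buf, field);
  if (len < 0) return {};
  std::string value(reinterpret_cast<char*>(buf), static_cast<size_t>(len));
  free_standin(buf);
  return value;
}

// Read every name field once per simulated connection; return buffers still live.
static long outstanding_after(std::string (*reader)(const char*), int conns) {
  const char* fields[] = {"CN=peer.example", "O=Constructed Org", "C=XX"};  // constructed
  for (int c = 0; c < conns; ++c)
    for (const char* f : fields) (void)reader(f);
  long live = static_cast<long>(g_live.size());
  while (!g_live.empty()) free_standin(*g_live.begin());  // reclaim so the demo exits clean
  return live;
}

int main() {
  std::printf("leaky: %ld live buffers\n", outstanding_after(read_leaky, 1000));
  std::printf("fixed: %ld live buffers\n", outstanding_after(read_fixed, 1000));
}
```

The leaky variant leaves one buffer per name field per connection, which is why growth scales with the number of TLS connections a peer opens.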
Updated packages:
- alt-nodejs23-docs_23.11.1-15_amd64.deb
  sha:fa08ee055ace441cea1b45906204a8929b271dde
- alt-nodejs23-nodejs_23.11.1-15_amd64.deb
  sha:c0af823016d2a06c612fe947b5305f0fe66c1e99
- alt-nodejs23-nodejs-devel_23.11.1-15_amd64.deb
  sha:316010368440c5ee97e45ed7aeb0a3765c01fc66
- alt-nodejs23-npm_10.9.2-23.11.1.15_amd64.deb
  sha:4fe2124ff3f82dab672e9e5288267a57513a173d
- alt-nodejs23-docs_23.11.1-15_arm64.deb
  sha:6d12232f7ad5c062881c60360d344a4cade507b4
- alt-nodejs23-nodejs_23.11.1-15_arm64.deb
  sha:c60c1df89f708d51c54105e731eab4b1fef2053e
- alt-nodejs23-nodejs-devel_23.11.1-15_arm64.deb
  sha:a798841ce0bec69b1493f51b0ca6e65e6a58238d
- alt-nodejs23-npm_10.9.2-23.11.1.15_arm64.deb
  sha:453d67b37f973a6380bbd7b468a1075d6a78db64
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.