Release date:
2026-06-12 13:31:01 UTC
Description:
* SECURITY UPDATE: memory leak in Node.js OpenSSL integration (CVE-2025-59464)
  - X509Name::Iterator::operator*() allocated a UTF-8 buffer via
    ASN1_STRING_to_UTF8() for each X.509 name field and returned without
    freeing it. The path is reachable from JS via
    socket.getPeerCertificate(true), so a remote peer opening repeated TLS
    connections drives unbounded memory growth, leading to remote Denial of
    Service
  - debian/patches/CVE-2025-59464.patch: copy the converted buffer into a
    local std::string and OPENSSL_free() it before returning (matches the
    upstream fix present in node >= 24.12.0; 23.x is EOL with no upstream
    release carrying it)
  - CVE-2025-59464
Updated packages:
- alt-nodejs23-docs_23.11.1-15_amd64.deb sha:fa08ee055ace441cea1b45906204a8929b271dde
- alt-nodejs23-nodejs_23.11.1-15_amd64.deb sha:72cc2fa9be3a7b5ea2670da7a78a071226163259
- alt-nodejs23-nodejs-devel_23.11.1-15_amd64.deb sha:ee01ce9ce2710f1fc262b7b2aead4ed2eec515fb
- alt-nodejs23-npm_10.9.2-23.11.1.15_amd64.deb sha:4fe2124ff3f82dab672e9e5288267a57513a173d
- alt-nodejs23-docs_23.11.1-15_arm64.deb sha:6d12232f7ad5c062881c60360d344a4cade507b4
- alt-nodejs23-nodejs_23.11.1-15_arm64.deb sha:1cadd6a1c3743d821444b463d33321d25173465d
- alt-nodejs23-nodejs-devel_23.11.1-15_arm64.deb sha:74765bd748fe83d08f9473854bb446de8ed101c1
- alt-nodejs23-npm_10.9.2-23.11.1.15_arm64.deb sha:453d67b37f973a6380bbd7b468a1075d6a78db64
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.