Overview

File _patchinfo of Package patchinfo.39308

<patchinfo incident="39308">
  <issue tracker="bnc" id="1243220">VUL-0: CVE-2025-23167: nodejs: llhttp: improper HTTP header block termination in llhttp</issue>
  <issue tracker="bnc" id="1239949">nodejs22 built without PIE</issue>
  <issue tracker="bnc" id="1243218">VUL-0: CVE-2025-23166: nodejs: improper error handling in async cryptographic operations crashes process</issue>
  <issue tracker="bnc" id="1243217">VUL-0: CVE-2025-23165: nodejs: corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo&lt;Value&gt;&amp; args) when args[0] is a string</issue>
  <issue tracker="cve" id="2025-23166"/>
  <issue tracker="cve" id="2025-23167"/>
  <issue tracker="cve" id="2025-23165"/>
  <packager>adamm</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for nodejs20</summary>
  <description>This update for nodejs20 fixes the following issues:

Update to 20.19.2:

- CVE-2025-23166: improper error handling in async cryptographic operations crashes process (bsc#1243218).
- CVE-2025-23167: improper HTTP header block termination in llhttp (bsc#1243220).
- CVE-2025-23165: add missing call to uv_fs_req_cleanup (bsc#1243217).

Other bugfixes:

- Build with PIE (bsc#1239949)
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places