ea-nodejs20 (20.20.0-1+1.1.cpanel) stable; urgency=low

  * EA-13314: Update ea-nodejs20 from v20.19.6 to v20.20.0
  * CVE-2025-55132 - HTTP Request Smuggling vulnerability in permission model
  * CVE-2025-59465 - TLSSocket default error handler vulnerability

 -- Cory McIntire <cory.mcintire@webpros.com>  Tue, 13 Jan 2026 00:00:00 -0000

ea-nodejs20 (20.19.6-1) stable; urgency=low

  * EA-13278: Update ea-nodejs20 from v20.19.5 to v20.19.6

 -- Cory McIntire <cory.mcintire@webpros.com>  Tue, 25 Nov 2025 00:00:00 -0000

ea-nodejs20 (20.19.5-1) stable; urgency=low

  * EA-13087: Update ea-nodejs20 from v20.19.4 to v20.19.5

 -- Cory McIntire <cory.mcintire@webpros.com>  Wed, 03 Sep 2025 00:00:00 -0000

ea-nodejs20 (20.19.4-1) stable; urgency=low

  * EA-13026: Update ea-nodejs20 from v20.19.3 to v20.19.4
  * (CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()

 -- Cory McIntire <cory.mcintire@webpros.com>  Tue, 15 Jul 2025 00:00:00 -0000

ea-nodejs20 (20.19.3-1) stable; urgency=low

  * EA-12943: Update ea-nodejs20 from v20.19.2 to v20.19.3

 -- Cory McIntire <cory.mcintire@webpros.com>  Thu, 26 Jun 2025 00:00:00 -0000

ea-nodejs20 (20.19.2-1) stable; urgency=low

  * EA-12866: Update ea-nodejs20 from v20.19.1 to v20.19.2
  * Improper error handling in async cryptographic operations crashes process (CVE-2025-23166) - (high)
  * Improper HTTP header block termination in llhttp (CVE-2025-23167) - (medium)
  * Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string. (CVE-2025-23165) - (low)

 -- Cory McIntire <cory.mcintire@webpros.com>  Wed, 14 May 2025 00:00:00 -0000

ea-nodejs20 (20.19.1-1) stable; urgency=low

  * EA-12831: Update ea-nodejs20 from v20.19.0 to v20.19.1

 -- Cory McIntire <cory.mcintire@webpros.com>  Thu, 24 Apr 2025 00:00:00 -0000

ea-nodejs20 (20.19.0-1) stable; urgency=low

  * EA-12771: Update ea-nodejs20 from v20.18.3 to v20.19.0

 -- Cory McIntire <cory.mcintire@webpros.com>  Thu, 13 Mar 2025 00:00:00 -0000

ea-nodejs20 (20.18.3-1) stable; urgency=low

  * EA-12692: Update ea-nodejs20 from v20.18.2 to v20.18.3

 -- Cory McIntire <cory.mcintire@webpros.com>  Mon, 10 Feb 2025 00:00:00 -0000

ea-nodejs20 (20.18.2-1) stable; urgency=low

  * EA-12663: Update ea-nodejs20 from v20.18.1 to v20.18.2
  * Worker permission bypass via InternalWorker leak in diagnostics (CVE-2025-23083) - (high)
  * GOAWAY HTTP/2 frames cause memory leak outside heap (CVE-2025-23085) - (medium)
  * Path traversal by drive name in Windows environment (CVE-2025-23084) - (medium)

 -- Cory McIntire <cory@cpanel.net>  Tue, 21 Jan 2025 00:00:00 -0000

ea-nodejs20 (20.18.1-1) stable; urgency=low

  * EA-12565: Update ea-nodejs20 from v20.18.0 to v20.18.1

 -- Cory McIntire <cory@cpanel.net>  Wed, 20 Nov 2024 00:00:00 -0000

ea-nodejs20 (20.18.0-1) stable; urgency=low

  * EA-12444: Update ea-nodejs20 from v20.17.0 to v20.18.0

 -- Cory McIntire <cory@cpanel.net>  Thu, 03 Oct 2024 00:00:00 -0000

ea-nodejs20 (20.17.0-1) stable; urgency=low

  * EA-12348: Update ea-nodejs20 from v20.16.0 to v20.17.0

 -- Cory McIntire <cory@cpanel.net>  Wed, 21 Aug 2024 00:00:00 -0000

ea-nodejs20 (20.16.0-1) stable; urgency=low

  * EA-12306: Update ea-nodejs20 from v20.15.1 to v20.16.0

 -- Cory McIntire <cory@cpanel.net>  Thu, 01 Aug 2024 00:00:00 -0000

ea-nodejs20 (20.15.1-1) stable; urgency=low

  * EA-12264: Update ea-nodejs20 from v20.15.0 to v20.15.1
  * CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
  * CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
  * CVE-2024-22018 - fs.lstat bypasses permission model (Low)
  * CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
  * CVE-2024-37372 - Permission model improperly processes UNC paths (Low)

 -- Cory McIntire <cory@cpanel.net>  Tue, 09 Jul 2024 00:00:00 -0000

ea-nodejs20 (20.15.0-1) stable; urgency=low

  * EA-12240: Update ea-nodejs20 from v20.13.1 to v20.15.0

 -- Cory McIntire <cory@cpanel.net>  Mon, 01 Jul 2024 00:00:00 -0000

ea-nodejs20 (20.13.1-1) stable; urgency=low

  * EA-12140: Update ea-nodejs20 from v20.13.0 to v20.13.1

 -- Cory McIntire <cory@cpanel.net>  Thu, 09 May 2024 00:00:00 -0000

ea-nodejs20 (20.13.0-1) stable; urgency=low

  * EA-12128: Update ea-nodejs20 from v20.12.2 to v20.13.0

 -- Cory McIntire <cory@cpanel.net>  Tue, 07 May 2024 00:00:00 -0000

ea-nodejs20 (20.12.2-1) stable; urgency=low

  * EA-12083: Update ea-nodejs20 from v20.12.1 to v20.12.2
  * Command injection via args parameter of child_process.spawn without shell option enabled on Windows (CVE-2024-27980) - (HIGH)

 -- Cory McIntire <cory@cpanel.net>  Wed, 10 Apr 2024 00:00:00 -0000

ea-nodejs20 (20.12.1-1) stable; urgency=low

  * EA-12068: Update ea-nodejs20 from v20.12.0 to v20.12.1
  * CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
  * CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)

 -- Cory McIntire <cory@cpanel.net>  Wed, 03 Apr 2024 00:00:00 -0000

ea-nodejs20 (20.12.0-1) stable; urgency=low

  * EA-12050: Update ea-nodejs20 from v20.11.1 to v20.12.0

 -- Cory McIntire <cory@cpanel.net>  Tue, 26 Mar 2024 00:00:00 -0000

ea-nodejs20 (20.11.1-1) stable; urgency=low

  * EA-11975: Update ea-nodejs20 from v20.11.0 to v20.11.1
  * CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
  * CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
  * CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High)
  * CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High)
  * CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
  * CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
  * CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
  * CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)

 -- Cory McIntire <cory@cpanel.net>  Wed, 14 Feb 2024 00:00:00 -0000

ea-nodejs20 (20.11.0-1) stable; urgency=low

  * EA-11904: Update ea-nodejs20 from v20.10.0 to v20.11.0

 -- Cory McIntire <cory@cpanel.net>  Wed, 10 Jan 2024 00:00:00 -0000

ea-nodejs20 (20.10.0-1) stable; urgency=low

  * EA-11826: Update ea-nodejs20 from v20.9.0 to v20.10.0

 -- Cory McIntire <cory@cpanel.net>  Wed, 29 Nov 2023 00:00:00 -0000

ea-nodejs20 (20.9.0-1) stable; urgency=low

  * EA-11773: Update ea-nodejs20 from v20.8.1 to v20.9.0

 -- Cory McIntire <cory@cpanel.net>  Thu, 26 Oct 2023 00:00:00 -0000

ea-nodejs20 (20.8.1-1) stable; urgency=low

  * EA-11747: Update ea-nodejs20 from v20.8.0 to v20.8.1

 -- Cory McIntire <cory@cpanel.net>  Mon, 16 Oct 2023 00:00:00 -0000

ea-nodejs20 (20.8.0-1) stable; urgency=low

  * EA-11715: Update ea-nodejs20 from v20.7.0 to v20.8.0
  undici - Cookie headers are not cleared in cross-domain redirect in undici-fetch (High) - (CVE-2023-45143)
  nghttp2 - HTTP/2 Rapid Reset (High) - (CVE-2023-44487)
  Permission model improperly protects against path traversal (High) - (CVE-2023-39331)
  Path traversal through path stored in Uint8Array (High) - (CVE-2023-39332)
  Integrity checks according to policies can be circumvented (Medium) - (CVE-2023-38552)
  Code injection via WebAssembly export names (Low) - (CVE-2023-39333)

 -- Cory McIntire <cory@cpanel.net>  Mon, 02 Oct 2023 00:00:00 -0000

ea-nodejs20 (20.7.0-1) stable; urgency=low

  * EA-11698: Update ea-nodejs20 from v20.6.1 to v20.7.0

 -- Travis Holloway <t.holloway@cpanel.net>  Wed, 20 Sep 2023 00:00:00 -0000

ea-nodejs20 (20.6.1-1) stable; urgency=low

  * EA-11684: Update ea-nodejs20 from v20.6.0 to v20.6.1

 -- Cory McIntire <cory@cpanel.net>  Fri, 15 Sep 2023 00:00:00 -0000

ea-nodejs20 (20.6.0-1) stable; urgency=low

  * EA-11663: Update ea-nodejs20 from v20.5.1 to v20.6.0

 -- Cory McIntire <cory@cpanel.net>  Fri, 08 Sep 2023 00:00:00 -0000

ea-nodejs20 (20.5.1-1) stable; urgency=low

  * ZC-11127: Initial build

 -- Julian Brown <julian.brown@cpanel.net>  Tue, 15 Aug 2023 00:00:00 -0000

