Bug 25314

Summary: nodejs new security issues fixed upstream in 10.22.1 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6], CVE-2020-8174, CVE-2020-8252)
Product: Mageia Reporter: Stig-Ørjan Smelror <smelror>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, luigiwalser, mageia, nicolas.salguero, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: nodejs-10.15.3-8.mga7.src.rpm CVE: CVE-2019-951[1-8], CVE-2019-1677[5-7]
Status comment:
Bug Depends on: 26725    
Bug Blocks: 26711    
Attachments: test file for "Hello World"

Description Stig-Ørjan Smelror 2019-08-16 11:18:06 CEST 
Several security issues found in NodeJS before versions 8.16.1 and 10.16.3

CVE-2019-95[11-18]
https://github.com/nodejs/node/releases/tag/v10.16.3
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
Stig-Ørjan Smelror 2019-08-16 11:18:37 CEST

CVE: (none) => CVE-2019-95[11-18]
Summary: nodejs new security issues fixed upstream in 10.16.3 => nodejs new security issues fixed upstream in 10.16.3 CVE-2019-95[11-18]
Whiteboard: (none) => MGA7TOO

Comment 1 Stig-Ørjan Smelror 2019-08-17 15:10:32 CEST 
Cauldron updated to version 10.16.3

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

David Walser 2019-08-18 16:27:12 CEST

Summary: nodejs new security issues fixed upstream in 10.16.3 CVE-2019-95[11-18] => nodejs new security issues fixed upstream in 10.16.3 (CVE-2019-951[1-8])
CVE: CVE-2019-95[11-18] => CVE-2019-951[1-8]

Comment 2 David Walser 2019-12-23 22:45:38 CET 
Fedora has issued an advisory for this on August 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/

Source RPM: (none) => nodejs-10.15.3-8.mga7.src.rpm

Comment 3 David Walser 2020-01-24 18:35:01 CET 
Fedora has issued an advisory today (January 24):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/

The issues are fixed upstream in 10.18.0 and 12.14.0:
https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/
https://nodejs.org/en/blog/year-2019/

Newest bugfix versions are 10.18.1 and 12.14.1:
https://nodejs.org/en/blog/release/v10.18.1/
https://nodejs.org/en/blog/release/v12.14.1/

More security updates will be coming on February 4:
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/

Summary: nodejs new security issues fixed upstream in 10.16.3 (CVE-2019-951[1-8]) => nodejs new security issues fixed upstream in 10.18.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7])
CVE: CVE-2019-951[1-8] => CVE-2019-951[1-8], CVE-2019-1677[5-7]
Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron

Comment 4 David Walser 2020-02-20 22:25:02 CET 
Fedora has issued an advisory on February 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RYHQQ4HSGBFYOHBZHBTUQNIJY5MBL63G/

The issues are fixed upstream in 10.19.0 and 12.15.0:
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/

CC: (none) => luigiwalser
Summary: nodejs new security issues fixed upstream in 10.18.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7]) => nodejs new security issues fixed upstream in 10.19.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6])

Comment 6 Nicolas Lécureuil 2020-05-27 23:35:55 CEST 
i update nodejs to the latest 10.x release to fix all the known CVE

CC: (none) => mageia

Comment 7 Nicolas Lécureuil 2020-05-27 23:49:48 CEST 
from: nodejs-10.20.1-8.mga7


sorry, i forgot to reset release :)
Nicolas Lécureuil 2020-05-27 23:54:06 CEST

Assignee: smelror => qa-bugs

Comment 8 David Walser 2020-05-28 01:45:19 CEST 
We have 12.16.3 in Cauldron, so we're good there.

Version: Cauldron => 7
Assignee: qa-bugs => mageia
Whiteboard: MGA7TOO => (none)

Comment 9 David Walser 2020-05-28 01:48:31 CEST 
Build error in Mageia 7 is:
../src/node_http2.cc: In constructor 'node::http2::Http2Options::Http2Options(node::Environment*, node::http2::nghttp2_session_type)':
../src/node_http2.cc:156:5: error: 'nghttp2_option_set_max_outbound_ack' was not declared in this scope
     nghttp2_option_set_max_outbound_ack(options_, 10000);
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/node_http2.cc:156:5: note: suggested alternative: 'nghttp2_option_set_no_auto_ping_ack'
     nghttp2_option_set_max_outbound_ack(options_, 10000);
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This function was added to the nghttp2 API in 1.39.2:
https://github.com/nghttp2/nghttp2/releases/tag/v1.39.2

So we might as well update to the newest 1.40.0:
https://github.com/nghttp2/nghttp2/releases/tag/v1.40.0

As SOS pointed out on IRC, we should probably update libuv too.
Comment 10 David Walser 2020-05-28 17:19:43 CEST 
Reminder to Nicolas that you should probably update libuv too.

nghttp2 update is done:
nghttp2-1.40.0-1.mga7
libnghttp2_14-1.40.0-1.mga7
libnghttp2-devel-1.40.0-1.mga7

from nghttp2-1.40.0-1.mga7.src.rpm

Nicolas is close on the nodejs build.
Nicolas Lécureuil 2020-05-29 01:00:29 CEST

Assignee: mageia => qa-bugs

Comment 11 David Walser 2020-05-29 02:43:30 CEST 
Nodejs update built.  Feedback marker set because of no libuv update.

nodejs-10.20.1-8.mga7
nodejs-devel-10.20.1-8.mga7
nodejs-libs-10.20.1-8.mga7
v8-devel-6.8.275.32-8.mga7
npm-6.14.4-1.10.20.1.8.mga7
nodejs-docs-10.20.1-8.mga7

from nodejs-10.20.1-8.mga7.src.rpm

Keywords: (none) => feedback

Comment 12 David Walser 2020-05-29 03:17:13 CEST 
First draft of advisory.

Advisory:
========================

Updated nodejs packages fix security vulnerabilities:

The nodejs package has been updated to the latest version in the 10.x branch,
which is 10.20.1 at this time.  It fixes several security issues and other
bugs.  See the upstream changelog and advisories for details.

Also, the nghttp2 package has been updated to the latest version, 1.40.0, as
the latest nodejs requires an API that was added in nghttp2 1.39.2.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9517
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15605
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16777
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
https://github.com/nodejs/node/blob/v10.x/doc/changelogs/CHANGELOG_V10.md
https://github.com/nghttp2/nghttp2/releases/
Comment 13 David Walser 2020-06-03 21:25:42 CEST 
We need to update again to nodejs 10.21.0 and nghttp2 1.41.0:
CVE-2020-8174 (nodejs) CVE-2020-11080 (nghttp2)
https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/
https://github.com/nodejs/node/blob/v10.x/doc/changelogs/CHANGELOG_V10.md
https://nghttp2.org/blog/2020/06/02/nghttp2-v1-41-0/
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr

CVE-2020-10531 was already fixed in icu.

Keywords: feedback => (none)
Summary: nodejs new security issues fixed upstream in 10.19.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6]) => nodejs new security issues fixed upstream in 10.21.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6], CVE-2020-8174) and nghttp2 issue CVE-2020-11080
CC: (none) => qa-bugs
Source RPM: nodejs-10.15.3-8.mga7.src.rpm => nodejs-10.15.3-8.mga7.src.rpm, nghttp2-1.38.0-1.2.mga7.src.rpm
Assignee: qa-bugs => mageia

Comment 14 Stig-Ørjan Smelror 2020-06-03 21:28:26 CEST 
I've already pushed an update to nghttp2 1.40.0 for mga7.

https://bugs.mageia.org/show_bug.cgi?id=26725
Comment 15 David Walser 2020-06-03 21:36:54 CEST 
nghttp2 update moved to Bug 26725.

Depends on: (none) => 26725
Summary: nodejs new security issues fixed upstream in 10.21.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6], CVE-2020-8174) and nghttp2 issue CVE-2020-11080 => nodejs new security issues fixed upstream in 10.21.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6], CVE-2020-8174)
Source RPM: nodejs-10.15.3-8.mga7.src.rpm, nghttp2-1.38.0-1.2.mga7.src.rpm => nodejs-10.15.3-8.mga7.src.rpm

Comment 16 David Walser 2020-06-03 22:31:31 CEST 
Also don't forget to update libuv.  I don't think nodejs specifies in their advisories which if any of the security issues are actually fixed in their bundled libuv.
Comment 17 Nicolas Lécureuil 2020-06-04 00:02:31 CEST 
libuv updated to 1.34.2

from: libuv-1.34.2-1.mga7
Comment 18 David Walser 2020-06-04 00:07:36 CEST 
libuv1-1.34.2-1.mga7
libuv-devel-1.34.2-1.mga7
libuv-static-devel-1.34.2-1.mga7

from libuv-1.34.2-1.mga7.src.rpm
David Walser 2020-09-08 17:54:03 CEST

Blocks: (none) => 26711

Comment 19 Nicolas Salguero 2020-09-24 09:28:08 CEST 
Hi,

There is a new security issue (CVE-2020-8252) found in NodeJS 10.x:
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/

Best regards,

Nico.

CC: (none) => nicolas.salguero
Summary: nodejs new security issues fixed upstream in 10.21.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6], CVE-2020-8174) => nodejs new security issues fixed upstream in 10.22.1 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6], CVE-2020-8174, CVE-2020-8252)

Comment 20 David Walser 2020-09-24 15:33:17 CEST 
New issue fixed in 10.22.1:
https://nodejs.org/en/blog/release/v10.22.1/

Advisory:
========================

Updated nodejs packages fix security vulnerabilities:

The nodejs package has been updated to the latest version in the 10.x branch,
which is 10.22.1 at this time.  It fixes several security issues and other
bugs.  See the upstream changelog and advisories for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9517
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15605
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16777
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8252
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/
https://github.com/nodejs/node/blob/v10.x/doc/changelogs/CHANGELOG_V10.md
https://github.com/nghttp2/nghttp2/releases/
========================

Updated packages in core/updates_testing:
========================
libuv1-1.34.2-1.mga7
libuv-devel-1.34.2-1.mga7
libuv-static-devel-1.34.2-1.mga7
nodejs-10.22.1-9.mga7
nodejs-devel-10.22.1-9.mga7
nodejs-libs-10.22.1-9.mga7
v8-devel-6.8.275.32-9.mga7
npm-6.14.6-1.10.22.1.9.mga7
nodejs-docs-10.22.1-9.mga7

from SRPMS:
libuv-1.34.2-1.mga7.src.rpm
nodejs-10.22.1-9.mga7.src.rpm

CC: qa-bugs => (none)
Assignee: mageia => qa-bugs

Comment 21 Herman Viaene 2020-09-26 14:58:56 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 21330 Comment 51 for testing
$ node main.js 
Server running at http://127.0.0.1:8081/
point browser to http://localhost:8081/ shows "Hello World"
So OK.
Will attach the main.js file.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 22 Herman Viaene 2020-09-26 14:59:58 CEST 
Created attachment 11889 [details]
test file for "Hello World"
Aurelien Oudelet 2020-09-26 17:54:47 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 23 Mageia Robot 2020-09-27 22:07:54 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0372.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 24 David Walser 2020-10-13 19:48:04 CEST 
This update also fixed CVE-2020-15095 in npm:
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html