Bug 28445

Summary: nodejs new security issues CVE-2021-22883, CVE-2021-22884
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, mageia, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7TOO MGA8-64-OK
Source RPM: nodejs-14.15.1-3.mga8.src.rpm
CVE:
Status comment:
Bug Depends on:
Bug Blocks: 28481

Description David Walser 2021-02-26 16:51:55 CET
Debian has issued an advisory on February 24:
https://www.debian.org/security/2021/dsa-4863

The issues are fixed upstream in 10.24.0 and 14.16.0:
https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
https://nodejs.org/en/blog/release/v10.24.0/
https://nodejs.org/en/blog/release/v14.16.0/

Mageia 7 and Mageia 8 are also affected.

David Walser 2021-02-26 16:52:20 CET

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 10.24.0 and 14.16.0

Comment 1 Lewis Smith 2021-02-27 09:20:57 CET
Assigning to Joseph, registered & active maintainer.

Assignee: bugsquad => joequant

Comment 2 David Walser 2021-02-28 15:03:46 CET
Mageia 7 update built by Nicolas (Mageia 8 and Cauldron are WIP):
nodejs-10.24.0-10.mga7
nodejs-devel-10.24.0-10.mga7
nodejs-libs-10.24.0-10.mga7
v8-devel-6.8.275.32-10.mga7
npm-6.14.11-1.10.24.0.10.mga7
nodejs-docs-10.24.0-10.mga7

CC: (none) => mageia

Comment 3 Nicolas Lécureuil 2021-02-28 17:15:53 CET
mga8 rpm is building as we speak.

Comment 4 Nicolas Lécureuil 2021-02-28 18:09:56 CET
rpms for mageia 8: 

v8-devel-8.4.371.19.mga8-1.mga8
nodejs-14.16.0-1.mga8
nodejs-devel-14.16.0-1.mga8
npm-6.14.11-1.14.16.0.1.mga8
nodejs-docs-14.16.0-1.mga8
nodejs-libs-14.16.0-1.mga8

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Assignee: joequant => qa-bugs

Comment 5 Manuel Hiebel 2021-02-28 19:34:26 CET
tested nodejs and npm, no issue

Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
Blocks: (none) => 28481

Comment 6 Dave Hodgins 2021-02-28 22:38:17 CET
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 7 Mageia Robot 2021-03-01 00:17:56 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0092.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

David Walser 2021-03-01 17:40:08 CET

Status comment: Fixed upstream in 10.24.0 and 14.16.0 => (none)

Comment 8 Thomas Backlund 2021-04-12 15:38:33 CEST
(In reply to Nicolas Lécureuil from comment #4)
> rpms for mageia 8: 
> 
> v8-devel-8.4.371.19.mga8-1.mga8

Interestingly no-one caught this versioning error

now reported in https://bugs.mageia.org/show_bug.cgi?id=28767