Bug 29365

Summary: nodejs new security issues CVE-2021-2293[19], CVE-2021-22940, CVE-2021-37701, CVE-2021-3771[23], CVE-2021-3913[45]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: nodejs-14.17.4-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-08-12 13:58:39 CEST 
Nodejs has issued an advisory on August 11:
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/

The issues are fixed upstream in 14.17.5:
https://nodejs.org/en/blog/release/v14.17.5/

Mageia 8 is also affected.
David Walser 2021-08-12 13:58:55 CEST

Status comment: (none) => Fixed upstream in 14.17.5
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2021-08-27 17:38:13 CEST 
On August 31 there will be another security update:
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases2/
Comment 2 David Walser 2021-08-31 19:35:46 CEST 
(In reply to David Walser from comment #1)
> On August 31 there will be another security update:
> https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases2/

This advisory is now live.  Issues are fixed upstream in 14.17.6:
https://nodejs.org/en/blog/release/v14.17.6/

Summary: nodejs new security issues CVE-2021-2293[19] and CVE-2021-22940 => nodejs new security issues CVE-2021-2293[19], CVE-2021-22940, CVE-2021-37701, CVE-2021-3771[23], CVE-2021-3913[45]
Status comment: Fixed upstream in 14.17.5 => Fixed upstream in 14.17.6

Comment 3 Nicolas Lécureuil 2021-09-24 10:30:02 CEST 
fixed in mga8

src:
    - nodejs-14.17.6-1.mga8

version 16.10.0 is in WIP for cauldron.

Assignee: mageia => qa-bugs
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 14.17.6 => (none)
Version: Cauldron => 8

Comment 4 David Walser 2021-09-24 16:51:37 CEST 
nodejs-14.17.6-1.mga8
nodejs-docs-14.17.6-1.mga8
nodejs-libs-14.17.6-1.mga8
nodejs-devel-14.17.6-1.mga8
npm-6.14.15-1.14.17.6.1.mga8
v8-devel-8.4.371.23.mga8-1.mga8

from nodejs-14.17.6-1.mga8.src.rpm
Comment 5 Herman Viaene 2021-10-05 16:25:38 CEST 
MGA8-64 Plasma on Lenovo B50
No installation issues
ref bug 29028 Comment 8 for test
at CLI

$ cd Documenten
$ node main.js 
Server running at http://127.0.0.1:8081/
Then pointing browser to it displays "Hello world"
OK for me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2021-10-05 16:52:37 CEST 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2021-10-06 19:23:52 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-10-06 21:43:18 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0463.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED