| Summary: | nodejs new security issues fixed upstream in 18.14.1 and 14.21.3 (CVE-2023-2391[89], CVE-2023-23936, CVE-2023-24807, CVE-2023-23920) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, chb0, davidwhodgins, herman.viaene, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | nodejs-14.21.1-1.1.mga8.src.rpm | CVE: | |
| Status comment: | | | |
Description

David Walser 2023-02-15 18:01:05 CET

David Walser 2023-02-15 18:01:15 CET

Whiteboard: (none) => MGA8TOO
Assignee: bugsquad => chb0

Christian looks to be the active maintainer for nodejs, so assigning this to you. lavache indeed!
christian barranco 2023-02-18 09:38:40 CET

Summary: nodejs new security issues fixed upstream in 18.15.0 => nodejs new security issues fixed upstream in 18.14.1

Hi

For the record:
MGA9 -> 18.14.1
MGA8 -> 14.21.3

The blog post in Comment 0 has been updated with the CVEs.
CVE-2023-23918 and CVE-2023-23920 affect Mageia 8.

Release announcements:
https://nodejs.org/en/blog/release/v14.21.3/
https://nodejs.org/en/blog/release/v18.14.1/

Summary: nodejs new security issues fixed upstream in 18.14.1 => nodejs new security issues fixed upstream in 18.14.1 (CVE-2023-2391[89], CVE-2023-23936, CVE-2023-24807, CVE-2023-23920)

Ready for QA
christian barranco 2023-02-18 17:11:25 CET

Summary: nodejs new security issues fixed upstream in 18.14.1 (CVE-2023-2391[89], CVE-2023-23936, CVE-2023-24807, CVE-2023-23920) => nodejs new security issues fixed upstream in 18.14.1 and 14.21.3 (CVE-2023-2391[89], CVE-2023-23936, CVE-2023-24807, CVE-2023-23920)

christian barranco 2023-02-18 17:11:49 CET

Source RPM: nodejs-18.13.0-1.mga9.src.rpm => nodejs-14.21.1-1.1.mga8.src.rpm

christian barranco 2023-02-18 17:12:01 CET

Version: Cauldron => 8

ADVISORY NOTICE PROPOSAL
========================

Updated nodejs packages fix security vulnerability
Description

The following CVEs are fixed in this release:

CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)

More detailed information on each of the vulnerabilities can be found in the February 2023 Security Releases blog post.

This security release includes OpenSSL security updates as outlined in the recent OpenSSL security advisory.

This security release also includes an npm update for Node.js 14 to address a number of CVEs which either do not affect Node.js or are low severity in the context of Node.js. You can get more details for the individual CVEs in nodejs-dependency-vuln-assessments.
References
https://bugs.mageia.org/show_bug.cgi?id=31559
https://github.com/nodejs/node/releases/tag/v14.21.3
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/
https://www.openssl.org/news/secadv/20230207.txt
SRPMS
8/core
nodejs-14.21.3-1.mga8.src.rpm
PROVIDED PACKAGES:
nodejs-docs-14.21.3-1.mga8
nodejs-libs-14.21.3-1.mga8
nodejs-devel-14.21.3-1.mga8
nodejs-14.21.3-1.mga8
v8-devel-8.4.371.23.1.mga8-7.mga8
npm-6.14.17-1.14.21.3.1.mga8
PACKAGES FOR QA TESTING
=======================
x86_64:
nodejs-docs-14.21.3-1.noarch.rpm
nodejs-libs-14.21.3-1.mga8.x86_64.rpm
nodejs-devel-14.21.3-1.mga8.x86_64.rpm
nodejs-14.21.3-1.mga8.x86_64.rpm
v8-devel-8.4.371.23.1.mga8-7.mga8.x86_64.rpm
npm-6.14.18-1.14.21.3.1.mga8.x86_64.rpm
i586:
nodejs-docs-14.21.3-1.noarch.rpm
nodejs-libs-14.21.3-1.mga8i586.rpm
nodejs-devel-14.21.3-1.mga8i586.rpm
nodejs-14.21.3-1.mga8i586.rpm
v8-devel-8.4.371.23.1.mga8-7.mga8i586.rpm
npm-6.14.18-1.14.21.3.1.mga8i586.rpm
christian barranco 2023-02-19 20:51:02 CET

Assignee: chb0 => qa-bugs

David Walser 2023-02-19 21:34:15 CET

CC: (none) => chb0

Using QARepo:
nodejs-docs-14.21.3-1.noarch.rpm not found in the remote repository
v8-devel-8.4.371.23.1.mga8-7.mga8.x86_64.rpm not found in the remote repository

CC: (none) => herman.viaene

Sorry, spelling mistakes... Should be better with:

PACKAGES FOR QA TESTING
=======================
x86_64:
nodejs-docs-14.21.3-1.mga8.noarch.rpm
nodejs-libs-14.21.3-1.mga8.x86_64.rpm
nodejs-devel-14.21.3-1.mga8.x86_64.rpm
nodejs-14.21.3-1.mga8.x86_64.rpm
v8-devel-8.4.371.23.mga8-7.mga8.x86_64.rpm
npm-6.14.18-1.14.21.3.1.mga8.x86_64.rpm
i586:
nodejs-docs-14.21.3-1.mga8.noarch.rpm
nodejs-libs-14.21.3-1.mga8.i586.rpm
nodejs-devel-14.21.3-1.mga8.i586.rpm
nodejs-14.21.3-1.mga8.i586.rpm
v8-devel-8.4.371.23.mga8-7.mga8.i586.rpm
npm-6.14.18-1.14.21.3.1.mga8.i586.rpm

mageia8, x86_64

Prior to updating I installed most of the packages.

```
$ sudo urpmi v8-devel
The following package cannot be installed because it depends on packages that are older than the installed ones:
v8-devel-8.4.371.23.1.mga8-6.1.mga8
Continue installation anyway? (Y/n)
```

This is looking familiar. I forget how it was sorted out before.

```
$ rpm -qa | grep nodejs
nodejs-chownr-2.0.0-1.mga8
nodejs-tar-6.0.5-1.1.mga8
nodejs-devel-14.21.3-1.mga8
nodejs-minipass-3.1.3-2.mga8
nodejs-packaging-23-3.mga8
nodejs-safe-buffer-5.1.2-3.mga8
nodejs-yallist-4.0.0-1.mga8
nodejs-libs-14.21.3-1.mga8
nodejs-fs-minipass-2.0.1-2.mga8
nodejs-docs-14.21.3-1.mga8
nodejs-minizlib-2.1.2-2.mga8
nodejs-14.21.3-1.mga8
nodejs-mkdirp-1.0.4-2.mga8
nodejs-minimist-1.2.7-1.mga8
```

No v8 packages on the system.

CC: (none) => tarazed25
christian barranco 2023-02-28 12:37:39 CET

Assignee: qa-bugs => chb0

Hi. The subrel used for the previous release has tricked me... There is an update now in core/updates_testing

Ready for QA!

PACKAGES FOR QA TESTING
=======================
x86_64:
v8-devel-8.4.371.23.1.mga8-7.1.mga8.x86_64.rpm
nodejs-devel-14.21.3-2.1.mga8.x86_64.rpm
nodejs-14.21.3-2.1.mga8.x86_64.rpm
npm-6.14.18-1.14.21.3.2.1.mga8.x86_64.rpm
nodejs-docs-14.21.3-2.1.mga8.noarch.rpm
nodejs-libs-14.21.3-2.1.mga8.x86_64.rpm
i586:
v8-devel-8.4.371.23.1.mga8-7.1.mga8.i586.rpm
nodejs-devel-14.21.3-2.1.mga8.i586.rpm
nodejs-14.21.3-2.1.mga8.i586.rpm
npm-6.14.18-1.14.21.3.2.1.mga8.i586.rpm
nodejs-docs-14.21.3-2.1.mga8.noarch.rpm
nodejs-libs-14.21.3-2.1.mga8.i586.rpm

Assignee: chb0 => qa-bugs

Yes, it works now. All packages updated fine.

Referred to previous bug 30887 for testing. Removed the previous modules.

```
$ npm ls -g
/usr/lib
├── corepack@0.15.1
└─┬ npm@6.14.18
  ├── abbrev@1.1.1
  ├── ansicolors@0.3.2
[...]
```

$ npm ls displayed a stream of error messages of this type:

```
npm ERR! missing: mime-types@2.1.35, required by type-is@1.6.18
```

$ npm install express
A number of warnings and error messages were displayed, ending up with:

```
+ express@4.18.2
added 57 packages from 42 contributors and audited 57 packages in 7.46s
7 packages are looking for funding
  run `npm fund` for details
found 0 vulnerabilities
```

$ npm ls displayed a tree containing the newly installed modules.

```
$ npm search express
NAME               | DESCRIPTION          | AUTHOR          | DATE
express            | Fast,…               | =mikeal…        | 2022-10-08
express-handlebars | A Handlebars view…   | =ericf =sahat…  | 2023-01-25
cors               | Node.js CORS…        | =dougwilson…    | 2018-11-04
path-to-regexp     | Express style path…  | =blakeembrey…   | 2022-05-06
connect-redis      | Redis session store… | =tjholowaychuk… | 2023-02-28
....
$ node helloworld.js
Hello World!
$ node main.js
Server running at http://127.0.0.1:8081/
```

'Hello World' showed in a browser at that URL.

The REPL works for simple arithmetic:

```
$ node --print-code
Welcome to Node.js v14.21.3.
Type ".help" for more information.
> a = 4
4
> b=22.3
22.3
> a*b
89.2
```

Tried exit to leave - response was a code listing:

```
[...]
0xcee1e248fdb  deopt inlining id (-1)
0xcee1e248fdb  deopt reason ((unknown))
0xcee1e248fdb  deopt index
0xcee1e248fe3  runtime entry (lazy deoptimization bailout)
--- End code ---
it
Uncaught ReferenceError: exit is not defined
>
> .load main.js
var http = require("http");
http.createServer(function (request, response) {
   // Send the HTTP header
   // HTTP Status: 200 : OK
   // Content Type: text/plain
   response.writeHead(200, {'Content-Type': 'text/plain'});
   // Send the response body as "Hello World"
   response.end('Hello World\n');
}).listen(8081);
[...]
<During this session port 8081 opened in a browser displaying 'Hello World'>
> .save session
Session saved to: session
> .exit
```

$ cat session repeated all of the above except the error report for 'exit'.

```
$ urpmq --whatrequires nodejs | sort -u | grep -v nodejs
jupyter-jupyterlab
npm
python3-jupyterlab
ruby-execjs
uglify-js1
ycssmin
```

Leaving it there. npm has been running fine. There appears to be a ruby binding for javascript - might investigate that sometime.

Giving this the green light.

Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs
Dave Hodgins 2023-03-01 17:36:39 CET

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0078.html

Resolution: (none) => FIXED