| Summary: | nodejs new security issues fixed upstream in 18.17.1 (CVE-2023-32002[6], CVE-2023-32559) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | christian barranco <chb0> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | davidwhodgins, fri, herman.viaene, mageia, marja11, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8TOO MGA8-64-OK MGA9-64-OK | | |
| Source RPM: | nodejs-18.16.1-2.mga9.src.rpm, yarnpkg-1.22.19-11.mga9.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 28809, 32309, 32341 | | |

Description
christian barranco
2023-08-16 11:26:57 CEST

christian barranco
2023-08-16 11:27:56 CEST
Blocks:
(none) =>
28809

christian barranco
2023-08-16 11:30:13 CEST
Whiteboard:
(none) =>
MGA8TOO

ADVISORY NOTICE PROPOSAL
========================
Updated nodejs 18.17.1 packages fix security vulnerabilities
Description
This is a security release. As well, it fixes v8 headers detection (mga#28809).
The following CVEs are fixed in this release:
CVE-2023-32002: Policies can be bypassed via Module._load (High)
CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
OpenSSL Security Releases
OpenSSL security advisory 14th July.
OpenSSL security advisory 19th July.
OpenSSL security advisory 31st July.
More detailed information on each of the vulnerabilities can be found in August 2023 Security Releases blog post.
References
https://bugs.mageia.org/show_bug.cgi?id=32176
https://bugs.mageia.org/show_bug.cgi?id=28809
https://github.com/nodejs/node/releases/tag/v18.17.1
https://github.com/nodejs/node/releases/tag/v18.17.0
SRPMS for MGA8
8/core
nodejs-18.17.1-1.mga8.src.rpm
SRPMS for MGA9
9/core
nodejs-18.17.1-1.mga9.src.rpm
PROVIDED PACKAGES FOR MGA8:
nodejs-docs-18.17.1-1.mga8
nodejs-libs-18.17.1-1.mga8
nodejs-devel-18.17.1-1.mga8
nodejs-18.17.1-1.mga8
v8-devel-10.2.154.26.mga8-3.mga8
npm-9.6.7-1.18.17.1.1.mga8
PROVIDED PACKAGES FOR MGA9:
nodejs-docs-18.17.1-1.mga9
nodejs-libs-18.17.1-1.mga9
nodejs-devel-18.17.1-1.mga9
nodejs-18.17.1-1.mga9
v8-devel-10.2.154.26.mga9-3.mga9
npm-9.6.7-1.18.17.1.1.mga9
PACKAGES FOR QA TESTING
=======================
MGA8 x86_64:
v8-devel-10.2.154.26.mga8-3.mga8.x86_64.rpm
nodejs-devel-18.17.1-1.mga8.x86_64.rpm
nodejs-18.17.1-1.mga8.x86_64.rpm
npm-9.6.7-1.18.17.1.1.mga8.x86_64.rpm
nodejs-docs-18.17.1-1.mga8.noarch.rpm
nodejs-libs-18.17.1-1.mga8.x86_64.rpm
MGA8 i586:
v8-devel-10.2.154.26.mga8-3.mga8.i586.rpm
nodejs-devel-18.17.1-1.mga8.i586.rpm
nodejs-18.17.1-1.mga8.i586.rpm
npm-9.6.7-1.18.17.1.1.mga8.i586.rpm
nodejs-docs-18.17.1-1.mga8.noarch.rpm
nodejs-libs-18.17.1-1.mga8.i586.rpm
MGA9 x86_64:
v8-devel-10.2.154.26.mga9-3.mga9.x86_64.rpm
nodejs-devel-18.17.1-1.mga9.x86_64.rpm
nodejs-18.17.1-1.mga9.x86_64.rpm
npm-9.6.7-1.18.17.1.1.mga9.x86_64.rpm
nodejs-docs-18.17.1-1.mga9.noarch.rpm
nodejs-libs-18.17.1-1.mga9.x86_64.rpm
MGA9 i586:
v8-devel-10.2.154.26.mga9-3.mga9.i586.rpm
nodejs-devel-18.17.1-1.mga9.i586.rpm
nodejs-18.17.1-1.mga9.i586.rpm
npm-9.6.7-1.18.17.1.1.mga9.i586.rpm
nodejs-docs-18.17.1-1.mga9.noarch.rpm
nodejs-libs-18.17.1-1.mga9.i586.rpm
christian barranco
2023-08-16 16:40:06 CEST
Status:
NEW =>
ASSIGNED

David Walser (comment #3):
I can't get to blog.nodejs.org because of SSL_ERROR_RX_RECORD_TOO_LONG, but there should also be an upstream advisory there to include in the references.

(In reply to David Walser from comment #3)
> I can't get to blog.nodejs.org because of SSL_ERROR_RX_RECORD_TOO_LONG, but
> there should also be an upstream advisory there to include in the references.
This one? https://nodejs.org/en/blog/vulnerability/august-2023-security-releases

Herman Viaene (comment #6):
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 32047 for testing:
```
$ npm ls -g
/usr/lib
├── corepack@0.18.0
└── npm@9.6.7
$ npm ls
/home/tester8/Documents/testnodejs
└── (empty)
$ npm install express
added 58 packages in 15s
8 packages are looking for funding
  run `npm fund` for details
npm notice
npm notice New minor version of npm available! 9.6.7 -> 9.8.1
npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.8.1
npm notice Run npm install -g npm@9.8.1 to update!
npm notice
$ npm ls
testnodejs@ /home/tester8/Documents/testnodejs
└── express@4.18.2
$ npm install express5
npm WARN deprecated string-similarity@4.0.4: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
added 47 packages, and audited 106 packages in 22s
11 packages are looking for funding
  run `npm fund` for details
found 0 vulnerabilities
$ ls node_modules
abstract-logging/           fast-decode-uri-component/   lru-cache/                 reusify/
accepts/                    fast-deep-equal/             media-typer/               rfdc/
ajv/                        '@fastify'/                  merge-descriptors/         safe-buffer/
archy/                      fastify/                     methods/                   safer-buffer/
array-flatten/              fast-json-stable-stringify/  mime/                      safe-regex2/
atomic-sleep/               fast-json-stringify/         mime-db/                   secure-json-parse/
avvio/                      fastq/                       mime-types/                semver/
body-parser/                fast-redact/                 ms/                        semver-store/
bytes/                      fast-safe-stringify/         negotiator/                send/
call-bind/                  finalhandler/                object-inspect/            serve-static/
content-disposition/        find-my-way/                 on-finished/               set-cookie-parser/
content-type/               flatstr/                     parseurl/                  setprototypeof/
cookie/                     forwarded/                   path-to-regexp/            side-channel/
cookie-signature/           fresh/                       pino/                      sonic-boom/
debug/                      function-bind/               pino-std-serializers/      statuses/
deepmerge/                  get-intrinsic/               process-warning/           string-similarity/
depd/                       has/                         proxy-addr/                tiny-lru/
destroy/                    has-proto/                   punycode/                  toidentifier/
ee-first/                   has-symbols/                 qs/                        type-is/
encodeurl/                  http-errors/                 queue-microtask/           unpipe/
escape-html/                iconv-lite/                  quick-format-unescaped/    uri-js/
etag/                       inherits/                    range-parser/              utils-merge/
express/                    ipaddr.js/                   raw-body/                  vary/
express5/                   json-schema-traverse/        require-from-string/       yallist/
fast-content-type-parse/    light-my-request/            ret/
[tester8@mach7 testnodejs]$ node main.js
```
Different from before, I get no feedback on the CLI, but
Checked http://localhost:8081
Hello World <displayed in browser>
```
$ npm install print-code
added 10 packages, and audited 116 packages in 9s
11 packages are looking for funding
  run `npm fund` for details
found 0 vulnerabilities
$ node --print-code
<dumps code stream to the terminal>
```
and from here I deviate from bug 32047 in a way that after every first character of a command I get a dump of code; when continuing the command, I get the correct result.
nodejs seems to work out in some other complicated way than before ????
CC:
(none) =>
herman.viaene

Dave Hodgins (comment #7):
The package will need to be resubmitted to the build system as it is not in updates testing for m9.
Keywords:
(none) =>
feedback

christian barranco (comment #8):
(In reply to Herman Viaene from comment #6)
>
> $ node --print-code
> <dumps code stream to the terminal>
> and from here I deviate from bug 32047 in a way that after every first
> character of a command I get a dump of code; when continuing the command, I
> get the correct result.
> nodejs seems to work out in some other complicated way than before ????
If you run node instead of node --print-code, all the verification procedure works fine. Only thing is you should type `.load main.js` instead of `.load main.js;`. I don't know why the semicolon should now be removed. I am not familiar either with what --print-code is for. Actually, I have found nothing about it on the node man page and on the web?

(In reply to Dave Hodgins from comment #7)
> The package will need to be resubmitted to the build system as it
> is not in updates testing for m9.
Ok, I resubmit it.
christian barranco
2023-09-04 20:20:42 CEST
Source RPM:
nodejs-18.16.1-2.mga9.src.rpm =>
nodejs-18.16.1-2.mga9.src.rpm,yarnpkg-1.22.19-11.mga9.src.rpm
Hi, I had to resubmit both MGA9 and Cauldron. MGA9 is ready for QA. I rebuilt yarnpkg to use the updated npm. Should I add it to the list of packages in the Advisory?
Keywords:
feedback =>
(none)

(comment #10)
Yes

christian barranco (comment #11):
Everything is now ready for QA validation.

ADVISORY NOTICE PROPOSAL (UPDATE)
========================
Updated nodejs 18.17.1 packages fix security vulnerabilities
Description
This is a security release. As well, it fixes v8 headers detection (mga#28809).
The following CVEs are fixed in this release:
CVE-2023-32002: Policies can be bypassed via Module._load (High)
CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
OpenSSL Security Releases
OpenSSL security advisory 14th July.
OpenSSL security advisory 19th July.
OpenSSL security advisory 31st July.
More detailed information on each of the vulnerabilities can be found in August 2023 Security Releases blog post.
References
https://bugs.mageia.org/show_bug.cgi?id=32176
https://bugs.mageia.org/show_bug.cgi?id=28809
https://github.com/nodejs/node/releases/tag/v18.17.1
https://github.com/nodejs/node/releases/tag/v18.17.0
SRPMS for MGA8
8/core
nodejs-18.17.1-1.mga8.src.rpm
SRPMS for MGA9
9/core
nodejs-18.17.1-1.mga9.src.rpm
yarnpkg-1.22.19-13.mga9.src.rpm
PROVIDED PACKAGES FOR MGA8:
nodejs-docs-18.17.1-1.mga8
nodejs-libs-18.17.1-1.mga8
nodejs-devel-18.17.1-1.mga8
nodejs-18.17.1-1.mga8
v8-devel-10.2.154.26.mga8-3.mga8
npm-9.6.7-1.18.17.1.1.mga8
PROVIDED PACKAGES FOR MGA9:
nodejs-docs-18.17.1-1.mga9
nodejs-libs-18.17.1-1.mga9
nodejs-devel-18.17.1-1.mga9
nodejs-18.17.1-1.mga9
v8-devel-10.2.154.26.mga9-3.mga9
npm-9.6.7-1.18.17.1.1.mga9
yarnpkg-1.22.19-13.mga9
PACKAGES FOR QA TESTING
=======================
MGA8 x86_64:
v8-devel-10.2.154.26.mga8-3.mga8.x86_64.rpm
nodejs-devel-18.17.1-1.mga8.x86_64.rpm
nodejs-18.17.1-1.mga8.x86_64.rpm
npm-9.6.7-1.18.17.1.1.mga8.x86_64.rpm
nodejs-docs-18.17.1-1.mga8.noarch.rpm
nodejs-libs-18.17.1-1.mga8.x86_64.rpm
MGA8 i586:
v8-devel-10.2.154.26.mga8-3.mga8.i586.rpm
nodejs-devel-18.17.1-1.mga8.i586.rpm
nodejs-18.17.1-1.mga8.i586.rpm
npm-9.6.7-1.18.17.1.1.mga8.i586.rpm
nodejs-docs-18.17.1-1.mga8.noarch.rpm
nodejs-libs-18.17.1-1.mga8.i586.rpm
MGA9 x86_64:
v8-devel-10.2.154.26.mga9-3.mga9.x86_64.rpm
nodejs-devel-18.17.1-1.mga9.x86_64.rpm
nodejs-18.17.1-1.mga9.x86_64.rpm
npm-9.6.7-1.18.17.1.1.mga9.x86_64.rpm
nodejs-docs-18.17.1-1.mga9.noarch.rpm
nodejs-libs-18.17.1-1.mga9.x86_64.rpm
yarnpkg-1.22.19-13.mga9.noarch.rpm
MGA9 i586:
v8-devel-10.2.154.26.mga9-3.mga9.i586.rpm
nodejs-devel-18.17.1-1.mga9.i586.rpm
nodejs-18.17.1-1.mga9.i586.rpm
npm-9.6.7-1.18.17.1.1.mga9.i586.rpm
nodejs-docs-18.17.1-1.mga9.noarch.rpm
nodejs-libs-18.17.1-1.mga9.i586.rpm
Herman Viaene:
Repeating tests as above (Comment 6) and taking remarks of Comment 8 into account, now getting the same results as in bug 32047. So good to go.
Whiteboard:
MGA8TOO =>
MGA8TOO MGA8-64-OK

Thanks Herman. What is still required to push this security update?

Nothing from me, I OK'ed it.

Herman, did you test m9 as well or does that still need to be done?

No, my laptop can run only one version at the time.

m9 x86_64. Installed npm, nodejs and nodejs-libs. Used qarepo to make the x86_64 packages from comment 11 available and installed the updates. Updates installed cleanly. Repeated tests from comment 6 with same results. Validating the update.
Whiteboard:
MGA8TOO MGA8-64-OK =>
MGA8TOO MGA8-64-OK MGA9-64-OK

Dave Hodgins
2023-09-20 22:50:39 CEST
Keywords:
(none) =>
advisory
christian barranco
2023-09-21 21:24:47 CEST
Blocks:
(none) =>
32309

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0264.html
Resolution:
(none) =>
FIXED

christian barranco (comment #19):
Hi. For MGA9, you need also to push yarnpkg.
Thanks

(In reply to christian barranco from comment #19)
> Hi. For MGA9, you need also to push yarnpkg.
> Thanks
If this bug depends on that, I think it should be reopened. If not, create a separate bug.
CC:
(none) =>
fri

christian barranco:
Hi Morgan
It had already been added to the source field. Isn't it enough? Comments 9 and 10 have mentioned it + advisory.

Yes, you're right Christian. It just will need to be added to the SVN advisory.

- MID AIR COLLISION -
Ah, now I understand. yarnpkg-1.22.19-13.mga9.noarch.rpm is still in core/updates_testing/, for both i586 and x86_64, but other packages got pushed. Advisory is correct. So some fail on script or manual handling. This bug is marked fixed, indicating nothing more to be done. Reopening to get yarnpkg-1.22.19-13.mga9.noarch.rpm moved, for both i586 and x86_64.
Resolution:
FIXED =>
(none)

christian barranco (comment #25):
Thanks Morgan
As the advisory might have not been clear enough for yarnpkg, here is an update:
ADVISORY NOTICE PROPOSAL (UPDATE)
========================
yarnpkg package rebuilt with npm 9.6.7
Description
yarnpkg package rebuilt with npm 9.6.7, after updating to nodejs 18.17.1
References
https://bugs.mageia.org/show_bug.cgi?id=32176
SRPMS
9/core
yarnpkg-1.22.19-13.mga9.src.rpm
PROVIDED PACKAGES:
yarnpkg-1.22.19-13.mga9
PACKAGES FOR QA TESTING
=======================
MGA9
yarnpkg-1.22.19-13.mga9.noarch.rpm
Marja Van Waes:
(In reply to christian barranco from comment #25)
> Thanks Morgan
>
> As the advisory might have not been clear enough for yarnpkg, here is an
> update:
>
> ADVISORY NOTICE PROPOSAL (UPDATE)
> ========================
> yarnpkg package rebuilt with npm 9.6.7
>
> Description
> yarnpkg package rebuilt with npm 9.6.7, after updating to nodejs 18.17.1
>
> References
> https://bugs.mageia.org/show_bug.cgi?id=32176
>
> SRPMS
> 9/core
> yarnpkg-1.22.19-13.mga9.src.rpm
>
> PROVIDED PACKAGES:
> yarnpkg-1.22.19-13.mga9
>
> PACKAGES FOR QA TESTING
> =======================
> MGA9
> yarnpkg-1.22.19-13.mga9.noarch.rpm
Sorry, I find it too confusing to add this to the advisory, now that updated nodejs has already been released. I'll create a new bug report, upload a new advisory asap with only this in it and will tag it as validated_update.
CC:
(none) =>
marja11

Marja Van Waes
2023-09-28 18:47:28 CEST
Blocks:
(none) =>
32341
*** Bug 32341 has been marked as a duplicate of this bug. ***

David Walser (comment #28):
Just add yarnpkg to the SRPMS list in the SVN advisory. The advisory text should not need to be changed.

Marja Van Waes (comment #29):
(In reply to David Walser from comment #28)
> Just add yarnpkg to the SRPMS list in the SVN advisory. The advisory text
> should not need to be changed.
Done, only wrote modejs in the commit message :-(

(In reply to David Walser from comment #28)
> Just add yarnpkg to the SRPMS list in the SVN advisory. The advisory text
> should not need to be changed.
(In reply to Marja Van Waes from comment #29)
> (In reply to David Walser from comment #28)
> > Just add yarnpkg to the SRPMS list in the SVN advisory. The advisory text
> > should not need to be changed.
>
> Done, only wrote modejs in the commit message :-(
https://svnweb.mageia.org/advisories/32176.adv?r1=14987&r2=15011
So why doesn't it work? Neoclust has pushed updates twice since I added that line. However yarnpkg still isn't in updates:
http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/9/SRPMS/core/updates/
Nicolas, could you please move yarnpkg to updates?
CC:
(none) =>
mageia

should be OK now.

I confirm yarnpkg-1.22.19-13.mga9.noarch.rpm is now on updates. What is the next step? Close as fixed?

Yep. Thanks Nicolas!

Thanks all!
Resolution:
(none) =>
FIXED