| Summary: | Updated nodejs 18.18.2 fixes CVE-2023-44487/45143/38552/39333 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | christian barranco <chb0> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, marja11, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | nodejs-18.17.1-1.mga9.src.rpm,yarnpkg-1.22.19-13.mga9.src.rpm | CVE: | |
| Status comment: | |||
|
Description
christian barranco
2023-10-17 22:34:59 CEST
christian barranco
2023-10-17 22:40:05 CEST
Source RPM:
nodejs-18.17.1-1.mga9.src.rpm =>
nodejs-18.17.1-1.mga9.src.rpm,yarnpkg-1.22.19-13.mga9.src.rpm

Ready for QA!
ADVISORY NOTICE PROPOSAL
========================
Updated nodejs 18.18.2 packages fix security vulnerabilities
Description
This is a security release. The following CVEs are fixed in this release:
CVE-2023-44487: nghttp2 Security Release (High)
CVE-2023-45143: undici Security Release (High)
CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
CVE-2023-39333: Code injection via WebAssembly export names (Low)
More detailed information on each of the vulnerabilities can be found in the October 2023 Security Releases blog post.
References
https://bugs.mageia.org/show_bug.cgi?id=32403
https://github.com/nodejs/node/releases/tag/v18.18.2
https://github.com/nodejs/node/releases/tag/v18.18.1
https://nodejs.org/en/blog/vulnerability/october-2023-security-releases
SRPMS for MGA9
9/core
nodejs-18.18.2-1.mga9.src.rpm
yarnpkg-1.22.19-14.mga9.src.rpm
PROVIDED PACKAGES:
nodejs-docs-18.18.2-1.mga9
nodejs-libs-18.18.2-1.mga9
nodejs-devel-18.18.2-1.mga9
nodejs-18.18.2-1.mga9
v8-devel-10.2.154.26.mga9-4.mga9
npm-9.8.1-1.18.18.2.1.mga9
yarnpkg-1.22.19-14.mga9
PACKAGES FOR QA TESTING
=======================
x86_64:
v8-devel-10.2.154.26.mga9-4.mga9.x86_64.rpm
nodejs-devel-18.18.2-1.mga9.x86_64.rpm
nodejs-18.18.2-1.mga9.x86_64.rpm
npm-9.8.1-1.18.18.2.1.mga9.x86_64.rpm
nodejs-docs-18.18.2-1.mga9.noarch.rpm
nodejs-libs-18.18.2-1.mga9.x86_64.rpm
yarnpkg-1.22.19-14.mga9.noarch.rpm
i586:
v8-devel-10.2.154.26.mga9-4.mga9.i586.rpm
nodejs-devel-18.18.2-1.mga9.i586.rpm
nodejs-18.18.2-1.mga9.i586.rpm
npm-9.8.1-1.18.18.2.1.mga9.i586.rpm
nodejs-docs-18.18.2-1.mga9.noarch.rpm
nodejs-libs-18.18.2-1.mga9.i586.rpm

Assignee:
chb0 =>
qa-bugs
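As an added example for the QA step the advisory above asks for (this is not code from the Mageia package, from the bug report or from Node.js itself), a small script a tester can run on the updated host: it checks that the running Node is at or above the fixed version 18.18.2 named in the advisory and records the bundled nghttp2 and undici versions, the two components that CVE-2023-44487 and CVE-2023-45143 concern. It assumes that `process.versions` exposes `nghttp2` and `undici` keys on this Node 18 build and reports them as `unknown` if it does not; the file name `check-node-version.js` is hypothetical.

```javascript
// Added example for this bug's QA step; not part of the Mageia package,
// the bug report, or Node.js. It checks that the Node runtime in use is at
// or above the version the advisory names (18.18.2) and records the bundled
// nghttp2 and undici versions, the components that CVE-2023-44487 and
// CVE-2023-45143 concern. process.versions is a standard Node.js object; the
// nghttp2 and undici keys are assumed to exist on this build and are
// reported as 'unknown' when absent.

const FIXED_NODE = '18.18.2'; // fixed version, taken from the advisory

// Parse "v18.18.2" or "18.18.2" into [18, 18, 2]. Anything after the third
// number (a pre-release tag, for instance) is ignored for the comparison.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, component-wise comparison returning -1, 0 or 1. A plain string
// comparison would sort "18.9.0" after "18.18.2", which is the wrong answer
// for a "is the fix installed?" check.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Build a report for a versions object (defaults to the running process).
// `ok` is true only when the Node version is >= FIXED_NODE.
function checkRuntime(versions = process.versions) {
  return {
    node: versions.node,
    nghttp2: versions.nghttp2 || 'unknown', // bundled HTTP/2 library (CVE-2023-44487)
    undici: versions.undici || 'unknown',   // bundled fetch client (CVE-2023-45143)
    fixedVersion: FIXED_NODE,
    ok: compareVersions(versions.node, FIXED_NODE) >= 0,
  };
}

// Stand-alone use: print the report for the Node that is running this file.
console.log(JSON.stringify(checkRuntime(), null, 2));
```

Run it as `node check-node-version.js` on the updated system; `"ok": true` in the output means the runtime is at or above 18.18.2, and the other fields record which bundled component versions that build carries, which is useful to paste into the bug alongside the package-level `urpmq` checks.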
christian barranco
2023-10-17 22:48:24 CEST
CC:
(none) =>
herman.viaene

Mageia9, x86_64

```
$ npm ls -g
/usr/lib
├── corepack@0.18.0
├── npm@9.6.7
└── yarn@1.22.19

$ npm ls
nodejs@ /run/media/lcl/Toshiba/qa/nodejs
├── express@4.18.2
└── print-code@1.0.2

$ npm install abbrev

added 1 package, and audited 70 packages in 723ms

8 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
npm notice
npm notice New major version of npm available! 9.6.7 -> 10.2.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v10.2.0
npm notice Run npm install -g npm@10.2.0 to update!
npm notice

$ npm ls
nodejs@ /run/media/lcl/Toshiba/qa/nodejs
├── abbrev@2.0.0
├── express@4.18.2
└── print-code@1.0.2

$ npm search express
NAME | DESCRIPTION | AUTHOR | DATE
express | Fast,… | =mikeal… | 2022-10-08
express-validator | Express middleware… | =ctavan… | 2023-04-16
path-to-regexp | Express style path… | =blakeembrey… | 2022-05-06
express-handlebars | A Handlebars view… | =ericf =sahat… | 2023-08-08
express-http-proxy | http proxy… | =villadora… | 2023-09-04
........

$ cat main.js
var http = require("http");

http.createServer(function (request, response) {
   // Send the HTTP header
   // HTTP Status: 200 : OK
   // Content Type: text/plain
   response.writeHead(200, {'Content-Type': 'text/plain'});

   // Send the response body as "Hello World"
   response.end('Hello World\n');
}).listen(8081);

// Console will print the message
console.log('Server running at http://127.0.0.1:8081/');
// $ node main.js
// Check http://localhost:8081/

$ node main.js
Server running at http://127.0.0.1:8081/
```

Pointing a web browser at http://localhost:8081 shows the "Hello World" message on a new page.

Tried adding a function:

```
$ cat mydate.js
exports.myDateTime = function () {
  return Date();
};

$ cat newbie.js
const http = require('http');
var dt = require('./mydate');

const hostname = '127.0.0.1';
const port = 3000;

const server = http.createServer((req, res) => {
  res.statusCode = 200;
  res.setHeader('Content-Type', 'text/plain');
  res.end('Hello World\n');
});

server.listen(port, hostname, () => {
  console.log(`Server running at http://${hostname}:${port}/`);
});

http.createServer(function (req, res) {
  res.writeHead(200, {'Content-Type': 'text/html'});
  res.write("The date and time are currently: " + dt.myDateTime());
  res.end();
}).listen(8080);

$ node newbie.js
Server running at http://127.0.0.1:3000/
```

This shows the helloworld page at localhost:3000 and the current date and time on another web page at localhost:8080. This is pretty basic but I do not intend taking it any further.

Trying an interactive session:

```
$ node
Welcome to Node.js v18.18.2.
Type ".help" for more information.
> .load newbie.js
const http = require('http');
[...]
> Server running at http://127.0.0.1:3000/
<Checked time at localhost:8080>
.exit

$ node
> a = 77.1
77.1
> a**2
5944.409999999999
> .exit

$ urpmq --whatrequires nodejs | sort -u | grep -v nodejs
csslint
jupyter-jupyterlab
mediawiki
mediawiki-math
mkchromecast
notepadqq
npm
python3-jupyterlab
ruby-execjs
ruby-less
uglify-js
uglify-js1
ycssmin
```

Nothing there that is familiar territory. Letting this go since basic tests work.

CC:
(none) =>
tarazed25

Advisory from comment 1 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

Keywords:
(none) =>
advisory

I would say there is not a lot required to test this security update within the same branch. If nobody wants to test it quickly from now, I recommend validating and pushing it.

Thank you for the input, Christian. Too often QA testers aren't familiar with the package being tested, and can use the advice on how to proceed. Validating.

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0299.html

Resolution:
(none) =>
FIXED