| Summary: | updated Nodejs 18.19.1 fixes CVE-2024-21892 CVE-2024-22019 CVE-2023-46809 CVE-2024-22025 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | christian barranco <chb0> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | nodejs-18.18.2-1.mga9.src.rpm,yarnpkg-1.22.19-14.mga9.src.rpm | CVE: | CVE-2024-21892,CVE-2024-22019,CVE-2023-46809,CVE-2024-22025 |
| Status comment: | |||
|
Description
christian barranco
2024-02-17 08:24:27 CET
christian barranco
2024-02-17 08:24:52 CET
CVE:
(none) =>
CVE-2024-21892,CVE-2024-22019,CVE-2023-46809,CVE-2024-22025 ADVISORY NOTICE PROPOSAL
========================
Updated nodejs 18.19.1 packages fix security vulnerabilities
Description
This is a security release. The following CVEs are fixed in this release:
CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
More detailed information on each of the vulnerabilities can be found in february 2024 Security Releases blog post.
also, the following is updated:
undici version 5.28.3
npm version 10.2.4
yarn package is then updated to 1.12.21 and built with npm 10.2.4
References
https://bugs.mageia.org/show_bug.cgi?id=32861
https://github.com/nodejs/node/releases/tag/v18.19.1
https://github.com/nodejs/node/releases/tag/v18.19.0
https://github.com/yarnpkg/yarn/releases/tag/v1.22.21
https://github.com/yarnpkg/yarn/releases/tag/v1.22.20
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22025
SRPMS for MGA9
9/core
nodejs-18.19.1-1.mga9.src.rpm
yarnpkg-1.22.21-0.10.2.4.1.mga9.src.rpm
PACKAGES FOR QA TESTING
=======================
x86_64:
v8-devel-10.2.154.26.mga9-5.mga9.x86_64.rpm
nodejs-devel-18.19.1-1.mga9.x86_64.rpm
nodejs-18.19.1-1.mga9.x86_64.rpm
npm-10.2.4-1.18.19.1.1.mga9.x86_64.rpm
nodejs-docs-18.19.1-1.mga9.noarch.rpm
nodejs-libs-18.19.1-1.mga9.x86_64.rpm
yarnpkg-1.22.21-0.10.2.4.1.mga9.noarch.rpm
i586:
v8-devel-10.2.154.26.mga9-5.mga9.i586.rpm
nodejs-devel-18.19.1-1.mga9.i586.rpm
nodejs-18.19.1-1.mga9.i586.rpm
npm-10.2.4-1.18.19.1.1.mga9.i586.rpm
nodejs-docs-18.19.1-1.mga9.noarch.rpm
nodejs-libs-18.19.1-1.mga9.i586.rpm
yarnpkg-1.22.21-0.10.2.4.1.mga9.noarch.rpm
katnatek
2024-02-17 17:27:50 CET
Keywords:
(none) =>
advisory
christian barranco
2024-02-17 17:38:30 CET
CC:
(none) =>
herman.viaene Tested in real hardware mageia 9 x86_64
I have MLO repositories so I get in previous update the mlo version of this packages
installing nodejs-18.19.1-1.mga9.x86_64.rpm npm-10.2.4-1.18.19.1.1.mga9.x86_64.rpm nodejs-libs-18.19.1-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ###################################################################################################
1/3: nodejs-libs ###################################################################################################
2/3: npm ###################################################################################################
3/3: nodejs ###################################################################################################
1/3: removing nodejs-1:18.19.1-0.squidf.mlo9.x86_64
###################################################################################################
2/3: removing npm-1:10.2.4-1.18.19.1.0.squidf.mlo9.x86_64
###################################################################################################
3/3: removing nodejs-libs-1:18.19.1-0.squidf.mlo9.x86_64
###################################################################################################
I don't know if this count as valid test because we used to test the update from mageia packages to mageia packages
Thanks katnatek for your test. It is exactly the same packages between MLO and MGA. I put it first in MLO to test it and to build signal-desktop with it. The installation should not be an issue. What is more important is to test the package itself. One way to test it is to follow: https://bugs.mageia.org/show_bug.cgi?id=29872#c15 CC:
(none) =>
tarazed25 npm ls -g /usr/lib ├── corepack@0.22.0 └── npm@10.2.4 I test the server.js in https://nodejs.org/en/learn/getting-started/introduction-to-nodejs node server.js Server running at http://127.0.0.1:3000/ Open the link in my browser, i seee Hello World (In reply to katnatek from comment #5) > npm ls -g > /usr/lib > ├── corepack@0.22.0 > └── npm@10.2.4 > > I test the server.js in > https://nodejs.org/en/learn/getting-started/introduction-to-nodejs > > node server.js > Server running at http://127.0.0.1:3000/ > > Open the link in my browser, i seee > > Hello World Success ;) Search on other bugs npm install express added 64 packages, and audited 75 packages in 4s 12 packages are looking for funding run `npm fund` for details found 0 vulnerabilities npm install print-code added 10 packages in 4s npm notice npm notice New minor version of npm available! 10.2.4 -> 10.4.0 npm notice Changelog: https://github.com/npm/cli/releases/tag/v10.4.0 npm notice Run npm install -g npm@10.4.0 to update! npm notice I try reproduce https://bugs.mageia.org/show_bug.cgi?id=32047#c17 node --print-code but i get 0x7f4269bab054 full embedded object (0x38c3999d8839 <String[10]: #objectMode>) 0x7f4269bab062 runtime entry 0x7f4269bab06f runtime entry 0x7f4269bab0ac full embedded object (0x222f547455f9 <String[6]: #length>) 0x7f4269bab0ba runtime entry 0x7f4269bab0c8 runtime entry 0x7f4269bab0d2 full embedded object (0x222f547455f9 <String[6]: #length>) 0x7f4269bab0e0 runtime entry 0x7f4269bab0e9 runtime entry 0x7f4269bab10a full embedded object (0x222f54744861 <String[6]: #buffer>) 0x7f4269bab118 runtime entry 0x7f4269bab126 full embedded object (0x06e5f3e028c9 <String[7]: #unshift>) 0x7f4269bab134 runtime entry 0x7f4269bab14c runtime entry 0x7f4269bab168 full embedded object (0x222f54744861 <String[6]: #buffer>) 0x7f4269bab176 runtime entry 0x7f4269bab184 full embedded object (0x06e5f3e02899 <String[4]: #push>) 0x7f4269bab192 runtime entry 0x7f4269bab1aa runtime entry 0x7f4269bab1b4 full embedded object (0x161d1103e311 <String[5]: #state>) 0x7f4269bab1c2 runtime entry 0x7f4269bab1e8 full embedded object (0x38c3999d8681 <String[13]: #kNeedReadable>) 0x7f4269bab1ff runtime entry 0x7f4269bab20e runtime entry 0x7f4269bab222 runtime entry 0x7f4269bab264 runtime entry 0x7f4269bab28e runtime entry 0x7f4269bab2a6 runtime entry Each type but once I press enter the result of operation is correct, what you think christian barranco?
katnatek
2024-02-22 01:55:13 CET
CC:
(none) =>
andrewsfarm OK I repeat but this time just run node instead of node --print-code And not get all the extra output in terminal, so I guess is a sort of debug mod? (In reply to katnatek in comment 8) Yes, the extra output is the underlying code-stream, probably useful to developers and bug-spotters. Hi. Sorry, I have been busy to try to find a way to get a direction for Chromium. I confirm Len's analysis. On my side, I have been using this nodejs version without any issue to build signal-desktop. As it is a security update, I advise to give the ok rather quickly now. I let to Thomas the validation Whiteboard:
(none) =>
MGA9-64-OK Validating. Keywords:
(none) =>
validated_update An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0046.html Status:
NEW =>
RESOLVED |