Bug 21330 - nodejs new security issues fixed upstream in 6.17.1
Summary: nodejs new security issues fixed upstream in 6.17.1
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
: 22094 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-07-23 21:47 CEST by David Walser
Modified: 2019-07-28 01:02 CEST (History)
8 users (show)

See Also:
Source RPM: nodejs-6.10.3-2.mga6.src.rpm
CVE:
Status comment:


Attachments
Exploratory notes on V8 and the nodejs disposition. (2.32 KB, text/plain)
2019-06-09 18:26 CEST, Len Lawrence
Details

Description David Walser 2017-07-23 21:47:10 CEST
Fedora has issued an advisory today (July 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2AXESDBS3WP5K4PFYD3EMDD3R662MMG6/

This follows from the upstream advisory on July 11:
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/

For 6.x, the issues were fixed in 6.11.1:
https://nodejs.org/en/blog/release/v6.11.1/

Mageia 5 and Mageia 6 are also affected.

0.10.x is no longer supported, so we should recommend users upgrade to Mageia 6.
David Walser 2017-07-23 21:47:18 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Nicolas Lécureuil 2017-07-26 18:36:54 CEST
6.11.1 pushed in updates_testing
and pushed in cauldron too

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Nicolas Lécureuil 2017-07-26 18:37:03 CEST

Assignee: mageia => qa-bugs

Comment 2 David Walser 2017-07-26 22:21:14 CEST
Assigning back to Nicolas.  Neither update built successfully.

Assignee: qa-bugs => mageia
Whiteboard: (none) => MGA6TOO
CC: (none) => qa-bugs
Version: 6 => Cauldron

Comment 3 Nicolas Lécureuil 2017-07-27 00:34:19 CEST
let's validate this  the cauldron package will be pushed when rpm will be fixed, it is on my todo, i won't forget.


src.rpm http-parser-2.7.1-1.mga6 and nodejs-6.11.1-1.1.mga6

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Nicolas Lécureuil 2017-07-27 00:34:30 CEST

Assignee: mageia => qa-bugs

Comment 4 David Walser 2017-07-27 01:57:49 CEST
Advisory:
========================

Updated nodejs packages fix security vulnerabilities:

Node.js was susceptible to hash flooding remote DoS attacks as the HashTable
seed was constant across a given released version of Node.js. This was a result
of building with V8 snapshots enabled by default which caused the initially
randomized seed to be overwritten on startup (CVE-2017-11499).

Parsing of NAPTR responses by the bundled c-ares library could be triggered to
read memory outside of the given input buffer through carefully crafted DNS
response packets (CVE-2017-1000381).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000381
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
https://nodejs.org/en/blog/release/v6.11.1/
========================

Updated packages in core/updates_testing:
========================
libhttp-parser2-2.7.1-1.mga6
libhttp-parser-devel-2.7.1-1.mga6
nodejs-6.11.1-1.1.mga6
nodejs-devel-6.11.1-1.1.mga6
npm-3.10.10-1.6.11.1.1.mga6
nodejs-docs-6.11.1-1.1.mga6

from SRPMS:
http-parser-2.7.1-1.mga6.src.rpm
nodejs-6.11.1-1.1.mga6.src.rpm
David Walser 2017-07-27 01:58:07 CEST

CC: qa-bugs => (none)

Comment 5 David Walser 2017-07-29 23:18:52 CEST
Nicolas is working on fixing dependency issues from the update.  Adding the feedback marker until that's completed.  Note to self also to add a bit to the advisory about Mageia 5 users should update to Mageia 6 as 0.10.x is unsupported.

Whiteboard: (none) => feedback

Comment 6 Nicolas Lécureuil 2017-08-11 01:27:24 CEST
new src.rpm nodejs-6.11.1-1.3.mga6 ( the install issue )

CC: (none) => mageia

Comment 7 David Walser 2017-08-11 02:08:57 CEST
Advisory:
========================

Updated nodejs packages fix security vulnerabilities:

Node.js was susceptible to hash flooding remote DoS attacks as the HashTable
seed was constant across a given released version of Node.js. This was a result
of building with V8 snapshots enabled by default which caused the initially
randomized seed to be overwritten on startup (CVE-2017-11499).

Parsing of NAPTR responses by the bundled c-ares library could be triggered to
read memory outside of the given input buffer through carefully crafted DNS
response packets (CVE-2017-1000381).

Note that Mageia 5 is also affected, but the 0.10.x branch of nodejs is no
longer supported.  Users of nodejs should upgrade to Mageia 6.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000381
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
https://nodejs.org/en/blog/release/v6.11.1/
========================

Updated packages in core/updates_testing:
========================
libhttp-parser2-2.7.1-1.mga6
libhttp-parser-devel-2.7.1-1.mga6
nodejs-6.11.1-1.8.mga6
nodejs-devel-6.11.1-1.8.mga6
npm-3.10.10-1.8.mga6
nodejs-docs-6.11.1-1.8.mga6

from SRPMS:
http-parser-2.7.1-1.mga6.src.rpm
nodejs-6.11.1-1.8.mga6.src.rpm
David Walser 2017-08-11 02:09:03 CEST

Whiteboard: feedback => (none)

Comment 8 David Walser 2017-08-12 00:11:03 CEST
Package was rebuilt to change the release tag for some reason.

nodejs-6.11.1-2.1.mga6
nodejs-devel-6.11.1-2.1.mga6
npm-3.10.10-2.1.mga6
nodejs-docs-6.11.1-2.1.mga6

from nodejs-6.11.1-2.1.mga6.src.rpm
Comment 9 Manuel Hiebel 2017-08-16 20:55:59 CEST
still impossible to update 

# urpmi --debug nodejs
(...)
getting exclusive lock on rpm
search_packages: found nodejs-6.10.3-2.mga6.x86_64 matching nodejs
search_packages: found nodejs-6.11.1-2.1.mga6.x86_64 matching nodejs
found package(s): nodejs-6.10.3-2.mga6.x86_64 nodejs-6.11.1-2.1.mga6.x86_64
opening rpmdb (root=, write=)
chosen nodejs-6.11.1-2.1.mga6.x86_64 for nodejs|nodejs
selecting nodejs-6.11.1-2.1.mga6.x86_64
set_rejected: nodejs-6.10.3-2.mga6.x86_64
installed npm-3.10.10-2.mga6.x86_64 is conflicting because of unsatisfied nodejs[== 1:6.10.3-2.mga6]
promoting npm-3.10.10-2.1.mga6.x86_64 because of conflict above
selecting npm-3.10.10-2.1.mga6.x86_64
set_rejected: npm-3.10.10-2.mga6.x86_64
requiring nodejs[== 1:6.11.1-2.1] for npm-3.10.10-2.1.mga6.x86_64
no packages match nodejs[== 1:6.11.1-2.1] (it is either in skip.list or already rejected)
unselecting npm-3.10.10-2.1.mga6.x86_64
adding a reason to already rejected package npm-3.10.10-2.1.mga6.x86_64: unsatisfied nodejs[== 1:6.11.1-2.1]
installed npm-3.10.10-2.mga6.x86_64 is conflicting because of unsatisfied nodejs[== 1:6.10.3-2.mga6]
set_rejected: npm-3.10.10-2.mga6.x86_64
selected nodejs-6.11.1-2.1.mga6.x86_64 is conflicting because of unsatisfied npm[== 1:3.10.10]
promoting npm-3.10.10-2.mga6.i586 npm-3.10.10-2.1.mga6.i586 because of conflict above
no packages match npm|npm (it is either in skip.list or already rejected)
no packages match npm (it is either in skip.list or already rejected)
selected nodejs-6.11.1-2.1.mga6.x86_64 is conflicting because of unsatisfied npm[== 1:3.10.10]
unselecting nodejs-6.11.1-2.1.mga6.x86_64
Le paquetage demandé ne peut pas être installé :
npm-3.10.10-2.1.mga6.x86_64 (car nodejs[== 1:6.11.1-2.1] est non satisfait)

Whiteboard: (none) => feedback

Comment 10 Nicolas Lécureuil 2017-08-20 01:24:05 CEST
i just tried and it installs now.

Can you confirm ?

Whiteboard: feedback => (none)

Comment 11 David Walser 2017-08-20 01:26:04 CEST
Only the release tag changed again, but Nicolas is able to install them and upgrade to them from the core/release versions.

nodejs-6.11.1-3.mga6
nodejs-devel-6.11.1-3.mga6
npm-3.10.10-3.mga6
nodejs-docs-6.11.1-3.mga6

from nodejs-6.11.1-3.mga6.src.rpm
Comment 12 David Walser 2017-08-21 17:53:35 CEST
Nicolas is in the process of updating this again to 6.11.2, as well as providing an update for Mageia 5:
https://nodejs.org/en/blog/release/v6.11.2/

Whiteboard: (none) => feedback

Comment 13 David Walser 2017-08-22 18:51:21 CEST
This is still in progress.  It looks like the current build needs to be removed from mga6 core/updates_testing so it can be resubmitted, otherwise youri is rejecting the upload.

Current package list for Mageia 5 (since it won't be visible on pkgsubmit soon):
libuv1-1.9.0-1.mga5
libuv-devel-1.9.0-1.mga5
libuv-static-devel-1.9.0-1.mga5
libhttp-parser2-2.7.1-1.mga5
libhttp-parser-devel-2.7.1-1.mga5
nodejs-6.11.1-1.mga5
nodejs-devel-6.11.1-1.mga5
npm-3.10.10-1.mga5
nodejs-docs-6.11.1-1.mga5

from SRPMS:
libuv-1.9.0-1.mga5.src.rpm
http-parser-2.7.1-1.mga5.src.rpm
nodejs-6.11.1-1.mga5.src.rpm
Comment 14 Samuel Verschelde 2017-09-06 15:09:17 CEST
Moving 'feedback' from whiteboard to keywords now that madb has been updated to handle that keyword.

Whiteboard: feedback => (none)
Keywords: (none) => feedback

Comment 15 David Walser 2017-11-08 03:48:56 CET
Fedora has issued an advisory today (November 7):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YIOZ3PHJMBMHJGZPHUHUKZTSXF3GWNWG/

The issue (CVE-2017-14919) is fixed in 6.11.5:
https://nodejs.org/en/blog/vulnerability/oct-2017-dos/

What's not clear to me is if the issue was in zlib itself, or nodejs's zlib module.  As we don't use the bundled zlib (we build against the system one), we may not be affected.
Comment 16 David Walser 2017-12-06 23:05:38 CET
*** Bug 22094 has been marked as a duplicate of this bug. ***

CC: (none) => smelror

Comment 17 David Walser 2017-12-29 17:22:16 CET
Assigning back to Nicolas.  I guess we should update it to 6.11.5 and make sure there are no dependency problems before assigning back to QA.

CC: (none) => qa-bugs
Assignee: qa-bugs => mageia
Keywords: feedback => (none)

Comment 18 Marc Krämer 2018-01-17 18:43:37 CET
As far as I understand this issue (CVE-2017-14919), it is a change in the interface of zlib > 1.2.9. On the call of the lib with the value 8, it will not create an instance. This is not handled correctly, so node.js crashes.

CC: (none) => mageia

Comment 19 David Walser 2018-01-17 18:49:37 CET
Ok, so that particular issue isn't relevant for us.
Comment 20 Marc Krämer 2018-01-17 18:54:52 CET
It is still relevant, since they state this behaviour can be exploited.
Comment 21 David Walser 2018-01-17 18:56:49 CET
They must have made an adjustment in their zip module then.  That is fine.  We need to update this regardless.
David Walser 2018-02-02 18:15:27 CET

Status comment: (none) => dependency issue in update candidate, should be updated again

Comment 22 David Walser 2018-04-03 19:21:01 CEST
Upstream has issued an advisory on March 21:
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/

CVE-2018-7158 CVE-2018-7159 CVE-2018-7160 are fixed in 6.14.0:
https://nodejs.org/en/blog/release/v6.14.0/

superceded by bugfix release 6.14.1 on March 30:
https://nodejs.org/en/blog/release/v6.14.1/

Fedora has issued an advisory for this today (April 3):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YNDB7OOHGGSPMIELVOUE5AYAJ3PO5DAI/

Cauldron also needs to be updated to at least 8.11.0 (8.11.1 is also out).

Version: 6 => Cauldron
Whiteboard: (none) => MGA6TOO
Summary: nodejs new security issues fixed upstream in 6.11.1 => nodejs new security issues fixed upstream in 6.14.0

Comment 23 David Walser 2018-04-07 18:32:51 CEST
Fedora has issued an advisory for 6.14.0 on April 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VWNIJUQHBGKOST6ZUOIDBC7PMTYP2POX/
Comment 24 Stig-Ørjan Smelror 2018-06-13 20:06:50 CEST
Nodejs has issued updates on June 12 for several security issues.

CVE-2018-7161
CVE-2018-7162
CVE-2018-7164
CVE-2018-7167
CVE-2018-1000168

https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/

MGA6 is only vulnerable to CVE-2018-7167.
Cauldron to all of the above.
Stig-Ørjan Smelror 2018-06-13 20:13:02 CEST

Source RPM: nodejs-6.10.3-2.mga6.src.rpm => nodejs-6.10.3-2.mga6.src.rpm, nodejs-8.11.2-1.mga7.src.rpm
Summary: nodejs new security issues fixed upstream in 6.14.0 => nodejs new security issues fixed upstream in 6.14.3 and 8.11.3

Comment 25 Stig-Ørjan Smelror 2018-06-13 21:28:23 CEST
nodejs-8.11.3 has been pushed to Cauldron.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 26 David Walser 2018-06-13 23:39:59 CEST
Nice work Stig-Ørjan, thanks.

Hopefully one of these days we can build a security update for Mageia 6.

Summary: nodejs new security issues fixed upstream in 6.14.3 and 8.11.3 => nodejs new security issues fixed upstream in 6.14.3

Comment 27 David Walser 2018-07-16 20:52:32 CEST
openSUSE has issued an advisory for 6.14.3 on July 14:
https://lists.opensuse.org/opensuse-updates/2018-07/msg00034.html
Comment 28 David Walser 2018-08-29 21:02:07 CEST
Upstream has issued an advisory on August 16:
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

The 6.x branch is up to 6.14.4, 8.x (Cauldron) is up to 8.11.4.

Summary: nodejs new security issues fixed upstream in 6.14.3 => nodejs new security issues fixed upstream in 6.14.4

Comment 29 David Walser 2019-01-19 17:32:59 CET
Upstream has issued an advisory on November 28:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

The 6.x branch is up to 6.15.1:
https://nodejs.org/en/blog/release/v6.15.1/

10.x is up to 10.15.0:
https://nodejs.org/en/blog/release/v10.15.0/

SUSE has issued an advisory for this on January 18:
http://lists.suse.com/pipermail/sle-security-updates/2019-January/005043.html

Version: 6 => Cauldron
Summary: nodejs new security issues fixed upstream in 6.14.4 => nodejs new security issues fixed upstream in 6.15.1
Whiteboard: (none) => MGA6TOO
CC: (none) => joequant

Comment 30 David Walser 2019-02-15 00:52:30 CET
nodejs6 advisory from SUSE from today (February 14):
http://lists.suse.com/pipermail/sle-security-updates/2019-February/005121.html

They updated to 6.16.0 which fixes a regression from the security fix:
https://nodejs.org/en/blog/release/v6.16.0/
Comment 31 David Walser 2019-02-15 00:55:09 CET
Cauldron is currently up to date with security fixes, but is missing the regression fix, which is also in 10.15.0.  The newest is 10.15.1:
https://nodejs.org/en/blog/release/v10.15.1/

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 32 David Walser 2019-03-18 23:29:47 CET
Upstream has issued an advisory on February 28:
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

CVE-2019-5737 is fixed in 10.15.2, and that and CVE-2019-5739 are fixed in 6.17.0:
https://nodejs.org/en/blog/release/v6.17.0
https://nodejs.org/en/blog/release/v10.15.2

There is also the 10.15.3 bugfix release for that branch:
https://nodejs.org/en/blog/release/v10.15.3/

Whiteboard: (none) => MGA6TOO
Version: 6 => Cauldron

David Walser 2019-03-18 23:29:58 CET

Summary: nodejs new security issues fixed upstream in 6.15.1 => nodejs new security issues fixed upstream in 6.17.0

Comment 33 David Walser 2019-03-18 23:30:41 CET
SUSE advisory for nodejs10 from today (March 18):
http://lists.suse.com/pipermail/sle-security-updates/2019-March/005197.html
Comment 34 David Walser 2019-03-30 20:09:08 CET
SUSE advisory for 6.17.0 from March 29:
http://lists.suse.com/pipermail/sle-security-updates/2019-March/005269.html
Comment 35 David Walser 2019-04-21 20:22:46 CEST
10.15.3 is in Cauldron.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 36 Stig-Ørjan Smelror 2019-04-21 23:39:34 CEST
Looks like libuv needs to be updated to at least version 1.18.0 to get NodeJS to build on Mageia 6.

This commit was pushed a day before the 1.18 release.
https://github.com/libuv/libuv/commit/d708df110a03332224bd9be1bbd23093d9cf9022#diff-75ef5546bd1280c12d97fdd89c13da08

And NodeJS 6.17.1 borks on uv_os_getpid.

Green light?

Cheers,
Stig
Comment 37 David Walser 2019-04-21 23:43:54 CEST
Whatever needs to be done.
Comment 38 Stig-Ørjan Smelror 2019-04-21 23:45:32 CEST
David,

do I update libuv to the latest version or just to the version needed?

Cheers,
Stig
Comment 39 David Walser 2019-04-21 23:47:45 CEST
I guess it depends on which nodejs you're updating to.  As I recall, it can use a bundled one, so you'd want to match it to the version used by the nodejs version you're going to use.
Comment 40 Stig-Ørjan Smelror 2019-04-22 00:41:54 CEST
Advisory
========

NodeJS has been updated to fix several critical security issues.

References
==========
https://github.com/nodejs/node/search?q=CVE&type=Commits

Files
=====

Uploaded to core/updates_testing:

lib64uv1-1.16.1-1.mga6
lib64uv-devel-1.16.1-1.mga6
lib64uv-static-devel-1.16.1-1.mga6

from lib64uv1-1.16.1-1.mga6.src.rpm

nodejs-6.17.1-1.mga6
nodejs-devel-6.17.1-1.mga6
npm-3.10.10-1.6.17.1.1.mga6.2.mga6
nodejs-docs-6.17.1-1.mga6

from nodejs-6.17.1-1.mga6.src.rpm

Source RPM: nodejs-6.10.3-2.mga6.src.rpm, nodejs-8.11.2-1.mga7.src.rpm => nodejs-6.10.3-2.mga6.src.rpm,
Assignee: mageia => qa-bugs
Summary: nodejs new security issues fixed upstream in 6.17.0 => nodejs new security issues fixed upstream in 6.17.1

Comment 41 David Walser 2019-04-22 01:46:25 CEST
Reference for 6.17.1 bugfix release:
https://nodejs.org/en/blog/release/v6.17.1/
Comment 42 David Walser 2019-04-22 02:00:24 CEST
nodejs build rejected by the build system because the npm release tag is messed up.

Assignee: qa-bugs => smelror

Comment 43 Stig-Ørjan Smelror 2019-04-22 16:28:29 CEST
Advisory
========

NodeJS has been updated to fix several critical security issues.

References
==========
https://nodejs.org/en/blog/release/v6.17.1/

Files
=====

Uploaded to core/updates_testing:

lib64uv1-1.16.1-1.mga6
lib64uv-devel-1.16.1-1.mga6
lib64uv-static-devel-1.16.1-1.mga6

from lib64uv1-1.16.1-1.mga6.src.rpm

lib64http-parser2-2.9.2-1.mga6.x86_64.rpm
lib64http-parser-devel-2.9.2-1.mga6.x86_64.rpm

from http-parser-2.9.2-1.mga6.src.rpm

nodejs-6.17.1-4.mga6
nodejs-devel-6.17.1-4.mga6
npm-3.10.10-4.mga6
nodejs-docs-6.17.1-4.mga6
nodejs-debuginfo-6.17.1-4.mga6

from nodejs-6.17.1-4.mga6.src.rpm
Comment 44 Stig-Ørjan Smelror 2019-04-22 17:49:22 CEST
joequant fixed the issues in nodejs for Cauldron.

Status comment: dependency issue in update candidate, should be updated again => (none)
Assignee: smelror => qa-bugs
Source RPM: nodejs-6.10.3-2.mga6.src.rpm, => nodejs-6.10.3-2.mga6.src.rpm

Comment 45 Herman Viaene 2019-05-05 14:01:58 CEST
Trying this on x86-64: getting "This package cannot be selected" for nodejs-6.17.1-4.mga6, and npm-3.10.10-4.mga6 is dependent on that one.

CC: (none) => herman.viaene

Comment 46 Stig-Ørjan Smelror 2019-05-05 14:36:07 CEST
Herman,

npm depends on nodejs and vice versa. Both will be installed.

libuv was needed to build nodejs. I don't know if it's needed to run.
Comment 47 Stig-Ørjan Smelror 2019-05-05 14:37:50 CEST
Advisory
========

NodeJS has been updated to fix several critical security issues.

References
==========
https://nodejs.org/en/blog/release/v6.17.1/

Files
=====

Uploaded to core/updates_testing:

lib64uv1-1.16.1-1.mga6
lib64uv-devel-1.16.1-1.mga6
lib64uv-static-devel-1.16.1-1.mga6

from libuv-1.16.1-1.mga6.src.rpm

lib64http-parser2-2.9.2-1.mga6
lib64http-parser-devel-2.9.2-1.mga6

from http-parser-2.9.2-1.mga6.src.rpm

nodejs-6.17.1-4.mga6
nodejs-devel-6.17.1-4.mga6
npm-3.10.10-4.mga6
nodejs-docs-6.17.1-4.mga6
nodejs-debuginfo-6.17.1-4.mga6

from nodejs-6.17.1-4.mga6.src.rpm
Comment 48 Herman Viaene 2019-05-06 13:58:26 CEST
@Stig,
Tried to install again on my old trusted 32-bitter, but no joy:
The moment I select im MCC - Software installation the package nodejs I get the message "This package cannot be selected" and that's it.
Comment 49 Herman Viaene 2019-05-07 10:01:29 CEST
@Stig
# urpmi nodejs-6.17.1-4.mga6
Een verlangd pakket kan niet worden geïnstalleerd (a selected package cannot be installed):
npm-3.10.10-4.mga6.i586 (vanwege onvoldane nodejs (unfulfilled)[== 1:6.17.1-4])
Comment 50 Stig-Ørjan Smelror 2019-05-10 10:37:53 CEST
Advisory
========

NodeJS has been updated to fix several critical security issues.

References
==========
https://nodejs.org/en/blog/release/v6.17.1/

Files
=====

Uploaded to core/updates_testing:

lib64uv1-1.16.1-1.mga6
lib64uv-devel-1.16.1-1.mga6
lib64uv-static-devel-1.16.1-1.mga6

from libuv-1.16.1-1.mga6.src.rpm

lib64http-parser2-2.9.2-1.mga6
lib64http-parser-devel-2.9.2-1.mga6

from http-parser-2.9.2-1.mga6.src.rpm

nodejs-6.17.1-6.mga6
nodejs-devel-6.17.1-6.mga6
npm-3.10.10-6.mga6
nodejs-docs-6.17.1-6.mga6
nodejs-debuginfo-6.17.1-6.mga6

from nodejs-6.17.1-6.mga6.src.rpm
Comment 51 Len Lawrence 2019-06-08 18:56:27 CEST
mga6, x86_64

Cannot say anything about the security issues but installed missing packages before updating and worked through some simple examples at
https://www.tutorialspoint.com/nodejs/

Set up a nodejs server using this code in main.js:
-------------------------------------------------------------
var http = require("http");

http.createServer(function (request, response) {
   // Send the HTTP header 
   // HTTP Status: 200 : OK
   // Content Type: text/plain
   response.writeHead(200, {'Content-Type': 'text/plain'});
   
   // Send the response body as "Hello World"
   response.end('Hello World\n');
}).listen(8081);

// Console will print the message
console.log('Server running at http://127.0.0.1:8081/');

// $ node main.js
// Check http://localhost:8081/
-------------------------------------------------------------

and then used the interactive javascript environment REPL in a console:
$ node

When the server starts you see "Hello World" in a browser at http://localhost:8081/

Stopped the server with Ctrl-C in the launch terminal.  The alternative is 'killall node' in any terminal.

Using MageiaUpdate there was a problem - a message about having to remove nodejs in
order to update.

Abandoned MageiaUpdate and tried to force the issue using manual urpmi commands.
# urpmi nodejs
A requested package cannot be installed:
nodejs-devel-6.17.1-6.mga6.x86_64 (due to unsatisfied openssl-devel(x86-64))
Tried to continue but ended up in the same place.
Could you look into that Stig?  Looks as if Herman ran into a similar problem.

Keywords: (none) => feedback
CC: (none) => tarazed25

Comment 52 Len Lawrence 2019-06-08 19:00:02 CEST
@Stig re comment 51
# urpmi openssl-devel
Package lib64openssl-devel-1.0.2r-1.mga6.x86_64 is already installed
Comment 53 Stig-Ørjan Smelror 2019-06-08 19:05:29 CEST
(In reply to Len Lawrence from comment #52)
> @Stig re comment 51
> # urpmi openssl-devel
> Package lib64openssl-devel-1.0.2r-1.mga6.x86_64 is already installed

What's the output of

urpmq --provides lib64openssl-devel-1.0.2r-1.mga6.x86_64

Thanks.
Stig
Comment 54 Len Lawrence 2019-06-08 23:52:57 CEST
$ urpmq --provides lib64openssl-devel-1.0.2r-1.mga6.x86_64
devel(libcrypto(64bit))
devel(libssl(64bit))
lib64openssl-devel[== 1.0.2r-1.mga6]
lib64openssl-devel(x86-64)[== 1.0.2r-1.mga6]
libopenssl-devel
openssl-devel[== 1.0.2r-1.mga6]
pkgconfig(libcrypto)[== 1.0.2r]
pkgconfig(libssl)[== 1.0.2r]
pkgconfig(openssl)[== 1.0.2r]
Comment 55 Marc Krämer 2019-06-09 13:59:23 CEST
I hope Stig does not mind, I fixed the dependencies in devel package and pushed another version (release -7) to core/updates_testing.
There is only a change for the requirements on the devel package, nothing else was touched.
Comment 56 Len Lawrence 2019-06-09 18:23:49 CEST
Thanks Marc.
MageiaUpdate still does not work.

Sorry, the following packages cannot be selected:

- nodejs-docs-6.17.1-7.mga6.noarch (due to conflicts with nodejs-6.17.1-7.mga6.x86_64)
- nodejs-js-yaml-3.13.1-1.mga6.noarch (due to unsatisfied npm(argparse)[>= 1.0.7])

Started again from the cli:
....
installing nodejs-6.17.1-7.mga6.x86_64.rpm npm-3.10.10-7.mga6.x86_64.rpm nodejs-devel-6.17.1-7.mga6.x86_64.rpm from /var/cache/urpmi/rpms
Installation failed:	nodejs > 1:6.10.3-2.mga6 conflicts with (installed) nodejs-docs-1:6.10.3-2.mga6.noarch

Tried
# urpmi npm
and that succeeded in installing 3 packages:
      1/3: npm         
      2/3: nodejs      
      3/3: nodejs-devel

Still not able to install the docs noarch package but everything else is there, so the
utility tests can be run, I think.
$ rpm -qa | grep nodejs
nodejs-js-yaml-3.5.2-3.mga6
nodejs-sprintf-js-1.0.3-5.mga6
nodejs-6.17.1-7.mga6
nodejs-argparse-1.0.3-3.mga6
nodejs-packaging-9-1.mga6
nodejs-underscore-1.8.3-1.mga6
nodejs-lodash-3.10.1-7.mga6
nodejs-devel-6.17.1-7.mga6
nodejs-esprima-2.7.2-1.mga6

Started the server.
$ node main.js
Server running at http://127.0.0.1:8081/

http://localhost:8081/ in a browser responds with "Hello World".

Interactive cli session works OK.  Closed it with .exit.
Restarted with a V8 option and saw the startup code roll by (see notes attached):
$ node --print-code
> var x = 22
> x * x
484
> .exit
$ npm ls -g
shows a tree directory for /usr/lib/node_modules.
$ npm ls
/data/qa/nodejs
└── (empty)
which shows that there are no local modules installed.
$ npm search express
finds all packages with the string "express" as part of their names or included in
onboard documentation.
$ npm install express
installs module express and several other modules.
$ npm ls
/data/qa/nodejs
└─┬ express@4.17.1
  ├─┬ accepts@1.3.7
  │ ├─┬ mime-types@2.1.24
  │ │ └── mime-db@1.40.0
  │ └── negotiator@0.6.2
  ├── array-flatten@1.1.1
[...]
  ├─┬ type-is@1.6.18
  │ └── media-typer@0.3.0
  ├── utils-merge@1.0.1
  └── vary@1.1.2

The directory node_modules is created in the current directory /data/qa/nodejs.
$ ls
helloworld.js  node_modules/  problems      v8-options
main.js        notes          report.21330
$ ls node_modules
accepts/              escape-html/        mime/            safer-buffer/
array-flatten/        etag/               mime-db/         send/
body-parser/          express/            mime-types/      serve-static/
bytes/                finalhandler/       ms/              setprototypeof/
content-disposition/  forwarded/          negotiator/      statuses/
content-type/         fresh/              on-finished/     toidentifier/
cookie/               http-errors/        parseurl/        type-is/
cookie-signature/     iconv-lite/         path-to-regexp/  unpipe/
debug/                inherits/           proxy-addr/      utils-merge/
depd/                 ipaddr.js/          qs/              vary/
destroy/              media-typer/        range-parser/
ee-first/             merge-descriptors/  raw-body/
encodeurl/            methods/            safe-buffer/

TutorialsPoint goes on to more advanced topics like creating modules, callbacks and
event-driven programming.  This taster shall have to suffice just now.  The updates
should be OK for 64bit once the docs business is sorted out.
Comment 57 Len Lawrence 2019-06-09 18:26:46 CEST
Created attachment 11076 [details]
Exploratory notes on V8 and the nodejs disposition.
Comment 58 Marc Krämer 2019-06-09 22:06:58 CEST
ok, thanks for your tests, we'll get docs package too.
Sorry, I've to wait for the build server myself, since the package didn't compile on my host (and takes hours).
Len Lawrence 2019-06-10 06:56:43 CEST

Keywords: feedback => (none)

Comment 59 Len Lawrence 2019-06-10 07:48:30 CEST
While checking some of the links I came across a POC for "hash flooding".
CVE-2017-11499
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
Note that the updates had already been installed.

$ node 
> const opts = require('url').parse('http://127.0.0.1:8081');
undefined
> opts.auth = 1e3; // A number here triggers the bug
1000
> require('http').get(opts, res => res.pipe(process.stdout));
TypeError: "value" argument must not be a number
    at Function.Buffer.from (buffer.js:93:11)
    at new ClientRequest (_http_client.js:121:27)
    at Object.exports.request (http.js:33:10)
    at Object.exports.get (http.js:37:21)
    at repl:1:17
    at sigintHandlersWrap (vm.js:22:35)
    at sigintHandlersWrap (vm.js:73:12)
    at ContextifyScript.Script.runInThisContext (vm.js:21:12)
    at REPLServer.defaultEval (repl.js:340:29)
    at bound (domain.js:280:14)
> .exit

Looks like the vulnerability has been trapped - but the occurrence of the bug may depend on whether this statement
is true:
"This was a result of building with V8 snapshots enabled by default which caused the
initially randomized seed to be overwritten on startup."
Noted in comment 7.
?

Moved to another machine and installed the earlier version of nodejs.  Tried the POC
there and saw the same result, so maybe it does not tell us anything.
Comment 60 Herman Viaene 2019-06-26 12:16:30 CEST
Used QArepo to retrieve the packages as per Comment 50 for i586 and got error:
lib64uv1-1.16.1-1.mga6 not found in the remote repository
lib64http-parser2-2.9.2-1.mga6 not found in the remote repository
nodejs-6.17.1-6.mga6 not found in the remote repository
npm-3.10.10-6.mga6 not found in the remote repository
nodejs-docs-6.17.1-6.mga6 not found in the remote repository
Comment 61 Herman Viaene 2019-06-26 12:18:05 CEST
Changing the lib64.... to lib still gives:
nodejs-6.17.1-6.mga6 not found in the remote repository
npm-3.10.10-6.mga6 not found in the remote repository
nodejs-docs-6.17.1-6.mga6 not found in the remote repository
Comment 62 Len Lawrence 2019-06-27 17:55:05 CEST
@Herman with reference to comments 60, 61:
Which repository are you trying to download from - is it release or updates-testing?  ...1-1 should be in release I believe (not sure about that) and the updates-testing repositories should have ...1-7.  ...1-6 should have been overwritten.
Comment 63 Herman Viaene 2019-06-27 18:03:07 CEST
It is definitely updates-testing, but I overlooked comment 55, it's not very conspicuous.
Comment 64 Herman Viaene 2019-06-29 13:51:54 CEST
nodejs-6.17.1-7.mga6 not found in the remote repository
npm-3.10.10-7.mga6 not found in the remote repository
nodejs-docs-6.17.1-7.mga6 not found in the remote repository
Comment 65 Brian Rockwell 2019-07-28 01:02:48 CEST
Noted we're up to 6.17.1-8

The following 25 packages are going to be installed:

- cmake-rpm-macros-3.10.2-1.mga6.i586
- dwz-0.12-2.mga6.i586
- libhttp-parser-devel-2.9.2-1.mga6.i586
- libuv-devel-1.16.1-1.mga6.i586
- nodejs-6.17.1-8.mga6.i586
- nodejs-devel-6.17.1-8.mga6.i586
- nodejs-docs-6.17.1-8.mga6.noarch
- nodejs-packaging-9-1.mga6.noarch
- npm-3.10.10-8.mga6.i586
- pcre-8.41-1.mga6.i586
- perl-Exporter-Tiny-0.42.0-3.mga6.noarch
- perl-File-Slurp-9999.190.0-8.mga6.noarch
- perl-JSON-2.900.0-5.mga6.noarch
- perl-List-MoreUtils-0.415.0-1.mga6.i586
- perl-YAML-1.150.0-3.mga6.noarch
- python-enchant-1.6.6-3.mga6.noarch
- python-magic-5.25-5.2.mga6.noarch
- python-pkg-resources-19.6.2-1.mga6.noarch
- python-srpm-macros-3-4.mga6.noarch
- python2-rpm-4.13.1-3.2.mga6.i586
- rpm-mageia-setup-build-2.20.1-1.mga6.i586
- rpmlint-1.5-4.mga6.noarch
- rpmlint-mageia-policy-0.2.29-2.1.mga6.noarch
- rust-srpm-macros-6-1.mga6.noarch
- spec-helper-0.31.11-1.mga6.noarch

36MB of additional disk space will be used.

Is this the correct version to test now?

Will ne

CC: (none) => brtians1


Note You need to log in before you can comment on or make changes to this bug.