Fedora has issued an advisory today (July 23): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2AXESDBS3WP5K4PFYD3EMDD3R662MMG6/ This follows from the upstream advisory on July 11: https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/ For 6.x, the issues were fixed in 6.11.1: https://nodejs.org/en/blog/release/v6.11.1/ Mageia 5 and Mageia 6 are also affected. 0.10.x is no longer supported, so we should recommend users upgrade to Mageia 6.
Whiteboard: (none) => MGA6TOO
6.11.1 pushed in updates_testing and pushed in cauldron too
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: mageia => qa-bugs
Assigning back to Nicolas. Neither update built successfully.
Version: 6 => Cauldron
Whiteboard: (none) => MGA6TOO
CC: (none) => qa-bugs
Assignee: qa-bugs => mageia
Let's validate this. The cauldron package will be pushed when rpm is fixed; it is on my todo, I won't forget.

src.rpm: http-parser-2.7.1-1.mga6 and nodejs-6.11.1-1.1.mga6
Advisory:
========================

Updated nodejs packages fix security vulnerabilities:

Node.js was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup (CVE-2017-11499).

Parsing of NAPTR responses by the bundled c-ares library could be triggered to read memory outside of the given input buffer through carefully crafted DNS response packets (CVE-2017-1000381).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000381
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
https://nodejs.org/en/blog/release/v6.11.1/
========================

Updated packages in core/updates_testing:
========================
libhttp-parser2-2.7.1-1.mga6
libhttp-parser-devel-2.7.1-1.mga6
nodejs-6.11.1-1.1.mga6
nodejs-devel-6.11.1-1.1.mga6
npm-3.10.10-1.6.11.1.1.mga6
nodejs-docs-6.11.1-1.1.mga6

from SRPMS:
http-parser-2.7.1-1.mga6.src.rpm
nodejs-6.11.1-1.1.mga6.src.rpm
CC: qa-bugs => (none)
Nicolas is working on fixing dependency issues from the update. Adding the feedback marker until that's completed. Note to self also to add a bit to the advisory about Mageia 5 users should update to Mageia 6 as 0.10.x is unsupported.
Whiteboard: (none) => feedback
New src.rpm: nodejs-6.11.1-1.3.mga6 (the install issue)
CC: (none) => mageia
Advisory:
========================

Updated nodejs packages fix security vulnerabilities:

Node.js was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup (CVE-2017-11499).

Parsing of NAPTR responses by the bundled c-ares library could be triggered to read memory outside of the given input buffer through carefully crafted DNS response packets (CVE-2017-1000381).

Note that Mageia 5 is also affected, but the 0.10.x branch of nodejs is no longer supported. Users of nodejs should upgrade to Mageia 6.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000381
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
https://nodejs.org/en/blog/release/v6.11.1/
========================

Updated packages in core/updates_testing:
========================
libhttp-parser2-2.7.1-1.mga6
libhttp-parser-devel-2.7.1-1.mga6
nodejs-6.11.1-1.8.mga6
nodejs-devel-6.11.1-1.8.mga6
npm-3.10.10-1.8.mga6
nodejs-docs-6.11.1-1.8.mga6

from SRPMS:
http-parser-2.7.1-1.mga6.src.rpm
nodejs-6.11.1-1.8.mga6.src.rpm
Whiteboard: feedback => (none)
Package was rebuilt to change the release tag for some reason.

nodejs-6.11.1-2.1.mga6
nodejs-devel-6.11.1-2.1.mga6
npm-3.10.10-2.1.mga6
nodejs-docs-6.11.1-2.1.mga6

from nodejs-6.11.1-2.1.mga6.src.rpm
still impossible to update

# urpmi --debug nodejs
(...)
getting exclusive lock on rpm
search_packages: found nodejs-6.10.3-2.mga6.x86_64 matching nodejs
search_packages: found nodejs-6.11.1-2.1.mga6.x86_64 matching nodejs
found package(s): nodejs-6.10.3-2.mga6.x86_64 nodejs-6.11.1-2.1.mga6.x86_64
opening rpmdb (root=, write=)
chosen nodejs-6.11.1-2.1.mga6.x86_64 for nodejs|nodejs
selecting nodejs-6.11.1-2.1.mga6.x86_64
set_rejected: nodejs-6.10.3-2.mga6.x86_64
installed npm-3.10.10-2.mga6.x86_64 is conflicting because of unsatisfied nodejs[== 1:6.10.3-2.mga6]
promoting npm-3.10.10-2.1.mga6.x86_64 because of conflict above
selecting npm-3.10.10-2.1.mga6.x86_64
set_rejected: npm-3.10.10-2.mga6.x86_64
requiring nodejs[== 1:6.11.1-2.1] for npm-3.10.10-2.1.mga6.x86_64
no packages match nodejs[== 1:6.11.1-2.1] (it is either in skip.list or already rejected)
unselecting npm-3.10.10-2.1.mga6.x86_64
adding a reason to already rejected package npm-3.10.10-2.1.mga6.x86_64: unsatisfied nodejs[== 1:6.11.1-2.1]
installed npm-3.10.10-2.mga6.x86_64 is conflicting because of unsatisfied nodejs[== 1:6.10.3-2.mga6]
set_rejected: npm-3.10.10-2.mga6.x86_64
selected nodejs-6.11.1-2.1.mga6.x86_64 is conflicting because of unsatisfied npm[== 1:3.10.10]
promoting npm-3.10.10-2.mga6.i586 npm-3.10.10-2.1.mga6.i586 because of conflict above
no packages match npm|npm (it is either in skip.list or already rejected)
no packages match npm (it is either in skip.list or already rejected)
selected nodejs-6.11.1-2.1.mga6.x86_64 is conflicting because of unsatisfied npm[== 1:3.10.10]
unselecting nodejs-6.11.1-2.1.mga6.x86_64
Le paquetage demandé ne peut pas être installé :
npm-3.10.10-2.1.mga6.x86_64 (car nodejs[== 1:6.11.1-2.1] est non satisfait)
I just tried and it installs now. Can you confirm?
Only the release tag changed again, but Nicolas is able to install them and upgrade to them from the core/release versions.

nodejs-6.11.1-3.mga6
nodejs-devel-6.11.1-3.mga6
npm-3.10.10-3.mga6
nodejs-docs-6.11.1-3.mga6

from nodejs-6.11.1-3.mga6.src.rpm
Nicolas is in the process of updating this again to 6.11.2, as well as providing an update for Mageia 5: https://nodejs.org/en/blog/release/v6.11.2/
This is still in progress. It looks like the current build needs to be removed from mga6 core/updates_testing so it can be resubmitted, otherwise youri is rejecting the upload.

Current package list for Mageia 5 (since it won't be visible on pkgsubmit soon):

libuv1-1.9.0-1.mga5
libuv-devel-1.9.0-1.mga5
libuv-static-devel-1.9.0-1.mga5
libhttp-parser2-2.7.1-1.mga5
libhttp-parser-devel-2.7.1-1.mga5
nodejs-6.11.1-1.mga5
nodejs-devel-6.11.1-1.mga5
npm-3.10.10-1.mga5
nodejs-docs-6.11.1-1.mga5

from SRPMS:
libuv-1.9.0-1.mga5.src.rpm
http-parser-2.7.1-1.mga5.src.rpm
nodejs-6.11.1-1.mga5.src.rpm
Moving 'feedback' from whiteboard to keywords now that madb has been updated to handle that keyword.
Keywords: (none) => feedback
Whiteboard: feedback => (none)
Fedora has issued an advisory today (November 7): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YIOZ3PHJMBMHJGZPHUHUKZTSXF3GWNWG/ The issue (CVE-2017-14919) is fixed in 6.11.5: https://nodejs.org/en/blog/vulnerability/oct-2017-dos/ What's not clear to me is if the issue was in zlib itself, or nodejs's zlib module. As we don't use the bundled zlib (we build against the system one), we may not be affected.
*** Bug 22094 has been marked as a duplicate of this bug. ***
CC: (none) => smelror
Assigning back to Nicolas. I guess we should update it to 6.11.5 and make sure there are no dependency problems before assigning back to QA.
CC: (none) => qa-bugs
Assignee: qa-bugs => mageia
Keywords: feedback => (none)
As far as I understand this issue (CVE-2017-14919), it is a change in the interface of zlib > 1.2.9. On the call of the lib with the value 8, it will not create an instance. This is not handled correctly, so node.js crashes.
Ok, so that particular issue isn't relevant for us.
It is still relevant, since they state this behaviour can be exploited.
They must have made an adjustment in their zip module then. That is fine. We need to update this regardless.
Status comment: (none) => dependency issue in update candidate, should be updated again
Upstream has issued an advisory on March 21: https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ CVE-2018-7158 CVE-2018-7159 CVE-2018-7160 are fixed in 6.14.0: https://nodejs.org/en/blog/release/v6.14.0/ superseded by bugfix release 6.14.1 on March 30: https://nodejs.org/en/blog/release/v6.14.1/ Fedora has issued an advisory for this today (April 3): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YNDB7OOHGGSPMIELVOUE5AYAJ3PO5DAI/ Cauldron also needs to be updated to at least 8.11.0 (8.11.1 is also out).
Version: 6 => Cauldron
Whiteboard: (none) => MGA6TOO
Summary: nodejs new security issues fixed upstream in 6.11.1 => nodejs new security issues fixed upstream in 6.14.0
Fedora has issued an advisory for 6.14.0 on April 6: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VWNIJUQHBGKOST6ZUOIDBC7PMTYP2POX/
Nodejs has issued updates on June 12 for several security issues. CVE-2018-7161 CVE-2018-7162 CVE-2018-7164 CVE-2018-7167 CVE-2018-1000168 https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/ MGA6 is only vulnerable to CVE-2018-7167. Cauldron to all of the above.
Source RPM: nodejs-6.10.3-2.mga6.src.rpm => nodejs-6.10.3-2.mga6.src.rpm, nodejs-8.11.2-1.mga7.src.rpm
Summary: nodejs new security issues fixed upstream in 6.14.0 => nodejs new security issues fixed upstream in 6.14.3 and 8.11.3
nodejs-8.11.3 has been pushed to Cauldron.
Nice work Stig-Ørjan, thanks. Hopefully one of these days we can build a security update for Mageia 6.
Summary: nodejs new security issues fixed upstream in 6.14.3 and 8.11.3 => nodejs new security issues fixed upstream in 6.14.3
openSUSE has issued an advisory for 6.14.3 on July 14: https://lists.opensuse.org/opensuse-updates/2018-07/msg00034.html
Upstream has issued an advisory on August 16: https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/ The 6.x branch is up to 6.14.4, 8.x (Cauldron) is up to 8.11.4.
Summary: nodejs new security issues fixed upstream in 6.14.3 => nodejs new security issues fixed upstream in 6.14.4
Upstream has issued an advisory on November 28: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ The 6.x branch is up to 6.15.1: https://nodejs.org/en/blog/release/v6.15.1/ 10.x is up to 10.15.0: https://nodejs.org/en/blog/release/v10.15.0/ SUSE has issued an advisory for this on January 18: http://lists.suse.com/pipermail/sle-security-updates/2019-January/005043.html
Summary: nodejs new security issues fixed upstream in 6.14.4 => nodejs new security issues fixed upstream in 6.15.1
Whiteboard: (none) => MGA6TOO
Version: 6 => Cauldron
CC: (none) => joequant
nodejs6 advisory from SUSE from today (February 14): http://lists.suse.com/pipermail/sle-security-updates/2019-February/005121.html They updated to 6.16.0 which fixes a regression from the security fix: https://nodejs.org/en/blog/release/v6.16.0/
Cauldron is currently up to date with security fixes, but is missing the regression fix, which is also in 10.15.0. The newest is 10.15.1: https://nodejs.org/en/blog/release/v10.15.1/
Upstream has issued an advisory on February 28: https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/ CVE-2019-5737 is fixed in 10.15.2, and that and CVE-2019-5739 are fixed in 6.17.0: https://nodejs.org/en/blog/release/v6.17.0 https://nodejs.org/en/blog/release/v10.15.2 There is also the 10.15.3 bugfix release for that branch: https://nodejs.org/en/blog/release/v10.15.3/
Version: 6 => Cauldron
Whiteboard: (none) => MGA6TOO
Summary: nodejs new security issues fixed upstream in 6.15.1 => nodejs new security issues fixed upstream in 6.17.0
SUSE advisory for nodejs10 from today (March 18): http://lists.suse.com/pipermail/sle-security-updates/2019-March/005197.html
SUSE advisory for 6.17.0 from March 29: http://lists.suse.com/pipermail/sle-security-updates/2019-March/005269.html
10.15.3 is in Cauldron.
Looks like libuv needs to be updated to at least version 1.18.0 to get NodeJS to build on Mageia 6. This commit was pushed a day before the 1.18 release.
https://github.com/libuv/libuv/commit/d708df110a03332224bd9be1bbd23093d9cf9022#diff-75ef5546bd1280c12d97fdd89c13da08

And NodeJS 6.17.1 borks on uv_os_getpid.

Green light?

Cheers,
Stig
Whatever needs to be done.
David, do I update libuv to the latest version or just to the version needed? Cheers, Stig
I guess it depends on which nodejs you're updating to. As I recall, it can use a bundled one, so you'd want to match it to the version used by the nodejs version you're going to use.
Advisory
========

NodeJS has been updated to fix several critical security issues.

References
==========
https://github.com/nodejs/node/search?q=CVE&type=Commits

Files
=====
Uploaded to core/updates_testing:

lib64uv1-1.16.1-1.mga6
lib64uv-devel-1.16.1-1.mga6
lib64uv-static-devel-1.16.1-1.mga6
from lib64uv1-1.16.1-1.mga6.src.rpm

nodejs-6.17.1-1.mga6
nodejs-devel-6.17.1-1.mga6
npm-3.10.10-1.6.17.1.1.mga6.2.mga6
nodejs-docs-6.17.1-1.mga6
from nodejs-6.17.1-1.mga6.src.rpm
Source RPM: nodejs-6.10.3-2.mga6.src.rpm, nodejs-8.11.2-1.mga7.src.rpm => nodejs-6.10.3-2.mga6.src.rpm,
Assignee: mageia => qa-bugs
Summary: nodejs new security issues fixed upstream in 6.17.0 => nodejs new security issues fixed upstream in 6.17.1
Reference for 6.17.1 bugfix release: https://nodejs.org/en/blog/release/v6.17.1/
nodejs build rejected by the build system because the npm release tag is messed up.
Assignee: qa-bugs => smelror
Advisory
========

NodeJS has been updated to fix several critical security issues.

References
==========
https://nodejs.org/en/blog/release/v6.17.1/

Files
=====
Uploaded to core/updates_testing:

lib64uv1-1.16.1-1.mga6
lib64uv-devel-1.16.1-1.mga6
lib64uv-static-devel-1.16.1-1.mga6
from lib64uv1-1.16.1-1.mga6.src.rpm

lib64http-parser2-2.9.2-1.mga6.x86_64.rpm
lib64http-parser-devel-2.9.2-1.mga6.x86_64.rpm
from http-parser-2.9.2-1.mga6.src.rpm

nodejs-6.17.1-4.mga6
nodejs-devel-6.17.1-4.mga6
npm-3.10.10-4.mga6
nodejs-docs-6.17.1-4.mga6
nodejs-debuginfo-6.17.1-4.mga6
from nodejs-6.17.1-4.mga6.src.rpm
joequant fixed the issues in nodejs for Cauldron.
Assignee: smelror => qa-bugs
Source RPM: nodejs-6.10.3-2.mga6.src.rpm, => nodejs-6.10.3-2.mga6.src.rpm
Status comment: dependency issue in update candidate, should be updated again => (none)
Trying this on x86-64: getting "This package cannot be selected" for nodejs-6.17.1-4.mga6, and npm-3.10.10-4.mga6 is dependent on that one.
CC: (none) => herman.viaene
Herman, npm depends on nodejs and vice versa. Both will be installed. libuv was needed to build nodejs. I don't know if it's needed to run.
Advisory
========

NodeJS has been updated to fix several critical security issues.

References
==========
https://nodejs.org/en/blog/release/v6.17.1/

Files
=====
Uploaded to core/updates_testing:

lib64uv1-1.16.1-1.mga6
lib64uv-devel-1.16.1-1.mga6
lib64uv-static-devel-1.16.1-1.mga6
from libuv-1.16.1-1.mga6.src.rpm

lib64http-parser2-2.9.2-1.mga6
lib64http-parser-devel-2.9.2-1.mga6
from http-parser-2.9.2-1.mga6.src.rpm

nodejs-6.17.1-4.mga6
nodejs-devel-6.17.1-4.mga6
npm-3.10.10-4.mga6
nodejs-docs-6.17.1-4.mga6
nodejs-debuginfo-6.17.1-4.mga6
from nodejs-6.17.1-4.mga6.src.rpm
@Stig, Tried to install again on my old trusted 32-bitter, but no joy: The moment I select in MCC - Software installation the package nodejs I get the message "This package cannot be selected" and that's it.
@Stig
# urpmi nodejs-6.17.1-4.mga6
Een verlangd pakket kan niet worden geïnstalleerd (a selected package cannot be installed):
npm-3.10.10-4.mga6.i586 (vanwege onvoldane nodejs (unfulfilled)[== 1:6.17.1-4])
Advisory
========

NodeJS has been updated to fix several critical security issues.

References
==========
https://nodejs.org/en/blog/release/v6.17.1/

Files
=====
Uploaded to core/updates_testing:

lib64uv1-1.16.1-1.mga6
lib64uv-devel-1.16.1-1.mga6
lib64uv-static-devel-1.16.1-1.mga6
from libuv-1.16.1-1.mga6.src.rpm

lib64http-parser2-2.9.2-1.mga6
lib64http-parser-devel-2.9.2-1.mga6
from http-parser-2.9.2-1.mga6.src.rpm

nodejs-6.17.1-6.mga6
nodejs-devel-6.17.1-6.mga6
npm-3.10.10-6.mga6
nodejs-docs-6.17.1-6.mga6
nodejs-debuginfo-6.17.1-6.mga6
from nodejs-6.17.1-6.mga6.src.rpm
mga6, x86_64

Cannot say anything about the security issues but installed missing packages before updating and worked through some simple examples at https://www.tutorialspoint.com/nodejs/

Set up a nodejs server using this code in main.js:
-------------------------------------------------------------
var http = require("http");

http.createServer(function (request, response) {
   // Send the HTTP header
   // HTTP Status: 200 : OK
   // Content Type: text/plain
   response.writeHead(200, {'Content-Type': 'text/plain'});

   // Send the response body as "Hello World"
   response.end('Hello World\n');
}).listen(8081);

// Console will print the message
console.log('Server running at http://127.0.0.1:8081/');

// $ node main.js
// Check http://localhost:8081/
-------------------------------------------------------------
and then used the interactive javascript environment REPL in a console:
$ node

When the server starts you see "Hello World" in a browser at http://localhost:8081/
Stopped the server with Ctrl-C in the launch terminal. The alternative is 'killall node' in any terminal.

Using MageiaUpdate there was a problem - a message about having to remove nodejs in order to update. Abandoned MageiaUpdate and tried to force the issue using manual urpmi commands.
# urpmi nodejs
A requested package cannot be installed:
nodejs-devel-6.17.1-6.mga6.x86_64 (due to unsatisfied openssl-devel(x86-64))

Tried to continue but ended up in the same place. Could you look into that Stig? Looks as if Herman ran into a similar problem.
CC: (none) => tarazed25
Keywords: (none) => feedback
@Stig re comment 51
# urpmi openssl-devel
Package lib64openssl-devel-1.0.2r-1.mga6.x86_64 is already installed
(In reply to Len Lawrence from comment #52)
> @Stig re comment 51
> # urpmi openssl-devel
> Package lib64openssl-devel-1.0.2r-1.mga6.x86_64 is already installed

What's the output of
urpmq --provides lib64openssl-devel-1.0.2r-1.mga6.x86_64

Thanks.
Stig
$ urpmq --provides lib64openssl-devel-1.0.2r-1.mga6.x86_64
devel(libcrypto(64bit))
devel(libssl(64bit))
lib64openssl-devel[== 1.0.2r-1.mga6]
lib64openssl-devel(x86-64)[== 1.0.2r-1.mga6]
libopenssl-devel
openssl-devel[== 1.0.2r-1.mga6]
pkgconfig(libcrypto)[== 1.0.2r]
pkgconfig(libssl)[== 1.0.2r]
pkgconfig(openssl)[== 1.0.2r]
I hope Stig does not mind, I fixed the dependencies in devel package and pushed another version (release -7) to core/updates_testing. There is only a change for the requirements on the devel package, nothing else was touched.
Thanks Marc. MageiaUpdate still does not work.

Sorry, the following packages cannot be selected:
- nodejs-docs-6.17.1-7.mga6.noarch (due to conflicts with nodejs-6.17.1-7.mga6.x86_64)
- nodejs-js-yaml-3.13.1-1.mga6.noarch (due to unsatisfied npm(argparse)[>= 1.0.7])

Started again from the cli:
....
installing nodejs-6.17.1-7.mga6.x86_64.rpm npm-3.10.10-7.mga6.x86_64.rpm nodejs-devel-6.17.1-7.mga6.x86_64.rpm from /var/cache/urpmi/rpms
Installation failed: nodejs > 1:6.10.3-2.mga6 conflicts with (installed) nodejs-docs-1:6.10.3-2.mga6.noarch

Tried
# urpmi npm
and that succeeded in installing 3 packages:
1/3: npm
2/3: nodejs
3/3: nodejs-devel

Still not able to install the docs noarch package but everything else is there, so the utility tests can be run, I think.

$ rpm -qa | grep nodejs
nodejs-js-yaml-3.5.2-3.mga6
nodejs-sprintf-js-1.0.3-5.mga6
nodejs-6.17.1-7.mga6
nodejs-argparse-1.0.3-3.mga6
nodejs-packaging-9-1.mga6
nodejs-underscore-1.8.3-1.mga6
nodejs-lodash-3.10.1-7.mga6
nodejs-devel-6.17.1-7.mga6
nodejs-esprima-2.7.2-1.mga6

Started the server.
$ node main.js
Server running at http://127.0.0.1:8081/

http://localhost:8081/ in a browser responds with "Hello World".

Interactive cli session works OK. Closed it with .exit.
Restarted with a V8 option and saw the startup code roll by (see notes attached):
$ node --print-code
> var x = 22
> x * x
484
> .exit

$ npm ls -g
shows a tree directory for /usr/lib/node_modules.

$ npm ls
/data/qa/nodejs
└── (empty)
which shows that there are no local modules installed.

$ npm search express
finds all packages with the string "express" as part of their names or included in onboard documentation.

$ npm install express
installs module express and several other modules.

$ npm ls
/data/qa/nodejs
└─┬ express@4.17.1
  ├─┬ accepts@1.3.7
  │ ├─┬ mime-types@2.1.24
  │ │ └── mime-db@1.40.0
  │ └── negotiator@0.6.2
  ├── array-flatten@1.1.1
[...]
  ├─┬ type-is@1.6.18
  │ └── media-typer@0.3.0
  ├── utils-merge@1.0.1
  └── vary@1.1.2

The directory node_modules is created in the current directory /data/qa/nodejs.
$ ls
helloworld.js  node_modules/  problems  v8-options
main.js        notes          report.21330

$ ls node_modules
accepts/              escape-html/        mime/              safer-buffer/
array-flatten/        etag/               mime-db/           send/
body-parser/          express/            mime-types/        serve-static/
bytes/                finalhandler/       ms/                setprototypeof/
content-disposition/  forwarded/          negotiator/        statuses/
content-type/         fresh/              on-finished/       toidentifier/
cookie/               http-errors/        parseurl/          type-is/
cookie-signature/     iconv-lite/         path-to-regexp/    unpipe/
debug/                inherits/           proxy-addr/        utils-merge/
depd/                 ipaddr.js/          qs/                vary/
destroy/              media-typer/        range-parser/
ee-first/             merge-descriptors/  raw-body/
encodeurl/            methods/            safe-buffer/

TutorialsPoint goes on to more advanced topics like creating modules, callbacks and event-driven programming. This taster shall have to suffice just now.

The updates should be OK for 64bit once the docs business is sorted out.
Created attachment 11076 [details] Exploratory notes on V8 and the nodejs disposition.
Ok, thanks for your tests, we'll get the docs package too. Sorry, I have to wait for the build server myself, since the package didn't compile on my host (and takes hours).
Keywords: feedback => (none)
While checking some of the links I came across a POC for "hash flooding".
CVE-2017-11499
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/

Note that the updates had already been installed.

$ node
> const opts = require('url').parse('http://127.0.0.1:8081');
undefined
> opts.auth = 1e3; // A number here triggers the bug
1000
> require('http').get(opts, res => res.pipe(process.stdout));
TypeError: "value" argument must not be a number
    at Function.Buffer.from (buffer.js:93:11)
    at new ClientRequest (_http_client.js:121:27)
    at Object.exports.request (http.js:33:10)
    at Object.exports.get (http.js:37:21)
    at repl:1:17
    at sigintHandlersWrap (vm.js:22:35)
    at sigintHandlersWrap (vm.js:73:12)
    at ContextifyScript.Script.runInThisContext (vm.js:21:12)
    at REPLServer.defaultEval (repl.js:340:29)
    at bound (domain.js:280:14)
> .exit

Looks like the vulnerability has been trapped - but the occurrence of the bug may depend on whether this statement is true:
"This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup."
Noted in comment 7. ?

Moved to another machine and installed the earlier version of nodejs. Tried the POC there and saw the same result, so maybe it does not tell us anything.
Used QArepo to retrieve the packages as per Comment 50 for i586 and got error:
lib64uv1-1.16.1-1.mga6 not found in the remote repository
lib64http-parser2-2.9.2-1.mga6 not found in the remote repository
nodejs-6.17.1-6.mga6 not found in the remote repository
npm-3.10.10-6.mga6 not found in the remote repository
nodejs-docs-6.17.1-6.mga6 not found in the remote repository
Changing the lib64.... to lib still gives:
nodejs-6.17.1-6.mga6 not found in the remote repository
npm-3.10.10-6.mga6 not found in the remote repository
nodejs-docs-6.17.1-6.mga6 not found in the remote repository
@Herman with reference to comments 60, 61: Which repository are you trying to download from - is it release or updates-testing? ...1-1 should be in release I believe (not sure about that) and the updates-testing repositories should have ...1-7. ...1-6 should have been overwritten.
It is definitely updates-testing, but I overlooked comment 55, it's not very conspicuous.
nodejs-6.17.1-7.mga6 not found in the remote repository
npm-3.10.10-7.mga6 not found in the remote repository
nodejs-docs-6.17.1-7.mga6 not found in the remote repository
Noted we're up to 6.17.1-8

The following 25 packages are going to be installed:
- cmake-rpm-macros-3.10.2-1.mga6.i586
- dwz-0.12-2.mga6.i586
- libhttp-parser-devel-2.9.2-1.mga6.i586
- libuv-devel-1.16.1-1.mga6.i586
- nodejs-6.17.1-8.mga6.i586
- nodejs-devel-6.17.1-8.mga6.i586
- nodejs-docs-6.17.1-8.mga6.noarch
- nodejs-packaging-9-1.mga6.noarch
- npm-3.10.10-8.mga6.i586
- pcre-8.41-1.mga6.i586
- perl-Exporter-Tiny-0.42.0-3.mga6.noarch
- perl-File-Slurp-9999.190.0-8.mga6.noarch
- perl-JSON-2.900.0-5.mga6.noarch
- perl-List-MoreUtils-0.415.0-1.mga6.i586
- perl-YAML-1.150.0-3.mga6.noarch
- python-enchant-1.6.6-3.mga6.noarch
- python-magic-5.25-5.2.mga6.noarch
- python-pkg-resources-19.6.2-1.mga6.noarch
- python-srpm-macros-3-4.mga6.noarch
- python2-rpm-4.13.1-3.2.mga6.i586
- rpm-mageia-setup-build-2.20.1-1.mga6.i586
- rpmlint-1.5-4.mga6.noarch
- rpmlint-mageia-policy-0.2.29-2.1.mga6.noarch
- rust-srpm-macros-6-1.mga6.noarch
- spec-helper-0.31.11-1.mga6.noarch
36MB of additional disk space will be used.

Is this the correct version to test now? Will ne
CC: (none) => brtians1
MGA6-64 Plasma on Lenovo B50

No installation issues anymore with 6.17.1-8. Tested according to Len's Comment 51. Hello world shown in browser as expected. So, should finally be OK.
Whiteboard: (none) => MGA6-64-OK
Thanks for sticking with it, guys. Validating, at last. The suggested advisory in Comment 50 sounds like it should still work, but please note that that comment was written for an earlier version than the one that got the OK.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
For future reference... please try to write better security advisories, including at least the CVEs... so something like:

type: security
subject: Updated nodejs packages fix security vulnerabilities
CVE:
 - CVE-2017-1000381
 - CVE-2018-7158
 - CVE-2018-7159
 - CVE-2018-7160
 - CVE-2018-7167
 - CVE-2018-12115
 - CVE-2018-12116
 - CVE-2018-12120
 - CVE-2018-12121
 - CVE-2018-12122
 - CVE-2018-12123
 - CVE-2019-5737
 - CVE-2019-5739
src:
  6:
   core:
     - nodejs-6.17.1-6.mga6
     - http-parser-2.9.2-1.mga6
     - libuv-1.16.1-1.mga6
description: |
  This update provides nodejs v6.17.1 fixing at least the following security issues:

  The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer (CVE-2017-1000381)

  Fix for 'path' module regular expression denial of service (CVE-2018-7158)

  Reject spaces in HTTP Content-Length header values (CVE-2018-7159)

  Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)

  buffer: Fixes Denial of Service vulnerability where calling Buffer.fill() could hang (CVE-2018-7167)

  buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115)

  Node.js: HTTP request splitting (CVE-2018-12116)

  Node.js: Debugger port 5858 listens on any interface by default (CVE-2018-12120)

  Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)

  Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122)

  Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)

  Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)

  Node.js: Denial of Service with keep-alive HTTP connections (CVE-2019-5739)

  For other fixes in this update, see the referenced release logs.
references:
 - https://nodejs.org/en/blog/release/v6.11.0/
 - https://nodejs.org/en/blog/release/v6.11.1/
 - https://nodejs.org/en/blog/release/v6.11.2/
 - https://nodejs.org/en/blog/release/v6.11.3/
 - https://nodejs.org/en/blog/release/v6.11.4/
 - https://nodejs.org/en/blog/release/v6.12.0/
 - https://nodejs.org/en/blog/release/v6.12.1/
 - https://nodejs.org/en/blog/release/v6.12.2/
 - https://nodejs.org/en/blog/release/v6.12.3/
 - https://nodejs.org/en/blog/release/v6.13.0/
 - https://nodejs.org/en/blog/release/v6.13.1/
 - https://nodejs.org/en/blog/release/v6.14.0/
 - https://nodejs.org/en/blog/release/v6.14.1/
 - https://nodejs.org/en/blog/release/v6.14.2/
 - https://nodejs.org/en/blog/release/v6.14.3/
 - https://nodejs.org/en/blog/release/v6.15.0/
 - https://nodejs.org/en/blog/release/v6.15.1/
 - https://nodejs.org/en/blog/release/v6.16.0/
 - https://nodejs.org/en/blog/release/v6.17.0/
 - https://nodejs.org/en/blog/release/v6.17.1/
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0277.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED