Bug 25314 - nodejs new security issues fixed upstream in 10.22.1 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6], CVE-2020-8174, CVE-2020-8252)
Summary: nodejs new security issues fixed upstream in 10.22.1 (CVE-2019-951[1-8], CVE-...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on: 26725
Blocks: 26711
Reported: 2019-08-16 11:18 CEST by Stig-Ørjan Smelror
Modified: 2020-10-13 19:48 CEST (History)

See Also:
Source RPM: nodejs-10.15.3-8.mga7.src.rpm
CVE: CVE-2019-951[1-8], CVE-2019-1677[5-7]
Status comment:


Attachments
test file for "Hello World" (469 bytes, application/x-javascript)
2020-09-26 14:59 CEST, Herman Viaene

Description Stig-Ørjan Smelror 2019-08-16 11:18:06 CEST
Several security issues found in NodeJS before versions 8.16.1 and 10.16.3

CVE-2019-95[11-18]
https://github.com/nodejs/node/releases/tag/v10.16.3
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
Stig-Ørjan Smelror 2019-08-16 11:18:37 CEST

CVE: (none) => CVE-2019-95[11-18]
Summary: nodejs new security issues fixed upstream in 10.16.3 => nodejs new security issues fixed upstream in 10.16.3 CVE-2019-95[11-18]
Whiteboard: (none) => MGA7TOO

Comment 1 Stig-Ørjan Smelror 2019-08-17 15:10:32 CEST
Cauldron updated to version 10.16.3

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

David Walser 2019-08-18 16:27:12 CEST

Summary: nodejs new security issues fixed upstream in 10.16.3 CVE-2019-95[11-18] => nodejs new security issues fixed upstream in 10.16.3 (CVE-2019-951[1-8])
CVE: CVE-2019-95[11-18] => CVE-2019-951[1-8]

Comment 2 David Walser 2019-12-23 22:45:38 CET
Fedora has issued an advisory for this on August 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/

Source RPM: (none) => nodejs-10.15.3-8.mga7.src.rpm

Comment 3 David Walser 2020-01-24 18:35:01 CET
Fedora has issued an advisory today (January 24):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/

The issues are fixed upstream in 10.18.0 and 12.14.0:
https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/
https://nodejs.org/en/blog/year-2019/

Newest bugfix versions are 10.18.1 and 12.14.1:
https://nodejs.org/en/blog/release/v10.18.1/
https://nodejs.org/en/blog/release/v12.14.1/

More security updates will be coming on February 4:
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/

Summary: nodejs new security issues fixed upstream in 10.16.3 (CVE-2019-951[1-8]) => nodejs new security issues fixed upstream in 10.18.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7])
CVE: CVE-2019-951[1-8] => CVE-2019-951[1-8], CVE-2019-1677[5-7]
Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron

Comment 4 David Walser 2020-02-20 22:25:02 CET
Fedora has issued an advisory on February 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RYHQQ4HSGBFYOHBZHBTUQNIJY5MBL63G/

The issues are fixed upstream in 10.19.0 and 12.15.0:
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/

CC: (none) => luigiwalser
Summary: nodejs new security issues fixed upstream in 10.18.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7]) => nodejs new security issues fixed upstream in 10.19.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6])

Comment 6 Nicolas Lécureuil 2020-05-27 23:35:55 CEST
I updated nodejs to the latest 10.x release to fix all the known CVEs.

CC: (none) => mageia

Comment 7 Nicolas Lécureuil 2020-05-27 23:49:48 CEST
from: nodejs-10.20.1-8.mga7


Sorry, I forgot to reset the release :)
Nicolas Lécureuil 2020-05-27 23:54:06 CEST

Assignee: smelror => qa-bugs

Comment 8 David Walser 2020-05-28 01:45:19 CEST
We have 12.16.3 in Cauldron, so we're good there.

Version: Cauldron => 7
Assignee: qa-bugs => mageia
Whiteboard: MGA7TOO => (none)

Comment 9 David Walser 2020-05-28 01:48:31 CEST
Build error in Mageia 7 is:
../src/node_http2.cc: In constructor 'node::http2::Http2Options::Http2Options(node::Environment*, node::http2::nghttp2_session_type)':
../src/node_http2.cc:156:5: error: 'nghttp2_option_set_max_outbound_ack' was not declared in this scope
     nghttp2_option_set_max_outbound_ack(options_, 10000);
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/node_http2.cc:156:5: note: suggested alternative: 'nghttp2_option_set_no_auto_ping_ack'
     nghttp2_option_set_max_outbound_ack(options_, 10000);
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This function was added to the nghttp2 API in 1.39.2:
https://github.com/nghttp2/nghttp2/releases/tag/v1.39.2

So we might as well update to the newest 1.40.0:
https://github.com/nghttp2/nghttp2/releases/tag/v1.40.0

As SOS pointed out on IRC, we should probably update libuv too.
Comment 10 David Walser 2020-05-28 17:19:43 CEST
Reminder to Nicolas that you should probably update libuv too.

nghttp2 update is done:
nghttp2-1.40.0-1.mga7
libnghttp2_14-1.40.0-1.mga7
libnghttp2-devel-1.40.0-1.mga7

from nghttp2-1.40.0-1.mga7.src.rpm

Nicolas is close on the nodejs build.
Nicolas Lécureuil 2020-05-29 01:00:29 CEST

Assignee: mageia => qa-bugs

Comment 11 David Walser 2020-05-29 02:43:30 CEST
Nodejs update built.  Feedback marker set because of no libuv update.

nodejs-10.20.1-8.mga7
nodejs-devel-10.20.1-8.mga7
nodejs-libs-10.20.1-8.mga7
v8-devel-6.8.275.32-8.mga7
npm-6.14.4-1.10.20.1.8.mga7
nodejs-docs-10.20.1-8.mga7

from nodejs-10.20.1-8.mga7.src.rpm

Keywords: (none) => feedback

Comment 12 David Walser 2020-05-29 03:17:13 CEST
First draft of advisory.

Advisory:
========================

Updated nodejs packages fix security vulnerabilities:

The nodejs package has been updated to the latest version in the 10.x branch,
which is 10.20.1 at this time.  It fixes several security issues and other
bugs.  See the upstream changelog and advisories for details.

Also, the nghttp2 package has been updated to the latest version, 1.40.0, as
the latest nodejs requires an API that was added in nghttp2 1.39.2.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9517
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15605
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16777
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
https://github.com/nodejs/node/blob/v10.x/doc/changelogs/CHANGELOG_V10.md
https://github.com/nghttp2/nghttp2/releases/
Comment 13 David Walser 2020-06-03 21:25:42 CEST
We need to update again to nodejs 10.21.0 and nghttp2 1.41.0:
CVE-2020-8174 (nodejs) CVE-2020-11080 (nghttp2)
https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/
https://github.com/nodejs/node/blob/v10.x/doc/changelogs/CHANGELOG_V10.md
https://nghttp2.org/blog/2020/06/02/nghttp2-v1-41-0/
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr

CVE-2020-10531 was already fixed in icu.

Keywords: feedback => (none)
Summary: nodejs new security issues fixed upstream in 10.19.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6]) => nodejs new security issues fixed upstream in 10.21.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6], CVE-2020-8174) and nghttp2 issue CVE-2020-11080
CC: (none) => qa-bugs
Source RPM: nodejs-10.15.3-8.mga7.src.rpm => nodejs-10.15.3-8.mga7.src.rpm, nghttp2-1.38.0-1.2.mga7.src.rpm
Assignee: qa-bugs => mageia

Comment 14 Stig-Ørjan Smelror 2020-06-03 21:28:26 CEST
I've already pushed an update to nghttp2 1.40.0 for mga7.

https://bugs.mageia.org/show_bug.cgi?id=26725
Comment 15 David Walser 2020-06-03 21:36:54 CEST
nghttp2 update moved to Bug 26725.

Depends on: (none) => 26725
Summary: nodejs new security issues fixed upstream in 10.21.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6], CVE-2020-8174) and nghttp2 issue CVE-2020-11080 => nodejs new security issues fixed upstream in 10.21.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6], CVE-2020-8174)
Source RPM: nodejs-10.15.3-8.mga7.src.rpm, nghttp2-1.38.0-1.2.mga7.src.rpm => nodejs-10.15.3-8.mga7.src.rpm

Comment 16 David Walser 2020-06-03 22:31:31 CEST
Also, don't forget to update libuv.  I don't think nodejs specifies in their advisories which, if any, of the security issues are actually fixed in their bundled libuv.
Comment 17 Nicolas Lécureuil 2020-06-04 00:02:31 CEST
libuv updated to 1.34.2

from: libuv-1.34.2-1.mga7
Comment 18 David Walser 2020-06-04 00:07:36 CEST
libuv1-1.34.2-1.mga7
libuv-devel-1.34.2-1.mga7
libuv-static-devel-1.34.2-1.mga7

from libuv-1.34.2-1.mga7.src.rpm
David Walser 2020-09-08 17:54:03 CEST

Blocks: (none) => 26711

Comment 19 Nicolas Salguero 2020-09-24 09:28:08 CEST
Hi,

There is a new security issue (CVE-2020-8252) found in NodeJS 10.x:
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/

Best regards,

Nico.

CC: (none) => nicolas.salguero
Summary: nodejs new security issues fixed upstream in 10.21.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6], CVE-2020-8174) => nodejs new security issues fixed upstream in 10.22.1 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6], CVE-2020-8174, CVE-2020-8252)

Comment 20 David Walser 2020-09-24 15:33:17 CEST
New issue fixed in 10.22.1:
https://nodejs.org/en/blog/release/v10.22.1/

Advisory:
========================

Updated nodejs packages fix security vulnerabilities:

The nodejs package has been updated to the latest version in the 10.x branch,
which is 10.22.1 at this time.  It fixes several security issues and other
bugs.  See the upstream changelog and advisories for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9517
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15605
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16777
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8252
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/
https://github.com/nodejs/node/blob/v10.x/doc/changelogs/CHANGELOG_V10.md
https://github.com/nghttp2/nghttp2/releases/
========================

Updated packages in core/updates_testing:
========================
libuv1-1.34.2-1.mga7
libuv-devel-1.34.2-1.mga7
libuv-static-devel-1.34.2-1.mga7
nodejs-10.22.1-9.mga7
nodejs-devel-10.22.1-9.mga7
nodejs-libs-10.22.1-9.mga7
v8-devel-6.8.275.32-9.mga7
npm-6.14.6-1.10.22.1.9.mga7
nodejs-docs-10.22.1-9.mga7

from SRPMS:
libuv-1.34.2-1.mga7.src.rpm
nodejs-10.22.1-9.mga7.src.rpm

CC: qa-bugs => (none)
Assignee: mageia => qa-bugs

Comment 21 Herman Viaene 2020-09-26 14:58:56 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 21330 Comment 51 for testing
$ node main.js 
Server running at http://127.0.0.1:8081/
point browser to http://localhost:8081/ shows "Hello World"
So OK.
Will attach the main.js file.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 22 Herman Viaene 2020-09-26 14:59:58 CEST
Created attachment 11889 [details]
test file for "Hello World"
Aurelien Oudelet 2020-09-26 17:54:47 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 23 Mageia Robot 2020-09-27 22:07:54 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0372.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 24 David Walser 2020-10-13 19:48:04 CEST
This update also fixed CVE-2020-15095 in npm:
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html
