Several security issues found in NodeJS before versions 8.16.1 and 10.16.3 CVE-2019-95[11-18]
https://github.com/nodejs/node/releases/tag/v10.16.3
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
CVE: (none) => CVE-2019-95[11-18]
Summary: nodejs new security issues fixed upstream in 10.16.3 => nodejs new security issues fixed upstream in 10.16.3 CVE-2019-95[11-18]
Whiteboard: (none) => MGA7TOO
Cauldron updated to version 10.16.3
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Summary: nodejs new security issues fixed upstream in 10.16.3 CVE-2019-95[11-18] => nodejs new security issues fixed upstream in 10.16.3 (CVE-2019-951[1-8])
CVE: CVE-2019-95[11-18] => CVE-2019-951[1-8]
Fedora has issued an advisory for this on August 25: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/
Source RPM: (none) => nodejs-10.15.3-8.mga7.src.rpm
Fedora has issued an advisory today (January 24):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/
The issues are fixed upstream in 10.18.0 and 12.14.0:
https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/
https://nodejs.org/en/blog/year-2019/
Newest bugfix versions are 10.18.1 and 12.14.1:
https://nodejs.org/en/blog/release/v10.18.1/
https://nodejs.org/en/blog/release/v12.14.1/
More security updates will be coming on February 4:
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
Summary: nodejs new security issues fixed upstream in 10.16.3 (CVE-2019-951[1-8]) => nodejs new security issues fixed upstream in 10.18.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7])
CVE: CVE-2019-951[1-8] => CVE-2019-951[1-8], CVE-2019-1677[5-7]
Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
Fedora has issued an advisory on February 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RYHQQ4HSGBFYOHBZHBTUQNIJY5MBL63G/
The issues are fixed upstream in 10.19.0 and 12.15.0:
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
CC: (none) => luigiwalser
Summary: nodejs new security issues fixed upstream in 10.18.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7]) => nodejs new security issues fixed upstream in 10.19.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6])
Fedora advisory for 10.19.0 from February 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UGIEYKV3F7BDQXTY3ZXURIMPJFFG3MTU/
I updated nodejs to the latest 10.x release to fix all the known CVEs.
CC: (none) => mageia
from: nodejs-10.20.1-8.mga7
Sorry, I forgot to reset the release :)
Assignee: smelror => qa-bugs
We have 12.16.3 in Cauldron, so we're good there.
Version: Cauldron => 7
Assignee: qa-bugs => mageia
Whiteboard: MGA7TOO => (none)
Build error in Mageia 7 is:
../src/node_http2.cc: In constructor 'node::http2::Http2Options::Http2Options(node::Environment*, node::http2::nghttp2_session_type)':
../src/node_http2.cc:156:5: error: 'nghttp2_option_set_max_outbound_ack' was not declared in this scope
     nghttp2_option_set_max_outbound_ack(options_, 10000);
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/node_http2.cc:156:5: note: suggested alternative: 'nghttp2_option_set_no_auto_ping_ack'
     nghttp2_option_set_max_outbound_ack(options_, 10000);
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This function was added to the nghttp2 API in 1.39.2:
https://github.com/nghttp2/nghttp2/releases/tag/v1.39.2
So we might as well update to the newest 1.40.0:
https://github.com/nghttp2/nghttp2/releases/tag/v1.40.0
As SOS pointed out on IRC, we should probably update libuv too.
Reminder to Nicolas that you should probably update libuv too.
nghttp2 update is done:
nghttp2-1.40.0-1.mga7
libnghttp2_14-1.40.0-1.mga7
libnghttp2-devel-1.40.0-1.mga7
from nghttp2-1.40.0-1.mga7.src.rpm
Nicolas is close on the nodejs build.
Assignee: mageia => qa-bugs
Nodejs update built. Feedback marker set because of no libuv update.
nodejs-10.20.1-8.mga7
nodejs-devel-10.20.1-8.mga7
nodejs-libs-10.20.1-8.mga7
v8-devel-6.8.275.32-8.mga7
npm-6.14.4-1.10.20.1.8.mga7
nodejs-docs-10.20.1-8.mga7
from nodejs-10.20.1-8.mga7.src.rpm
Keywords: (none) => feedback
First draft of advisory.

Advisory:
========================

Updated nodejs packages fix security vulnerabilities:

The nodejs package has been updated to the latest version in the 10.x branch, which is 10.20.1 at this time. It fixes several security issues and other bugs. See the upstream changelog and advisories for details.

Also, the nghttp2 package has been updated to the latest version, 1.40.0, as the latest nodejs requires an API that was added in nghttp2 1.39.2.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9517
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15605
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16777
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
https://github.com/nodejs/node/blob/v10.x/doc/changelogs/CHANGELOG_V10.md
https://github.com/nghttp2/nghttp2/releases/
We need to update again to nodejs 10.21.0 and nghttp2 1.41.0:
CVE-2020-8174 (nodejs)
CVE-2020-11080 (nghttp2)
https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/
https://github.com/nodejs/node/blob/v10.x/doc/changelogs/CHANGELOG_V10.md
https://nghttp2.org/blog/2020/06/02/nghttp2-v1-41-0/
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr
CVE-2020-10531 was already fixed in icu.
Keywords: feedback => (none)
Summary: nodejs new security issues fixed upstream in 10.19.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6]) => nodejs new security issues fixed upstream in 10.21.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6], CVE-2020-8174) and nghttp2 issue CVE-2020-11080
CC: (none) => qa-bugs
Source RPM: nodejs-10.15.3-8.mga7.src.rpm => nodejs-10.15.3-8.mga7.src.rpm, nghttp2-1.38.0-1.2.mga7.src.rpm
Assignee: qa-bugs => mageia
I've already pushed an update to nghttp2 1.40.0 for mga7.
https://bugs.mageia.org/show_bug.cgi?id=26725
nghttp2 update moved to Bug 26725.
Depends on: (none) => 26725
Summary: nodejs new security issues fixed upstream in 10.21.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6], CVE-2020-8174) and nghttp2 issue CVE-2020-11080 => nodejs new security issues fixed upstream in 10.21.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6], CVE-2020-8174)
Source RPM: nodejs-10.15.3-8.mga7.src.rpm, nghttp2-1.38.0-1.2.mga7.src.rpm => nodejs-10.15.3-8.mga7.src.rpm
Also don't forget to update libuv. I don't think nodejs specifies in their advisories which if any of the security issues are actually fixed in their bundled libuv.
libuv updated to 1.34.2 from: libuv-1.34.2-1.mga7
libuv1-1.34.2-1.mga7
libuv-devel-1.34.2-1.mga7
libuv-static-devel-1.34.2-1.mga7
from libuv-1.34.2-1.mga7.src.rpm
Blocks: (none) => 26711
Hi,

There is a new security issue (CVE-2020-8252) found in NodeJS 10.x:
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/

Best regards,
Nico.
CC: (none) => nicolas.salguero
Summary: nodejs new security issues fixed upstream in 10.21.0 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6], CVE-2020-8174) => nodejs new security issues fixed upstream in 10.22.1 (CVE-2019-951[1-8], CVE-2019-1677[5-7], CVE-2019-1560[4-6], CVE-2020-8174, CVE-2020-8252)
New issue fixed in 10.22.1:
https://nodejs.org/en/blog/release/v10.22.1/

Advisory:
========================

Updated nodejs packages fix security vulnerabilities:

The nodejs package has been updated to the latest version in the 10.x branch, which is 10.22.1 at this time. It fixes several security issues and other bugs. See the upstream changelog and advisories for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9517
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15605
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16777
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8252
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
https://nodejs.org/en/blog/vulnerability/june-2020-security-releases/
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/
https://github.com/nodejs/node/blob/v10.x/doc/changelogs/CHANGELOG_V10.md
https://github.com/nghttp2/nghttp2/releases/
========================

Updated packages in core/updates_testing:
========================
libuv1-1.34.2-1.mga7
libuv-devel-1.34.2-1.mga7
libuv-static-devel-1.34.2-1.mga7
nodejs-10.22.1-9.mga7
nodejs-devel-10.22.1-9.mga7
nodejs-libs-10.22.1-9.mga7
v8-devel-6.8.275.32-9.mga7
npm-6.14.6-1.10.22.1.9.mga7
nodejs-docs-10.22.1-9.mga7

from SRPMS:
libuv-1.34.2-1.mga7.src.rpm
nodejs-10.22.1-9.mga7.src.rpm
CC: qa-bugs => (none)
Assignee: mageia => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 21330 Comment 51 for testing
$ node main.js
Server running at http://127.0.0.1:8081/
Point browser to http://localhost:8081/ shows "Hello World"
So OK.
Will attach the main.js file.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Created attachment 11889: test file for "Hello World"
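The QA test above only confirms that the updated binary starts and serves a page; it does not confirm that the running binary is actually at or above the versions this bug arrives at (nodejs 10.22.1, nghttp2 1.39.2 for the nghttp2_option_set_max_outbound_ack API that broke the 10.20.1 build, libuv 1.34.2). The script below is an added example, not part of this bug report, the attached main.js, or the nodejs project: it compares the versions Node reports in process.versions against those minimums and fails loudly when one is missing or too old. The thresholds are taken from the thread; the function names and the constructed SAMPLE_OLD table are illustrative (only its node and nghttp2 values correspond to versions mentioned in the thread, the uv value is made up).

```javascript
'use strict';
// Added example (not from the Mageia bug or the nodejs project): check that the
// running Node binary reports versions at or above the minimums this bug
// establishes. Thresholds come from the thread; everything else is illustrative.

// Minimum versions the thread arrives at:
//   node    10.22.1  (CVE-2019-951[1-8], CVE-2019-1560[4-6], CVE-2019-1677[5-7],
//                     CVE-2020-8174, CVE-2020-8252)
//   nghttp2 1.39.2   (first release with nghttp2_option_set_max_outbound_ack,
//                     which nodejs 10.20.1 needs to build)
//   uv      1.34.2   (libuv update shipped alongside nodejs 10.22.1)
const MINIMUMS = { node: '10.22.1', nghttp2: '1.39.2', uv: '1.34.2' };

// Parse "1.40.0", "v10.22.1" or "1.41.0-DEV" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when actual >= minimum, comparing components numerically. A plain string
// comparison would wrongly rank "10.9.0" above "10.16.3".
function isAtLeast(actual, minimum) {
  const a = parseVersion(actual);
  const b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Compare a process.versions-like table against the minimums. Returns one entry
// per component that is absent or too old; an empty array means the check passed.
function checkVersions(versions, minimums = MINIMUMS) {
  const failures = [];
  for (const [name, min] of Object.entries(minimums)) {
    const have = versions[name];
    if (have === undefined) {
      failures.push({ name, have: null, min, reason: 'not reported' });
    } else if (!isAtLeast(have, min)) {
      failures.push({ name, have, min, reason: 'too old' });
    }
  }
  return failures;
}

// Constructed sample of what the pre-update Mageia 7 build (nodejs 10.15.3,
// system nghttp2 1.38.0) might report. The uv value is invented for illustration.
const SAMPLE_OLD = { node: '10.15.3', nghttp2: '1.38.0', uv: '1.23.2', v8: '6.8.275.32' };

// When run directly (node check-versions.js), check the binary executing it.
if (typeof require !== 'undefined' && require.main === module) {
  const failures = checkVersions(process.versions);
  for (const f of failures) {
    console.error(`${f.name}: have ${f.have}, need >= ${f.min} (${f.reason})`);
  }
  console.log(failures.length === 0 ? 'OK: all minimums met' : 'FAIL');
  if (failures.length > 0) process.exitCode = 1;
}
```

Run it with the updated package's `node` (for example `/usr/bin/node check-versions.js`) rather than whatever `node` is first on PATH, so the check reflects the binary the update actually installed. A non-zero exit makes it usable as a gate in a QA or CI step.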
Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0372.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This update also fixed CVE-2020-15095 in npm:
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html