Ubuntu has issued an advisory on September 28:
The issue is fixed upstream in 1.39.
Ubuntu patched the same version we have.
Fedora has issued an advisory for this on October 2:
Hi, thanks for reporting this bug.
Assigned to the package maintainer.
(Please set the status to 'assigned' if you are working on it)
Patched package uploaded by Shlomi for Mageia 7.
Updated libuv packages fix security vulnerability:
The implementation of realpath in libuv before 1.39 incorrectly determined the
buffer size which can result in a buffer overflow if the resolved path is
longer than 256 bytes (CVE-2020-8252).
Updated packages in core/updates_testing: