Bug 27403 - libuv new security issue CVE-2020-8252
Summary: libuv new security issue CVE-2020-8252
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-10-13 18:16 CEST by David Walser
Modified: 2020-11-08 15:15 CET

See Also:
Source RPM: libuv-1.34.2-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-10-13 18:16:13 CEST
Ubuntu has issued an advisory on September 28:
https://ubuntu.com/security/notices/USN-4548-1

The issue is fixed upstream in 1.39.

Ubuntu patched the same version we have.
Comment 1 David Walser 2020-10-13 20:48:30 CEST
Fedora has issued an advisory for this on October 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GRACEATF77QULUT3WY4JG54X5ZI4OUWO/
Comment 2 Aurelien Oudelet 2020-10-14 18:39:24 CEST
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
Assignee: bugsquad => shlomif

Comment 3 David Walser 2020-10-14 21:24:34 CEST
Patched package uploaded by Shlomi for Mageia 7.

Advisory:
========================

Updated libuv packages fix security vulnerability:

The implementation of realpath in libuv before 1.39 incorrectly determined the
buffer size which can result in a buffer overflow if the resolved path is
longer than 256 bytes (CVE-2020-8252).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8252
https://ubuntu.com/security/notices/USN-4548-1
========================

Updated packages in core/updates_testing:
========================
libuv1-1.34.2-1.1.mga7
libuv-devel-1.34.2-1.1.mga7
libuv-static-devel-1.34.2-1.1.mga7

from libuv-1.34.2-1.1.mga7.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

Comment 4 Len Lawrence 2020-11-01 00:37:39 CET
mga7, x86_64
CVE-2020-8252
https://hackerone.com/reports/965914

PoC before updating:
$ LONG_PATH='/tmp/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/long/path/254B'
$ SHORT_LINK='/tmp/short'
$ mkdir -p "${LONG_PATH}"
$ ln -s "${LONG_PATH}" "${SHORT_LINK}"
$ node -e "fs.realpathSync.native('${SHORT_LINK}/file-not-exist')"
bash: node: command not found
<Installed nodejs at this point>
$ node -e "fs.realpathSync.native('${SHORT_LINK}/file-not-exist')"
fs.js:114
    throw err;
    ^
Error: ENOENT: no such file or directory, realpath '/tmp/short/file-not-exist'
    at Function.realpathSync.native (fs.js:1521:3)
    at [eval]:1:17
    at Script.runInThisContext (vm.js:122:20)
    at Object.runInThisContext (vm.js:329:38)
    at Object.<anonymous> ([eval]-wrapper:6:22)
    at Module._compile (internal/modules/cjs/loader.js:778:30)

Carrying on with this tomorrow.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2020-11-01 09:32:56 CET
Updated the packages.
Removed /tmp/long and unlinked the now invalid short link /tmp/short@.
Repeated the PoC which produced a slightly different result.
$ node -e "fs.realpathSync.native('${SHORT_LINK}/file-not-exist')"
fs.js:114
    throw err;
    ^

Error: ENOENT: no such file or directory, realpath '/tmp/short/file-not-exist'
    at Function.realpathSync.native (fs.js:1521:3)
    at [eval]:1:17
    at Script.runInThisContext (vm.js:122:20)
    at Object.runInThisContext (vm.js:329:38)
    at Object.<anonymous> ([eval]-wrapper:6:22)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
    at evalScript (internal/bootstrap/node.js:590:27)
    at startup (internal/bootstrap/node.js:265:9)
    at bootstrapNodeJSCore (internal/bootstrap/node.js:623:3)

This appears to be a tidy exit but the result needs to be judged by an expert.
There is further testing discussion at https://github.com/bazelbuild/rules_nodejs/issues/1958.  Context is Darwin/MacOS.  Comments indicated that the relevant test was terminated by the OS, bypassing a stack dump.  Might be the same for Linux.

Using node.js to test libuv.
Started a server at localhost:8081.
$ strace -o node.trace node main.js
Server running at http://127.0.0.1:8081/

That shows "Hello World" in a browser.

$ cat demo.js
console.log( "Testing libuv via node.js" )
console.log( "Hopefully...." )

Ran node in another terminal:
$ node demo.js
Testing libuv via node.js
Hopefully....
$ killall node
which terminated the server.
$ grep uv node.trace
openat(AT_FDCWD, "/lib64/libuv.so.1", O_RDONLY|O_CLOEXEC) = 3

Good enough but leaving the OK in case of comments regarding the PoC test.
Comment 7 Len Lawrence 2020-11-01 09:46:12 CET
Realized afterwards that the cli does not need a server so ran strace on the demo script.
$ grep libuv standalone
openat(AT_FDCWD, "/lib64/libuv.so.1", O_RDONLY|O_CLOEXEC) = 3
read(20, "console.log( \"Testing libuv via "..., 74) = 74
write(17, "Testing libuv via node.js\n", 26) = 26
Comment 8 Len Lawrence 2020-11-07 21:04:17 CET
This should probably be pushed.

Whiteboard: (none) => MGA7-64-OK

Comment 9 Thomas Andrews 2020-11-07 22:31:38 CET
Validating. Advisory in Comment 3.

Keywords: Triaged => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 10 Aurelien Oudelet 2020-11-08 11:40:32 CET
Advisory pushed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 11 Mageia Robot 2020-11-08 15:15:47 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0398.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

