Node.js issued an advisory yesterday (January 4): https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
The issues are fixed in 14.15.4 and 10.23.1:
https://nodejs.org/en/blog/release/v14.15.4/
https://nodejs.org/en/blog/release/v10.23.1/
Severity: normal => major
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA7TOO
Assignee: bugsquad => nicolas.salguero
Source RPM: (none) => nodejs-14.15.1-2.mga8.src.rpm, nodejs-10.22.1-9.mga7.src.rpm
CVE: (none) => CVE-2020-8265, CVE-2020-8287
Assignee: nicolas.salguero => joequant
fixed in cauldron
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Debian has issued an advisory for this on January 6: https://www.debian.org/security/2021/dsa-4826
Fedora has issued an advisory for this on January 10: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits. (CVE-2020-8265)

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling. (CVE-2020-8287)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8287
https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
https://nodejs.org/en/blog/release/v10.23.1/
https://www.debian.org/security/2021/dsa-4826
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K4I6MZNC7C7VIDQR267OL4TVCI3ZKAC4/
========================

Updated packages in core/updates_testing:
========================
nodejs-10.23.1-10.mga7
nodejs-devel-10.23.1-10.mga7
nodejs-libs-10.23.1-10.mga7
v8-devel-6.8.275.32-10.mga7
npm-6.14.10-1.10.23.1.10.mga7
nodejs-docs-10.23.1-10.mga7

from SRPM:
nodejs-10.23.1-10.mga7.src.rpm
Assignee: joequant => qa-bugs
Status: NEW => ASSIGNED
Source RPM: nodejs-14.15.1-2.mga8.src.rpm, nodejs-10.22.1-9.mga7.src.rpm => nodejs-10.22.1-9.mga7.src.rpm
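The CVE-2020-8287 description above says pre-fix Node.js kept the first of two copies of a header such as Transfer-Encoding and dropped the second. The block below is an added example (not code from Node.js, llhttp, or the Mageia package) showing why that matters: a small HTTP/1.1 header-section parser that keeps every occurrence of a field, a lenient "first copy wins" policy like the one the advisory describes, and a strict policy that rejects any request whose framing headers are ambiguous. The sample requests and the function names are constructed for this demonstration; the strict policy is the example's own conservative choice, not a description of what the upstream fix does.

```javascript
// Added example, not code from Node.js or from the Mageia packages: a small
// HTTP/1.1 header-section parser with two framing policies, to show the bug
// class behind CVE-2020-8287. Pre-fix Node.js kept the first of two copies
// of a header such as Transfer-Encoding and ignored the second; a proxy in
// front of it that honours the other copy frames the body differently,
// which is what HTTP request smuggling exploits. Names and sample requests
// below are constructed for the demo.

// Split the header block of a raw request into every field occurrence,
// keeping duplicates so the caller (not the parser) decides their fate.
function parseHeaderSection(raw) {
  const headerBlock = raw.split('\r\n\r\n')[0];
  const lines = headerBlock.split('\r\n');
  const requestLine = lines.shift();
  const fields = [];
  for (const line of lines) {
    const colon = line.indexOf(':');
    if (colon <= 0) throw new Error('malformed header line: ' + JSON.stringify(line));
    fields.push({
      name: line.slice(0, colon).trim().toLowerCase(),
      value: line.slice(colon + 1).trim(),
    });
  }
  return { requestLine, fields };
}

// Headers that determine where the message body ends. A second copy of one
// of these is never a harmless repeat: two parsers can legitimately pick
// different copies and then disagree about the body boundary.
const FRAMING_HEADERS = new Set(['transfer-encoding', 'content-length']);

// Lenient policy, matching the pre-fix behaviour the advisory describes:
// the first copy of a header wins and later copies are dropped silently.
function firstWins(fields) {
  const merged = new Map();
  for (const f of fields) {
    if (!merged.has(f.name)) merged.set(f.name, f.value);
  }
  return merged;
}

// Strict policy (this example's choice): refuse to frame a request whose
// framing headers are ambiguous. Duplicate Transfer-Encoding or
// Content-Length fields are rejected, and so is a request carrying both,
// which RFC 7230 section 3.3.3 says ought to be handled as an error.
function checkFraming(fields) {
  const seen = new Map();
  for (const f of fields) {
    if (!FRAMING_HEADERS.has(f.name)) continue;
    if (seen.has(f.name)) {
      return { ok: false, reason: 'duplicate ' + f.name + ' header' };
    }
    seen.set(f.name, f.value);
  }
  if (seen.has('transfer-encoding') && seen.has('content-length')) {
    return { ok: false, reason: 'both Transfer-Encoding and Content-Length present' };
  }
  return { ok: true, reason: null };
}

// Constructed request with two Transfer-Encoding copies. A parser that
// applies the first copy reads a chunked body that ends at "0\r\n\r\n"; a
// parser that applies the second copy (not chunked) falls back to
// Content-Length and sees the trailing GET as the start of a new request.
const AMBIGUOUS_REQUEST =
  'POST /upload HTTP/1.1\r\n' +
  'Host: backend.example\r\n' +
  'Transfer-Encoding: chunked\r\n' +
  'Transfer-Encoding: identity\r\n' +
  'Content-Length: 5\r\n' +
  '\r\n' +
  '0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n';

// Constructed request with unambiguous framing.
const CLEAN_REQUEST =
  'POST /upload HTTP/1.1\r\n' +
  'Host: backend.example\r\n' +
  'Transfer-Encoding: chunked\r\n' +
  '\r\n' +
  '0\r\n\r\n';

// Run both policies over both requests and return what each decided.
function demo() {
  const ambiguous = parseHeaderSection(AMBIGUOUS_REQUEST).fields;
  const clean = parseHeaderSection(CLEAN_REQUEST).fields;
  return {
    lenientTransferEncoding: firstWins(ambiguous).get('transfer-encoding'),
    strictAmbiguous: checkFraming(ambiguous),
    strictClean: checkFraming(clean),
  };
}

console.log(demo());
```

Run it with `node` on any release; the lenient policy silently reports `chunked` for the ambiguous request, which is exactly the silent choice that lets a differently-behaving front end smuggle the trailing request, while the strict policy rejects it and accepts the clean one.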
MGA7 x86_64 Plasma Desktop

No installation issues.

Ref bug 21330 Comment 51 for testing:

$ node main.js
Server running at http://127.0.0.1:8081/

Point browser to http://localhost:8081/, shows "Hello World". So OK.

From main.js attachment 11889.

MGA7-64-OK
Validating. Advisory pushed to SVN.
CC: (none) => ouaurelien
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0069.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED