Debian has issued an advisory on July 5: https://www.debian.org/security/2021/dsa-4936 The source was the latest Nodejs advisory: https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ Mageia 8 is also affected.
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29028Whiteboard: (none) => MGA8TOO
Assigning to Stig for this SRPM.
Assignee: bugsquad => smelror
Ubuntu has issued an advisory for this today (July 7): https://ubuntu.com/security/notices/USN-5007-1
Cauldron updated to 1.41.1
Version: Cauldron => 8Whiteboard: MGA8TOO => (none)
Advisory ======== libuv has been updated to fix an OOB in the punycode decoder. References ========== https://ubuntu.com/security/CVE-2021-22918 Files ===== Uploaded to core/updates_testing lib64uv-devel-1.40.0-1.1.mga8 lib64uv1-1.40.0-1.1.mga8 lib64uv-static-devel-1.40.0-1.1.mga8 from libuv-1.40.0-1.1.mga8.src.rpm
Source RPM: libuv-1.41.0-1.mga9.src.rpm => libuv-1.40.0-1.mga8.src.rpmAssignee: smelror => qa-bugs
mga8, x64 CVE-2021-22918 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22921 Out of bounds read in uv__idna_toascii() function affects node.js. https://hackerone.com/reports/1209681 Hackerone provides test materials which may not be usable by QA so we shall skip any attempt to reproduce the issue. Updated the three packages. $ urpmq --whatrequires lib64uv1 cmake cmake-qtgui lib64luv1 lib64radare2_4.5.1 lib64storj0 lib64websockets-devel libstorj neovim perl-UV $ urpmq --requires-recursive nodejs | grep libuv $ This is strange. node.js no longer uses libuv apparently. The tests copied from bug 27403 now bear this out. neovim requires libluv1 which needs libuv1. Had to visit https://neovim.io/doc/user/vim_diff.html#nvim-features to confirm that nvim and neovim are the same. nvim is the command. $ strace -o neovim.trace nvim hello $ grep uv neovim.trace openat(AT_FDCWD, "/lib64/libluv.so.1", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/lib64/libuv.so.1", O_RDONLY|O_CLOEXEC) = 3 The editing session worked just like vim - familiar commands and mode changes were unchanged. This all looks OK for mga8.
Whiteboard: (none) => MGA8-64-OKCC: (none) => tarazed25
Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
type: security subject: Updated libuv packages fix security vulnerability CVE: - CVE-2021-22918 src: 8: core: - libuv-1.40.0-1.1.mga8 description: | Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo(). (CVE-2021-22918). references: - https://bugs.mageia.org/show_bug.cgi?id=29231 - https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ - https://www.debian.org/security/2021/dsa-4936 - https://ubuntu.com/security/notices/USN-5007-1
CC: (none) => ouaurelienCVE: (none) => CVE-2021-22918Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0360.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED