Debian has issued an advisory on November 11:
https://www.debian.org/security/2021/dsa-5008

The issues are fixed upstream in 6.1.9. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 6.1.9
Whiteboard: (none) => MGA8TOO
Fixed in cauldron + mga8. In addition I fixed 2 other CVE: CVE-2021-32803, CVE-2021-32804, CVE-2021-37701 and CVE-2021-37712

src:
- nodejs-tar-6.0.5-1.1.mga8
Assignee: smelror => qa-bugs
CC: (none) => mageia, smelror
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status comment: Fixed upstream in 6.1.9 => (none)
Can you provide some URL references for the other CVEs?
@Nicolas: and can you provide the exact rpm name please (happens on some of your updates).
CC: (none) => herman.viaene
If I don't post a package list, the rpm and srpm have the same name.
MGA8-64 Plasma on Lenovo B50
No installation issues.
No previous update on this, so googled for some simple example and found https://gist.github.com/kylemanna/6983997
Changed to reflect my config (see file attached), but ran into a problem:

$ cd Documenten
[tester8@mach5 Documenten]$ node nodejstar.js
internal/modules/cjs/loader.js:905
  throw err;
  ^

Error: Cannot find module 'tar'
Require stack:
- /home/tester8/Documenten/nodejstar.js
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:902:15)
    at Function.Module._load (internal/modules/cjs/loader.js:746:27)
    at Module.require (internal/modules/cjs/loader.js:974:19)
    at require (internal/modules/cjs/helpers.js:93:18)
    at Object.<anonymous> (/home/tester8/Documenten/nodejstar.js:2:11)
    at Module._compile (internal/modules/cjs/loader.js:1085:14)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
    at Module.load (internal/modules/cjs/loader.js:950:32)
    at Function.Module._load (internal/modules/cjs/loader.js:790:12)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:76:12) {
  code: 'MODULE_NOT_FOUND',
  requireStack: [ '/home/tester8/Documenten/nodejstar.js' ]
Created attachment 13025
located in ~/Documenten in my test
Herman - try this from the terminal (I ran mine as root): # npm install tar --save
CC: (none) => brtians1
@Brian I ran this command both as root (first try) and as normal user.
The feedback is:

npm install tar --save
npm WARN saveError ENOENT: no such file or directory, open '/root/package.json'
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open '/root/package.json'
npm WARN root No description
npm WARN root No repository field.
npm WARN root No README data
npm WARN root No license field.

+ tar@6.1.11
added 7 packages from 1 contributor and audited 7 packages in 2.296s
found 0 vulnerabilities

And subsequently the command from Comment 5 now reports another error.

$ node nodejstar.js
internal/modules/cjs/loader.js:905
  throw err;
  ^

Error: Cannot find module 'fstream'
Require stack:
- /home/tester8/Documenten/nodejstar.js
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:902:15)
    at Function.Module._load (internal/modules/cjs/loader.js:746:27)
    at Module.require (internal/modules/cjs/loader.js:974:19)
    at require (internal/modules/cjs/helpers.js:93:18)
    at Object.<anonymous> (/home/tester8/Documenten/nodejstar.js:3:15)
    at Module._compile (internal/modules/cjs/loader.js:1085:14)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
    at Module.load (internal/modules/cjs/loader.js:950:32)
    at Function.Module._load (internal/modules/cjs/loader.js:790:12)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:76:12) {
  code: 'MODULE_NOT_FOUND',
  requireStack: [ '/home/tester8/Documenten/nodejstar.js' ]
}

Note: from my test it seems you have to run the install as the same user as the test you want to do. Running the install as root and then the test as normal user still shows "tar not found".

Making a blind guess I did:

$ npm install fstream --save
npm WARN saveError ENOENT: no such file or directory, open '/home/tester8/Documenten/package.json'
npm WARN enoent ENOENT: no such file or directory, open '/home/tester8/Documenten/package.json'
npm WARN Documenten No description
npm WARN Documenten No repository field.
npm WARN Documenten No README data
npm WARN Documenten No license field.

+ fstream@1.0.12
added 16 packages from 4 contributors and audited 25 packages in 1.927s

1 package is looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ node nodejstar.js
/home/tester8/Documenten/nodejstar.js:9
var pack = src.pipe(tar.Pack({ noProprietary: true }));
                        ^

TypeError: Class constructors cannot be invoked without 'new'
    at Object.<anonymous> (/home/tester8/Documenten/nodejstar.js:9:25)
    at Module._compile (internal/modules/cjs/loader.js:1085:14)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
    at Module.load (internal/modules/cjs/loader.js:950:32)
    at Function.Module._load (internal/modules/cjs/loader.js:790:12)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:76:12)
    at internal/main/run_main_module.js:17:47

I think I'm still missing something.
I ran mine as root. You might try that.
I believe you, but that can't be the normal way, one should be able to use this as a normal user. Who would run thunderbird as root?????
mga8, x64

Installed nodejs-tar:
1/9: nodejs-yallist
2/9: nodejs-minipass
3/9: nodejs-fs-minipass
4/9: nodejs-minizlib
5/9: nodejs-safe-buffer
6/9: nodejs-minimist
7/9: nodejs-mkdirp
8/9: nodejs-chownr
9/9: nodejs-tar

Full list of packages installed:
nodejs-safe-buffer-5.1.2-3.mga8
nodejs-fs-minipass-2.0.1-2.mga8
nodejs-14.18.1-1.1.mga8
nodejs-docs-14.18.1-1.1.mga8
nodejs-tar-6.0.5-1.mga8
nodejs-minimist-1.2.5-1.mga8
nodejs-mkdirp-1.0.4-2.mga8
nodejs-minizlib-2.1.2-2.mga8
nodejs-chownr-2.0.0-1.mga8
nodejs-yallist-4.0.0-1.mga8
nodejs-packaging-23-3.mga8
nodejs-libs-14.18.1-1.1.mga8
nodejs-minipass-3.1.3-2.mga8
nodejs-devel-14.18.1-1.1.mga8
v8-devel-8.4.371.23.1.mga8-1.1.mga8
npm-6.14.15-1.14.18.1.1.1.mga8

Updated nodejs-tar.
Edited the file from https://gist.github.com/kylemanna/6983997 and tried to run it:

$ node create-tar.js
/home/lcl/qa/nodejs/create-tar.js:9
var pack = src.pipe(tar.Pack({ noProprietary: true }));
                        ^

TypeError: Class constructors cannot be invoked without 'new'

This is what happened the last time I tried this. It differs from Herman's error.
CC: (none) => tarazed25
Meanwhile I tried to update nodejs and ran into the v8-devel problem which also happened on an earlier update. Ran the test script and hit exactly the same error with the Pack class. So I agree with Herman; there is something missing. I tried hacking the script but without knowing javascript that is a fool's errand.
My understanding is that npm is used to install nodejs programs directly from github, not from Mageia repos. After using urpmi to install the nodejs javascript programs. A usage example is shown for nodejs-tar at https://github.com/npm/node-tar However, for qa testing of nodejs packages, in most cases we just confirm the update installs cleanly over the prior version.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
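
Added example, not part of this bug thread, the gist, or the node-tar project: a create/list/extract round trip using the `tar.c`, `tar.t` and `tar.x` functions of the tar 6.x API, in place of the gist's `tar.Pack(...)` plus `fstream` calls that fail in the comments above. It assumes `tar` is resolvable by `require` from the script's directory; the names `loadTar` and `smokeTest` and the sample file are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Return the tar module, or null when require() cannot resolve it
// (the "Cannot find module 'tar'" case seen in the thread).
function loadTar() {
  try {
    return require('tar');
  } catch (err) {
    if (err.code === 'MODULE_NOT_FOUND') return null;
    throw err;
  }
}

// Pack a constructed directory, list the archive, extract it elsewhere and
// compare the extracted file with the original content.
function smokeTest() {
  const tar = loadTar();
  if (!tar) return { status: 'module-missing', listed: [] };

  const work = fs.mkdtempSync(path.join(os.tmpdir(), 'tar-smoke-'));
  try {
    const src = path.join(work, 'src');
    const out = path.join(work, 'out');
    const archive = path.join(work, 'test.tar');
    const content = 'constructed sample\n';
    fs.mkdirSync(path.join(src, 'docs'), { recursive: true });
    fs.mkdirSync(out);
    fs.writeFileSync(path.join(src, 'docs', 'a.txt'), content);

    // sync: true makes each call finish before it returns.
    tar.c({ file: archive, cwd: src, sync: true }, ['docs']);

    const listed = [];
    tar.t({ file: archive, sync: true, onentry: (e) => listed.push(e.path) });

    tar.x({ file: archive, cwd: out, sync: true });
    const body = fs.readFileSync(path.join(out, 'docs', 'a.txt'), 'utf8');
    return { status: body === content ? 'ok' : 'mismatch', listed };
  } finally {
    // Remove the temporary working directory in every case.
    fs.rmSync(work, { recursive: true, force: true });
  }
}

console.log(JSON.stringify(smokeTest()));
```

A `module-missing` status means the script's module search path does not reach the installed `tar` package, which is a resolution problem rather than a fault in the updated package.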
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0103.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED