Nodejs has issued an advisory today (January 11): https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/ The issues are fixed upstream in 14.18.3 and 16.13.2. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
CC: (none) => mageia
Status comment: (none) => Fixed upstream in 14.18.3 and 16.13.2
Upstream release announcements: https://nodejs.org/en/blog/release/v14.18.3/ https://nodejs.org/en/blog/release/v16.13.2/
updated in mga8/9:
src:
- nodejs-14.18.3-1.1.mga8
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 14.18.3 and 16.13.2 => (none)
CC: (none) => joequant
Assignee: joequant => qa-bugs
nodejs-docs-14.18.3-1.1.mga8
nodejs-libs-14.18.3-1.1.mga8
nodejs-devel-14.18.3-1.1.mga8
nodejs-14.18.3-1.1.mga8
v8-devel-8.4.371.23.1.mga8-1.1.mga8
npm-6.14.15-1.14.18.3.1.1.mga8

from nodejs-14.18.3-1.1.mga8.src.rpm
Fedora has issued advisories for this today (January 20): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IVGBTAQ3N7X3RJRMPD3QZXD76V4HSOEP/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GUMNNY6AYZUDPQ3DHTM3JZST2C37ZYJB/
Hi. How to test it? I need nodejs to run Signal-desktop, for instance. If Signal runs smoothly with this update, would it be a good test?
CC: (none) => chb0
Hi, if signal-desktop uses nodejs, it can indeed be a good start.
MGA8-64

The following 5 packages are going to be installed:

- glibc-2.32-24.mga8.x86_64
- glibc-devel-2.32-24.mga8.x86_64
- nodejs-14.18.3-1.1.mga8.x86_64
- nodejs-libs-14.18.3-1.1.mga8.x86_64
- npm-6.14.15-1.14.18.3.1.1.mga8.x86_64

-- rebooted to pull in glibc

Ran nodejs with simple multi-user game. worked fine here.
CC: (none) => brtians1
Hi Plasma x86_64 Signal-desktop runs well with this new nodejs version. In case it could help.
mga8, x64 Tried updating from the earlier packages but had to remove v8-devel from the list. The update worked and v8-devel updated later from the local repository. Does this need to be investigated again?
CC: (none) => tarazed25
Bug 29584: v8-devel-8.4.371.23.1.mga8-1.1.mga8
Bug 29872: v8-devel-8.4.371.23.1.mga8-1.1.mga8

Yes we forgot to bump the v8-devel release again.
Assignee: qa-bugs => mageia
new rpm pushed, please tell if this is OK this time :-)
Assignee: mageia => qa-bugs
nodejs-docs-14.18.3-2.1.mga8
nodejs-libs-14.18.3-2.1.mga8
nodejs-devel-14.18.3-2.1.mga8
nodejs-14.18.3-2.1.mga8
v8-devel-8.4.371.23.1.mga8-2.1.mga8
npm-6.14.15-1.14.18.3.2.1.mga8

from nodejs-14.18.3-2.1.mga8.src.rpm
mga8, x64 All packages updated fine. Running some tests later.
Hi

Plasma x64. No installation issues.

```
Paquetage      Version      Révision         Arch
(média « QA Testing (64-bit) »)
nodejs         14.18.3      2.1.mga8         x86_64
nodejs-libs    14.18.3      2.1.mga8         x86_64
npm            6.14.15      1.14.18.3.2.>    x86_64
```

Successfully tested with electron based applications using nodejs (like signal-desktop and schildichat-desktop).
Continuing from comment 13.

```
$ npm ls -g
<Showed a tree diagram for the system node modules>
$ npm ls
/home/lcl/qa/nodejs
└─┬ express@4.17.1
  ├─┬ accepts@1.3.7
  ...
  │ ├── ms@2.1.1 extraneous
  ...
  ├── utils-merge@1.0.1
  └── vary@1.1.2

npm ERR! extraneous: ms@2.1.1 /home/lcl/qa/nodejs/node_modules/send/node_modules/ms
```

Ignoring that and removing the locally installed modules.

```
$ rm -rf node_modules
$ npm ls
/home/lcl/qa/nodejs
└── (empty)

$ npm install express
npm WARN saveError ENOENT: no such file or directory, open '/home/lcl/qa/nodejs/package.json'
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open '/home/lcl/qa/nodejs/package.json'
npm WARN nodejs No description
npm WARN nodejs No repository field.
npm WARN nodejs No README data
npm WARN nodejs No license field.

+ express@4.17.3
added 50 packages from 37 contributors and audited 50 packages in 6.458s

2 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
```

./node_modules is populated again.

```
$ npm ls
<That came up with the ms extraneous error again>
$ npm search express
NAME           | DESCRIPTION         | AUTHOR        | DATE
express        | Fast,…              | =mikeal…      | 2022-02-17
path-to-regexp | Express style path… | =blakeembrey… | 2020-09-29
cors           | Node.js CORS…       | =dougwilson…  | 2018-11-04
express-jwt    | JWT authentication… | =woloski…     | 2021-08-11
[...]
$ node helloworld.js
Hello World!
```
```
$ cat main.js
var http = require("http");
http.createServer(function (request, response) {
   // Send the HTTP header
   // HTTP Status: 200 : OK
   // Content Type: text/plain
   response.writeHead(200, {'Content-Type': 'text/plain'});
   // Send the response body as "Hello World"
   response.end('Hello World\n');
}).listen(8081);
// Console will print the message
console.log('Server running at http://127.0.0.1:8081/');
// $ node main.js
// Check http://localhost:8081/
```

```
$ node main.js
internal/modules/cjs/loader.js:905
  throw err;
  ^

Error: Cannot find module 'ini'
Require stack:
- /home/lcl/qa/nodejs/main.js
[...]
  code: 'MODULE_NOT_FOUND',
  requireStack: [ '/home/lcl/qa/nodejs/main.js' ]
}
```

Something has changed since this code was last run - cf. bug 21330.

```
$ node --print-code
Welcome to Node.js v14.18.3.
Type ".help" for more information.
> var x = 17
undefined
> x*x
289
> .exit
```

So, cli works but server does not.
Apologies. It does work. main.js had not been saved from an editor. All OK. Christian's tests are more useful. Giving this an OK for 64-bits.
Whiteboard: (none) => MGA8-64-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0077.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED