Bug 29872 - nodejs new security issues CVE-2021-4453[1-3] and CVE-2022-21824
Summary: nodejs new security issues CVE-2021-4453[1-3] and CVE-2022-21824
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-01-11 23:56 CET by David Walser
Modified: 2022-02-22 21:16 CET (History)
8 users (show)

See Also:
Source RPM: nodejs-16.13.1-1.mga9.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2022-01-11 23:56:15 CET
Nodejs has issued an advisory today (January 11):
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/

The issues are fixed upstream in 14.18.3 and 16.13.2.

Mageia 8 is also affected.
David Walser 2022-01-11 23:56:35 CET

Whiteboard: (none) => MGA8TOO
CC: (none) => mageia
Status comment: (none) => Fixed upstream in 14.18.3 and 16.13.2

Comment 1 David Walser 2022-01-11 23:57:07 CET
Upstream release announcements:
https://nodejs.org/en/blog/release/v14.18.3/
https://nodejs.org/en/blog/release/v16.13.2/
Comment 2 Nicolas Lécureuil 2022-01-18 23:44:48 CET
udpated in mga8/9:

src:
    - nodejs-14.18.3-1.1.mga8

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 14.18.3 and 16.13.2 => (none)

Nicolas Lécureuil 2022-01-18 23:45:04 CET

CC: (none) => joequant
Assignee: joequant => qa-bugs

Comment 3 David Walser 2022-01-18 23:47:38 CET
nodejs-docs-14.18.3-1.1.mga8
nodejs-libs-14.18.3-1.1.mga8
nodejs-devel-14.18.3-1.1.mga8
nodejs-14.18.3-1.1.mga8
v8-devel-8.4.371.23.1.mga8-1.1.mga8
npm-6.14.15-1.14.18.3.1.1.mga8

from nodejs-14.18.3-1.1.mga8.src.rpm
Comment 5 christian barranco 2022-01-26 22:17:18 CET
Hi. How to test it? I need nodejs to run Signal-desktop for instance, for instance. 
If Signal runs smoothly with this update, would it be a good test?

CC: (none) => chb0

Comment 6 Nicolas Lécureuil 2022-01-26 22:19:37 CET
Hi,

if signal-desktop uses nodejs, it can indeed be a good start.
Comment 7 Brian Rockwell 2022-01-27 04:16:19 CET
MGA8-64

The following 5 packages are going to be installed:

- glibc-2.32-24.mga8.x86_64
- glibc-devel-2.32-24.mga8.x86_64
- nodejs-14.18.3-1.1.mga8.x86_64
- nodejs-libs-14.18.3-1.1.mga8.x86_64
- npm-6.14.15-1.14.18.3.1.1.mga8.x86_64

-- rebooted to pull in glibc

Ran nodejs with simple multi-user game.

worked fine here.

CC: (none) => brtians1

Comment 8 christian barranco 2022-01-27 22:31:19 CET
Hi

Plasma x86_64

Signal-desktop runs well with this new nodejs version.

In case it could help.
Comment 9 Len Lawrence 2022-01-29 17:59:14 CET
mga8, x64
Tried updating from the earlier packages but had to remove v8-devel from the list.
The update worked and v8-devel updated later from the local repository.
Does this need to be investigated again?

CC: (none) => tarazed25

Comment 10 David Walser 2022-01-29 18:02:56 CET
Bug 29584:
v8-devel-8.4.371.23.1.mga8-1.1.mga8
Bug 29872:
v8-devel-8.4.371.23.1.mga8-1.1.mga8

Yes we forgot to bump the v8-devel release again.

Assignee: qa-bugs => mageia

Comment 11 Nicolas Lécureuil 2022-02-18 11:59:41 CET
new rpm pushed, please tell if this is OK this time :-)

Assignee: mageia => qa-bugs

Comment 12 David Walser 2022-02-18 18:36:30 CET
nodejs-docs-14.18.3-2.1.mga8
nodejs-libs-14.18.3-2.1.mga8
nodejs-devel-14.18.3-2.1.mga8
nodejs-14.18.3-2.1.mga8
v8-devel-8.4.371.23.1.mga8-2.1.mga8
npm-6.14.15-1.14.18.3.2.1.mga8

from nodejs-14.18.3-2.1.mga8.src.rpm
Comment 13 Len Lawrence 2022-02-18 19:45:00 CET
mga8, x64
All packages updated fine.
Running some tests later.
Comment 14 christian barranco 2022-02-18 20:49:18 CET
Hi
Plasma x64.

No installation issues.
```
  Paquetage                      Version      Révision      Arch    
(média « QA Testing (64-bit) »)
  nodejs                         14.18.3      2.1.mga8      x86_64  
  nodejs-libs                    14.18.3      2.1.mga8      x86_64  
  npm                            6.14.15      1.14.18.3.2.> x86_64  
```

Successfully tested with electron based applications using nodejs (like signal-desktop and schildichat-desktop).
Comment 15 Len Lawrence 2022-02-18 20:57:24 CET
Continuing from comment 13.
$ npm ls -g
<Showed a tree diagram for the system  node modules>
$ npm ls
/home/lcl/qa/nodejs
└─┬ express@4.17.1
  ├─┬ accepts@1.3.7
...
  │ ├── ms@2.1.1 extraneous
...
  ├── utils-merge@1.0.1
  └── vary@1.1.2

npm ERR! extraneous: ms@2.1.1 /home/lcl/qa/nodejs/node_modules/send/node_modules/ms

Ignoring that and removing the locally installed modules.
$ rm -rf node_modules
$ npm ls
/home/lcl/qa/nodejs
└── (empty)
$ npm install express
npm WARN saveError ENOENT: no such file or directory, open '/home/lcl/qa/nodejs/package.json'
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open '/home/lcl/qa/nodejs/package.json'
npm WARN nodejs No description
npm WARN nodejs No repository field.
npm WARN nodejs No README data
npm WARN nodejs No license field.

+ express@4.17.3
added 50 packages from 37 contributors and audited 50 packages in 6.458s

2 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
./node_modules is populated again.
$ npm ls
<That came up with the ms extraneous error again>
$ npm search express
NAME                      | DESCRIPTION          | AUTHOR          | DATE       
express                   | Fast,…               | =mikeal…        | 2022-02-17 
path-to-regexp            | Express style path…  | =blakeembrey…   | 2020-09-29 
cors                      | Node.js CORS…        | =dougwilson…    | 2018-11-04 
express-jwt               | JWT authentication…  | =woloski…       | 2021-08-11 
[...]

$ node helloworld.js
Hello World!

$ cat main.js
var http = require("http");

http.createServer(function (request, response) {
   // Send the HTTP header 
   // HTTP Status: 200 : OK
   // Content Type: text/plain
   response.writeHead(200, {'Content-Type': 'text/plain'});
   
   // Send the response body as "Hello World"
   response.end('Hello World\n');
}).listen(8081);

// Console will print the message
console.log('Server running at http://127.0.0.1:8081/');

// $ node main.js
// Check http://localhost:8081/

$ node main.js
internal/modules/cjs/loader.js:905
  throw err;
  ^
Error: Cannot find module 'ini'
Require stack:
- /home/lcl/qa/nodejs/main.js
[...]
  code: 'MODULE_NOT_FOUND',
  requireStack: [ '/home/lcl/qa/nodejs/main.js' ]
}

Something has changed since this code was last run - cf. bug 21330.

$ node --print-code
Welcome to Node.js v14.18.3.
Type ".help" for more information.
> var x = 17
undefined
> x*x
289
> .exit

So, cli works but server does not.
Comment 16 Len Lawrence 2022-02-18 21:02:54 CET
Apologies.  It does work.  main.js had not been saved from an editor.  All OK.
Christian's tests are more useful.  Giving this an OK for 64-bits.

Whiteboard: (none) => MGA8-64-OK

Comment 17 Thomas Andrews 2022-02-19 17:07:49 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-02-22 19:46:30 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 18 Mageia Robot 2022-02-22 21:16:18 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0077.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.