Bug 30078 - nodejs new security issues CVE-2021-43616 and CVE-2022-3221[2-5]
Summary: nodejs new security issues CVE-2021-43616 and CVE-2022-3221[2-5]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-02-22 00:05 CET by David Walser
Modified: 2022-08-25 23:22 CEST (History)
5 users

See Also:
Source RPM: nodejs-14.18.3-2.1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2022-02-22 00:05:58 CET
Fedora has issued an advisory on February 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NXNVFKOF5ZYH5NIRWHKN6O6UBCHDV6FE/

Mageia 8 is also affected.
David Walser 2022-02-22 00:06:08 CET

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-02-22 19:54:32 CET
This looks OK to assign to Joseph, official packager for it, & active.

Assignee: bugsquad => joequant

David Walser 2022-02-22 20:45:38 CET

CC: (none) => joequant, mageia

Comment 2 Nicolas Lécureuil 2022-02-28 22:23:06 CET
Fixed in mga8. I need to understand why the v8 version decreased in mga9.
Comment 3 christian barranco 2022-08-19 14:15:16 CEST
Hi. 

There is nodejs-14.19.0 in MGA8 core/updates_testing, but it is not ready for QA.

Is this bug report the carrier for 14.19.0 in MGA8? If yes, what is missing to assign it to QA? If not, what is the purpose of 14.19.0 in MGA8 testing, or what is the related bug report?

CC: (none) => chb0

Comment 4 christian barranco 2022-08-19 14:34:27 CEST
Actually, it looks like there is a CVE fix with 14.19.1.
In the 14 branch, 14.19.3 is the latest release. What about updating MGA8 with the latest version? Should I open a specific report for that?
Comment 5 David Walser 2022-08-19 14:52:30 CEST
Just update it again and use this bug.  Make sure Cauldron is up to date as well.
Comment 6 christian barranco 2022-08-19 14:59:57 CEST
(In reply to David Walser from comment #5)
> Just update it again and use this bug.  Make sure Cauldron is up to date as
> well.

Cauldron uses the 16 branch; no conflict.
Should I proceed with MGA8 update or should I wait for Joseph's feedback, who is the official maintainer?
Comment 7 David Walser 2022-08-19 15:02:14 CEST
We still need to make sure that Cauldron has been updated for this CVE.  Joseph is not responsive to security bugs or bugs for stable releases, so don't wait on him.
Comment 8 christian barranco 2022-08-19 15:16:11 CEST
(In reply to David Walser from comment #7)
> We still need to make sure that Cauldron has been updated for this CVE. 
> Joseph is not responsive to security bugs or bugs for stable releases, so
> don't wait on him.

Ok, got you. I will check.
Comment 9 christian barranco 2022-08-19 15:18:07 CEST
Sorry, forgot to ask the following:
assuming an update is required for Cauldron using the 16 branch, should I use the same bug report, as MGA8 and Cauldron are not on the same branches?
Comment 10 David Walser 2022-08-19 15:23:21 CEST
You don't need a bug for Cauldron, you can just update it.  Then you can switch the version on this bug to 8 and remove MGA8TOO from the whiteboard.
Comment 11 christian barranco 2022-08-19 15:24:11 CEST
and we need to update Cauldron to 16.14.2, at least, to fix this CVE.
Comment 12 christian barranco 2022-08-19 15:29:28 CEST
So, I am going to update Cauldron to 16.17.0, to stay on the same branch (and we'll need to discuss whether we move to the 18 branch), and I am going to update MGA8 to 14.20.0

As there is already 14.19.0 for MGA8 in core/updates_testing, will it create a conflict when 14.20.0 will also land on core/updates_testing?

Version: Cauldron => 8
Assignee: joequant => chb0
Source RPM: nodejs-16.13.2-1.mga9.src.rpm => nodejs-14.18.3-2.1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)

Comment 13 christian barranco 2022-08-19 16:17:02 CEST
CVE to be addressed: https://github.com/advisories/GHSA-x3mh-jvjw-3xwx

Summary: nodejs new security issue CVE-2021-43616 => nodejs new security issue CVE-2022-0778

Comment 14 David Walser 2022-08-19 16:53:04 CEST
No, updates_testing is just like Cauldron.  It'll be replaced.
David Walser 2022-08-19 16:54:33 CEST

Summary: nodejs new security issue CVE-2022-0778 => nodejs new security issues CVE-2021-43616 and CVE-2022-0778

Comment 15 christian barranco 2022-08-19 22:55:29 CEST
Is MGA8 really affected by CVE-2021-43616?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43616

It looks like it affects npm 7.x and 8.x
nodejs 14 branch uses npm 6.x

I don't see any fix for it in any of the nodejs 14 release notes (from 14.18.3 onwards)
Comment 16 David Walser 2022-08-19 23:03:47 CEST
Ok, then we'll have fixed it in Cauldron and it won't be in the Mageia 8 advisory.  Please don't silently remove CVEs.
Comment 17 christian barranco 2022-08-20 10:27:06 CEST
Hi. Ready for QA.


ADVISORY NOTICE PROPOSAL
========================
Updated nodejs packages fix security vulnerability


Description
Update to version 10.20.0 fixes many bugs (along with versions 14.19.0, 14.19.1, 14.19.2 and 14.19.3) and protects against CVE-2022-0778
           
References
https://bugs.mageia.org/show_bug.cgi?id=30078
https://github.com/nodejs/node/releases/tag/v14.19.0
https://github.com/nodejs/node/releases/tag/v14.19.1
https://github.com/nodejs/node/releases/tag/v14.19.2
https://github.com/nodejs/node/releases/tag/v14.19.3
https://github.com/nodejs/node/releases/tag/v14.20.0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778



SRPMS
8/core
nodejs-14.20.0-1.1.mga8.src.rpm


PROVIDED PACKAGES:

nodejs-docs-14.20.0-1.1.mga8
nodejs-libs-14.20.0-1.1.mga8
nodejs-devel-14.20.0-1.1.mga8
nodejs-14.20.0-1.1.mga8
v8-devel-8.4.371.23.1.mga8-4.1.mga8
npm-6.14.17-1.14.20.0.1.1.mga8
corepack-14.20.0-1.1.mga8

    
PACKAGES FOR QA TESTING
=======================
x86_64:

nodejs-docs-14.20.0-1.1.mga8.x86_64.rpm
nodejs-libs-14.20.0-1.1.mga8.x86_64.rpm
nodejs-devel-14.20.0-1.1.mga8.x86_64.rpm
nodejs-14.20.0-1.1.mga8.x86_64.rpm
v8-devel-8.4.371.23.1.mga8-4.1.mga8.x86_64.rpm
npm-6.14.17-1.14.20.0.1.1.mga8.x86_64.rpm
corepack-14.20.0-1.1.mga8.x86_64.rpm


i586:

nodejs-docs-14.20.0-1.1.mga8i586.rpm
nodejs-libs-14.20.0-1.1.mga8i586.rpm
nodejs-devel-14.20.0-1.1.mga8i586.rpm
nodejs-14.20.0-1.1.mga8i586.rpm
v8-devel-8.4.371.23.1.mga8-4.1.mga8i586.rpm
npm-6.14.17-1.14.20.0.1.1.mga8i586.rpm
corepack-14.20.0-1.1.mga8i586.rpm

Assignee: chb0 => qa-bugs
CC: (none) => sysadmin-bugs

David Walser 2022-08-20 13:08:34 CEST

CC: sysadmin-bugs => (none)

Comment 18 David Walser 2022-08-20 13:10:24 CEST
Note the typo in the advisory (10 instead of 14).
Comment 19 christian barranco 2022-08-20 22:36:55 CEST
(In reply to David Walser from comment #18)
> Note the typo in the advisory (10 instead of 14).

Thanks, and there is also a typo in the package list. nodejs-docs is noarch... Sorry...


PACKAGES FOR QA TESTING
=======================
x86_64:

nodejs-docs-14.20.0-1.1.mga8.noarch.rpm
nodejs-libs-14.20.0-1.1.mga8.x86_64.rpm
nodejs-devel-14.20.0-1.1.mga8.x86_64.rpm
nodejs-14.20.0-1.1.mga8.x86_64.rpm
v8-devel-8.4.371.23.1.mga8-4.1.mga8.x86_64.rpm
npm-6.14.17-1.14.20.0.1.1.mga8.x86_64.rpm
corepack-14.20.0-1.1.mga8.x86_64.rpm


i586:

nodejs-docs-14.20.0-1.1.noarch.rpm
nodejs-libs-14.20.0-1.1.mga8i586.rpm
nodejs-devel-14.20.0-1.1.mga8i586.rpm
nodejs-14.20.0-1.1.mga8i586.rpm
v8-devel-8.4.371.23.1.mga8-4.1.mga8i586.rpm
npm-6.14.17-1.14.20.0.1.1.mga8i586.rpm
corepack-14.20.0-1.1.mga8i586.rpm
Comment 20 christian barranco 2022-08-20 23:27:42 CEST
Test done:

- Update with QArepo
- Reboot
- Signal-desktop built with nodejs 14.18.3 still runs smoothly
- Schildichat-desktop built with nodejs 14.18.3 still runs smoothly
- New Signal-desktop package built with nodejs 14.20.0 -> successful
- Signal-desktop runs smoothly, built and ran with nodejs 14.20.0
Comment 21 christian barranco 2022-08-20 23:28:11 CEST
(In reply to christian barranco from comment #20)
> Test done:
> 
> - Update with QArepo
> - Reboot
> - Signal-desktop built with nodejs 14.18.3 still runs smoothly
> - Schildichat-desktop built with nodejs 14.18.3 still runs smoothly
> - New Signal-desktop package built with nodejs 14.20.0 -> successful
> - Signal-desktop runs smoothly, built and ran with nodejs 14.20.0

Sorry... forgot to say: Plasma x86_64
Comment 22 Dave Hodgins 2022-08-24 23:55:12 CEST
CVE-2022-0778 is for openssl. Is this for CVE-2022-32212?
https://www.opencve.io/cve/CVE-2022-32212

CC: (none) => davidwhodgins

Comment 23 David Walser 2022-08-25 03:34:25 CEST
Indeed, we missed the most important reference:
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/

So this update actually fixes CVE-2022-3221[2-5].

Summary: nodejs new security issues CVE-2021-43616 and CVE-2022-0778 => nodejs new security issues CVE-2021-43616 and CVE-2022-3221[2-5]

Comment 24 Dave Hodgins 2022-08-25 05:07:03 CEST
Validating based on comment 20. Advisory committed to svn.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs

Comment 25 christian barranco 2022-08-25 07:07:37 CEST
(In reply to David Walser from comment #23)
> Indeed, we missed the most important reference:
> https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
> 
> So this update actually fixes CVE-2022-3221[2-5].

What bothers me a bit is that this is not mentioned anywhere in the nodejs release notes. Am I overlooking anything?
Comment 26 David Walser 2022-08-25 15:40:50 CEST
No.  With nodejs you always have to look for the security announcements.
Comment 27 Mageia Robot 2022-08-25 23:22:43 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0294.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

