Fedora has issued an advisory on February 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NXNVFKOF5ZYH5NIRWHKN6O6UBCHDV6FE/

Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
This looks OK to assign to Joseph, official packager for it, & active.
Assignee: bugsquad => joequant
CC: (none) => joequant, mageia
fixed in mga8. I need to understand why v8 version decreased in mga9
Hi. There is nodejs-14.19.0 in MGA8 core/updates_testing, but it is not ready for QA. Is this bug report the carrier for 14.19.0 in MGA8? If yes, what is missing to assign it to QA? If not, what is the purpose of 14.19.0 in MGA8 testing, or what is the related bug report?
CC: (none) => chb0
Actually, it looks like there is a CVE fix with 14.19.1. In the 14 branch, 14.19.3 is the latest release. What about updating MGA8 with the latest version? Should I open a specific report for that?
Just update it again and use this bug. Make sure Cauldron is up to date as well.
(In reply to David Walser from comment #5)
> Just update it again and use this bug. Make sure Cauldron is up to date as
> well.

Cauldron uses the 16 branch; no conflict. Should I proceed with MGA8 update or should I wait for Joseph's feedback, who is the official maintainer?
We still need to make sure that Cauldron has been updated for this CVE. Joseph is not responsive to security bugs or bugs for stable releases, so don't wait on him.
(In reply to David Walser from comment #7)
> We still need to make sure that Cauldron has been updated for this CVE.
> Joseph is not responsive to security bugs or bugs for stable releases, so
> don't wait on him.

Ok, got you. I will check.
Sorry, forgot to ask the following: assuming an update is required for Cauldron using the 16 branch, should I use the same bug report, as MGA8 and Cauldron are not on the same branches?
You don't need a bug for Cauldron, you can just update it. Then you can switch the version on this bug to 8 and remove MGA8TOO from the whiteboard.
and we need to update Cauldron to 16.14.2, at least, to fix this CVE.
So, I am going to update Cauldron to 16.17.0, to stay on the same branch (and we'll need to discuss whether we move to the 18 branch), and I am going to update MGA8 to 14.20.0. As there is already 14.19.0 for MGA8 in core/updates_testing, will it create a conflict when 14.20.0 also lands on core/updates_testing?
Version: Cauldron => 8
Assignee: joequant => chb0
Source RPM: nodejs-16.13.2-1.mga9.src.rpm => nodejs-14.18.3-2.1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
CVE to be addressed: https://github.com/advisories/GHSA-x3mh-jvjw-3xwx
Summary: nodejs new security issue CVE-2021-43616 => nodejs new security issue CVE-2022-0778
No, updates_testing is just like Cauldron. It'll be replaced.
Summary: nodejs new security issue CVE-2022-0778 => nodejs new security issues CVE-2021-43616 and CVE-2022-0778
Is MGA8 really affected by CVE-2021-43616?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43616

It looks like it affects npm 7.x and 8.x. The nodejs 14 branch uses npm 6.x. I don't see any fix for it in any of the nodejs 14 release notes (from 14.18.3 onwards).
Ok, then we'll have fixed it in Cauldron and it won't be in the Mageia 8 advisory. Please don't silently remove CVEs.
Hi. Ready for QA.

ADVISORY NOTICE PROPOSAL
========================

Updated nodejs packages fix security vulnerability

Description

Update to version 10.20.0 fixes many bugs (along with versions 14.19.0, 14.19.1, 14.19.2 and 14.19.3) and protects against CVE-2022-0778

References

https://bugs.mageia.org/show_bug.cgi?id=30078
https://github.com/nodejs/node/releases/tag/v14.19.0
https://github.com/nodejs/node/releases/tag/v14.19.1
https://github.com/nodejs/node/releases/tag/v14.19.2
https://github.com/nodejs/node/releases/tag/v14.19.3
https://github.com/nodejs/node/releases/tag/v14.20.0
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778

SRPMS
8/core
nodejs-14.20.0-1.1.mga8.src.rpm

PROVIDED PACKAGES:
nodejs-docs-14.20.0-1.1.mga8
nodejs-libs-14.20.0-1.1.mga8
nodejs-devel-14.20.0-1.1.mga8
nodejs-14.20.0-1.1.mga8
v8-devel-8.4.371.23.1.mga8-4.1.mga8
npm-6.14.17-1.14.20.0.1.1.mga8
corepack-14.20.0-1.1.mga8

PACKAGES FOR QA TESTING
=======================

x86_64:
nodejs-docs-14.20.0-1.1.mga8.x86_64.rpm
nodejs-libs-14.20.0-1.1.mga8.x86_64.rpm
nodejs-devel-14.20.0-1.1.mga8.x86_64.rpm
nodejs-14.20.0-1.1.mga8.x86_64.rpm
v8-devel-8.4.371.23.1.mga8-4.1.mga8.x86_64.rpm
npm-6.14.17-1.14.20.0.1.1.mga8.x86_64.rpm
corepack-14.20.0-1.1.mga8.x86_64.rpm

i586:
nodejs-docs-14.20.0-1.1.mga8i586.rpm
nodejs-libs-14.20.0-1.1.mga8i586.rpm
nodejs-devel-14.20.0-1.1.mga8i586.rpm
nodejs-14.20.0-1.1.mga8i586.rpm
v8-devel-8.4.371.23.1.mga8-4.1.mga8i586.rpm
npm-6.14.17-1.14.20.0.1.1.mga8i586.rpm
corepack-14.20.0-1.1.mga8i586.rpm
Assignee: chb0 => qa-bugs
CC: (none) => sysadmin-bugs
CC: sysadmin-bugs => (none)
Note the typo in the advisory (10 instead of 14).
(In reply to David Walser from comment #18)
> Note the typo in the advisory (10 instead of 14).

Thanks, and there is also a typo in the package list. nodejs-docs is noarch... Sorry...

PACKAGES FOR QA TESTING
=======================

x86_64:
nodejs-docs-14.20.0-1.1.mga8.noarch.rpm
nodejs-libs-14.20.0-1.1.mga8.x86_64.rpm
nodejs-devel-14.20.0-1.1.mga8.x86_64.rpm
nodejs-14.20.0-1.1.mga8.x86_64.rpm
v8-devel-8.4.371.23.1.mga8-4.1.mga8.x86_64.rpm
npm-6.14.17-1.14.20.0.1.1.mga8.x86_64.rpm
corepack-14.20.0-1.1.mga8.x86_64.rpm

i586:
nodejs-docs-14.20.0-1.1.noarch.rpm
nodejs-libs-14.20.0-1.1.mga8i586.rpm
nodejs-devel-14.20.0-1.1.mga8i586.rpm
nodejs-14.20.0-1.1.mga8i586.rpm
v8-devel-8.4.371.23.1.mga8-4.1.mga8i586.rpm
npm-6.14.17-1.14.20.0.1.1.mga8i586.rpm
corepack-14.20.0-1.1.mga8i586.rpm
Test done:
- Update with QArepo
- Reboot
- Signal-desktop built with nodejs 14.18.3 still runs smoothly
- Schildichat-desktop built with nodejs 14.18.3 still runs smoothly
- New Signal-desktop package built with nodejs 14.20.0 -> successful
- Signal-desktop runs smoothly, built and ran with nodejs 14.20.0
(In reply to christian barranco from comment #20)
> Test done:
>
> - Update with QArepo
> - Reboot
> - Signal-desktop built with nodejs 14.18.3 still runs smoothly
> - Schildichat-desktop built with nodejs 14.18.3 still runs smoothly
> - New Signal-desktop package built with nodejs 14.20.0 -> successful
> - Signal-desktop runs smoothly, built and ran with nodejs 14.20.0

Sorry... forgot to say: Plasma x86_64
CVE-2022-0778 is for openssl. Is this for CVE-2022-32212? https://www.opencve.io/cve/CVE-2022-32212
CC: (none) => davidwhodgins
Indeed, we missed the most important reference: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/ So this update actually fixes CVE-2022-3221[2-5].
Summary: nodejs new security issues CVE-2021-43616 and CVE-2022-0778 => nodejs new security issues CVE-2021-43616 and CVE-2022-3221[2-5]
Validating based on comment 20. Advisory committed to svn.
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs
(In reply to David Walser from comment #23)
> Indeed, we missed the most important reference:
> https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
>
> So this update actually fixes CVE-2022-3221[2-5].

What does bother me a bit is this is not mentioned anywhere in the nodejs release notes. Am I overlooking anything?
No. With nodejs you always have to look for the security announcements.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0294.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
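As an added example, not part of this bug thread or of Mageia's own QA tooling, the following POSIX shell check compares an installed nodejs package's version-release against the fixed 14.20.0-1.1.mga8 build named in the advisory above, so an administrator can tell whether a Mageia 8 host has picked up MGASA-2022-0294. The sample package names fed to it are constructed (only 14.18.3-2.1.mga8 and 14.20.0-1.1.mga8 appear in the thread; the 14.19.0 release tag is invented), and version ordering is done with GNU `sort -V` as a simplification of rpm's own comparison, which is an assumption, not how the distribution checks it.

```shell
#!/bin/sh
# Added example (not from the bug thread): check whether an installed Mageia 8
# nodejs package is at or above the fixed version named in MGASA-2022-0294.
FIXED_EVR="14.20.0-1.1.mga8"   # from the SRPM nodejs-14.20.0-1.1.mga8.src.rpm in the advisory

# nodejs_evr nodejs-VERSION-RELEASE[.ARCH] -> VERSION-RELEASE
# Strips a trailing architecture suffix and the leading package name.
nodejs_evr() {
    echo "$1" | sed -E 's/\.(x86_64|i586|noarch)$//; s/^nodejs-//'
}

# version_ge A B: succeeds when A sorts at or after B in version order.
# Assumption: GNU coreutils sort -V is available (simplification of rpm's comparison).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# is_fixed nodejs-NVRA: prints "fixed" when the package is at least FIXED_EVR,
# "vulnerable" otherwise.
is_fixed() {
    if version_ge "$(nodejs_evr "$1")" "$FIXED_EVR"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample of `rpm -q nodejs` output; the 14.19.0 release tag is invented.
for pkg in nodejs-14.18.3-2.1.mga8.x86_64 \
           nodejs-14.19.0-1.mga8.x86_64 \
           nodejs-14.20.0-1.1.mga8.i586; do
    echo "$pkg: $(is_fixed "$pkg")"
done
```

On a real host the loop would be replaced by `is_fixed "$(rpm -q nodejs)"`; the pre-update 14.18.3 build and the 14.19.0 updates_testing build both report as vulnerable, since neither carries the July 2022 fixes that only landed with 14.20.0.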