Nodejs has issued an advisory today (September 23):
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/

The issues are fixed upstream in 14.20.1 and 18.9.1:
https://nodejs.org/en/blog/release/v14.20.1/
https://nodejs.org/en/blog/release/v18.9.1/

Mageia 8 is also affected by CVE-2022-32213 and CVE-2022-35256.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 14.20.1 and 18.9.1
Assigning to Joseph who is the registered and active maintainer for this pkg.
Assignee: bugsquad => joequant
Hi. I just sent an email to dev mail list proposing to update to the 16 LTS branch instead. I have tested that successfully so far locally. What do you think?
CC: (none) => chb0
14 is still supported. What would be the reason?
Some applications are starting to become impossible to build with 14.x. It works with 16.x and 18.x.
Which ones?
Signal-desktop for sure. The issue being with Electron, I would not be surprised Matrix clients (like Element) will also face issues, sooner or later. 14.x still receives security patches but the recommended LTS on nodejs web site is now 16.x
We don't build any electron apps, so that doesn't affect us.
Hi. We don't provide such apps in our repo but some users do build these apps, thanks to the dev environment we provide in MGA. I am one of them. I have my own repo and I have updated nodejs for MGA8. Not sure all users will do that even if they are knowledgeable enough to compile from source.
Hi again. I took care of Cauldron, which had started to fall behind version-wise, pending direction for MGA8.
Perhaps 16.x could go in backports. We can update 14.x for core.
ADVISORY NOTICE PROPOSAL
========================

Updated nodejs packages fix security vulnerability

Description

This is a security release. The following CVEs are fixed in this release:

CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
CVE-2022-32213: bypass via obs-fold mechanic (Medium)
CVE-2022-35256: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium)

References

https://bugs.mageia.org/show_bug.cgi?id=30887
https://github.com/nodejs/node/releases/tag/v14.20.1
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/

SRPMS

8/core
nodejs-14.20.1-1.1.mga8.src.rpm

PROVIDED PACKAGES:
nodejs-docs-14.20.1-1.1.mga8
nodejs-libs-14.20.1-1.1.mga8
nodejs-devel-14.20.1-1.1.mga8
nodejs-14.20.1-1.1.mga8
v8-devel-8.4.371.23.1.mga8-4.1.mga8
npm-6.14.17-1.14.20.1.1.1.mga8
corepack-14.20.1-1.1.mga8

PACKAGES FOR QA TESTING
=======================

x86_64:
nodejs-docs-14.20.1-1.1.noarch.rpm
nodejs-libs-14.20.1-1.1.mga8.x86_64.rpm
nodejs-devel-14.20.1-1.1.mga8.x86_64.rpm
nodejs-14.20.1-1.1.mga8.x86_64.rpm
v8-devel-8.4.371.23.1.mga8-4.1.mga8.x86_64.rpm
npm-6.14.17-1.14.20.1.1.1.mga8.x86_64.rpm
corepack-14.20.1-1.1.mga8.x86_64.rpm

i586:
nodejs-docs-14.20.1-1.1.noarch.rpm
nodejs-libs-14.20.1-1.1.mga8i586.rpm
nodejs-devel-14.20.1-1.1.mga8i586.rpm
nodejs-14.20.1-1.1.mga8i586.rpm
v8-devel-8.4.371.23.1.mga8-4.1.mga8i586.rpm
npm-6.14.17-1.14.20.1.1.1.mga8i586.rpm
corepack-14.20.1-1.1.mga8i586.rpm
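Added example, written for this page and not part of the bug report or of Node.js itself, to show the defender-side view of the CVEs listed in the advisory: a strict check that flags obs-fold header continuation lines (RFC 7230 obsolete line folding, the mechanic named in CVE-2022-32213), which a front-end proxy or a log review can use to reject such requests regardless of the runtime version, plus a check of a Node version string against the fixed versions this report gives (14.20.1 and 18.9.1). The sample request is constructed; the 16.x line is not covered by this report, so the version check answers null (unknown) for it.

```javascript
// Added example, not from the bug report or from Node.js itself.
// RFC 7230 section 3.2.4 "obs-fold": a header line that begins with SP or
// HTAB continues the previous field. Two parsers that disagree on whether
// such a line is a continuation or a new field can be desynchronised, which
// is the class of bug the advisory's obs-fold entry fixes. RFC 7230 lets a
// server or proxy reject such requests outright; this check finds them.
function findObsFold(rawRequest) {
  // Only the header block matters; stop at the first blank line.
  const end = rawRequest.indexOf('\r\n\r\n');
  const headerBlock = end === -1 ? rawRequest : rawRequest.slice(0, end);
  const lines = headerBlock.split('\r\n');
  const findings = [];
  // lines[0] is the request line; header fields start at index 1.
  for (let i = 1; i < lines.length; i++) {
    const line = lines[i];
    if (line.length > 0 && (line[0] === ' ' || line[0] === '\t')) {
      findings.push({ line: i, previous: lines[i - 1], folded: line });
    }
  }
  return findings;
}

// Fixed versions as stated in the advisory. Other release lines are not
// covered by this report, so the check answers null (unknown) for them.
const FIXED = { 14: [14, 20, 1], 18: [18, 9, 1] };

function isPatchedNode(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable Node version: ${version}`);
  const v = m.slice(1, 4).map(Number);
  const fixed = FIXED[v[0]];
  if (!fixed) return null;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] > fixed[i];
  }
  return true; // exactly the fixed version
}

// Constructed sample: one request whose third header line is folded.
const SAMPLE_FOLDED =
  'GET / HTTP/1.1\r\nHost: example.test\r\nX-Note: first part\r\n' +
  ' second part\r\nContent-Length: 0\r\n\r\n';

console.log(findObsFold(SAMPLE_FOLDED));       // one finding, at line 3
console.log(isPatchedNode(process.version));   // verdict for this runtime
```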
nodejs 14.20.1 ready for QA. Having 16.x in backports could be, indeed, a good idea. The only issue is we'll have 3 versions to maintain. So, as MGA9 is not so far away, I propose we monitor whether someone asks for it.
Assignee: joequant => qa-bugs
Agreed.
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Status comment: Fixed upstream in 14.20.1 and 18.9.1 => (none)
mga8, x86_64 Just tried to install the release packages but faltered on corepack because there is no /usr/bin/pwsh. Where does pwsh come from?
CC: (none) => tarazed25
Keywords: (none) => feedback
corepack is a broken package. /usr/bin/pwsh is Microsoft's powershell. It is available on some other distros, but not on Mageia. https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-linux?view=powershell-7.2 It's distributed under the MIT license via github. https://github.com/PowerShell/PowerShell/blob/master/LICENSE.txt
CC: (none) => davidwhodgins
Either powershell can be added to fix the bug, or corepack can be excluded from the testing as its bug is not a regression. Up to Christian to decide.
Hi. I don't remember we had this issue with corepack before. Have we?
Ok. Got it now. In fact, in all my tests, I have installed only nodejs (and npm). I have never had to install corepack. corepack is indeed provided by the nodejs package, but it is not always required and not installed together with nodejs by default. Corepack was already broken in the previous release.

Looking at the Cauldron package, the corepack package is not provided anymore. However, its bin files are still installed through the nodejs installation.

Fedora Nodejs ships the corepack package as well, but doesn't have a pwsh package in their official repo. One can get it through a tier repo, listed on the MSFT site.

openSUSE Nodejs ships the corepack package and they also have a package for PowerShell. However, the pwsh package is in fact the pwsh bin found on GitHub, encapsulated into an openSUSE rpm; it is not built from source. Looking quickly on GitHub at how to build from source, it looks like we'll need to do things offline with some MSFT tools before packaging. I am not sure everything can be built from source. It might be the reason why openSUSE is not doing it either.

My proposal: as this package was broken already (has it even worked one day?) and it is not in Cauldron anymore, I propose to remove it and to remove the bin from the installation. Let me know in case you think differently.
Source RPM: nodejs-18.7.0-2.mga9.src.rpm => nodejs-14.20.0-1.1.mga8.src.rpm
If it's usable if you do install powershell, I don't see a need to remove it.
Updated the packages without corepack. There was a problem with v8-devel. Lost the error message but it referred to a missing version of nodejs-devel. Installed the v8-devel package manually from the local repository later without any trouble.

$ rpm -qa | grep nodejs
nodejs-libs-14.20.1-1.1.mga8
nodejs-docs-14.20.1-1.1.mga8
nodejs-14.20.1-1.1.mga8
nodejs-packaging-23-3.mga8
nodejs-devel-14.20.1-1.1.mga8
$ rpm -q v8-devel
v8-devel-8.4.371.23.1.mga8-4.1.mga8

Referred to bug 29872 for testing. Removed previous installation from the test directory:
$ rm -rf node_modules
$ npm ls -g
displayed a tree at /usr/lib/npm@6.14.17
$ npm ls
returned a stream of errors like:
npm ERR! missing: http-errors@1.8.1, required by raw-body@2.4.3
npm ERR! missing: iconv-lite@0.4.24, required by raw-body@2.4.3
npm ERR! missing: unpipe@1.0.0, required by raw-body@2.4.3
npm ERR! missing: safe-buffer@5.2.1, required by content-disposition@0.5.4
$ npm install express
<various packages downloaded and installed locally>
npm WARN saveError ENOENT: no such file or directory, open '/home/lcl/qa/nodejs/package.json'
npm WARN enoent ENOENT: no such file or directory, open '/home/lcl/qa/nodejs/package.json'
npm WARN nodejs No description
npm WARN nodejs No repository field.
npm WARN nodejs No README data
npm WARN nodejs No license field.
+ express@4.18.1
added 57 packages from 42 contributors and audited 57 packages in 7.307s
7 packages are looking for funding
  run `npm fund` for details
found 0 vulnerabilities
$ npm ls
<lists the modules installed locally>
[...]
│ └── mime-types@2.1.35 deduped
├── utils-merge@1.0.1
└── vary@1.1.2
npm ERR! extraneous: ms@2.1.3 /home/lcl/qa/nodejs/node_modules/send/node_modules/ms
That all looks OK.
$ npm search express
NAME | DESCRIPTION | AUTHOR | DATE
express | Fast,… | =mikeal… | 2022-
path-to-regexp | Express style path… | =blakeembrey… | 2022-
express-handlebars | A Handlebars view… | =ericf =sahat… | 2022-
.....
$ node helloworld.js
Hello World!
$ node main.js
Server running at http://127.0.0.1:8081/
....
Tried http://localhost:8081/ in firefox - 'Hello World' displayed.

Ran node interactively using
$ node --print-code
That worked fine for simple arithmetic. Ran the main.js in an interactive session and that worked as well. 'Hello World' appeared in the browser at port 8081. All the code involved was listed in the terminal down to assembler level.

$ urpmq --whatrequires nodejs | sort -u | grep -v nodejs
corepack
jupyter-jupyterlab
npm
python3-jupyterlab
ruby-execjs
uglify-js1
ycssmin

Leaving it there but need to reproduce the installation error. IIRC there was a problem in the v8 area on an earlier bug.
Hi. There is an update on Testing. I mirrored the approach of Cauldron. The corepack package is no more there. Please, give it a try. It should work.

ADVISORY NOTICE PROPOSAL => UPDATE
========================

Updated nodejs packages fix security vulnerability

Description

This is a security release. The following CVEs are fixed in this release:

CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
CVE-2022-32213: bypass via obs-fold mechanic (Medium)
CVE-2022-35256: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium)

References

https://bugs.mageia.org/show_bug.cgi?id=30887
https://github.com/nodejs/node/releases/tag/v14.20.1
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/

SRPMS

8/core
nodejs-14.20.1-2.1.mga8.src.rpm

PROVIDED PACKAGES:
nodejs-docs-14.20.1-2.1.mga8
nodejs-libs-14.20.1-2.1.mga8
nodejs-devel-14.20.1-2.1.mga8
nodejs-14.20.1-2.1.mga8
v8-devel-8.4.371.23.1.mga8-4.1.mga8
npm-6.14.17-1.14.20.1.1.1.mga8

PACKAGES FOR QA TESTING
=======================

x86_64:
nodejs-docs-14.20.1-2.1.noarch.rpm
nodejs-libs-14.20.1-2.1.mga8.x86_64.rpm
nodejs-devel-14.20.1-2.1.mga8.x86_64.rpm
nodejs-14.20.1-2.1.mga8.x86_64.rpm
v8-devel-8.4.371.23.1.mga8-4.1.mga8.x86_64.rpm
npm-6.14.17-1.14.20.1.1.1.mga8.x86_64.rpm

i586:
nodejs-docs-14.20.1-2.1.noarch.rpm
nodejs-libs-14.20.1-2.1.mga8i586.rpm
nodejs-devel-14.20.1-2.1.mga8i586.rpm
nodejs-14.20.1-2.1.mga8i586.rpm
v8-devel-8.4.371.23.1.mga8-4.1.mga8i586.rpm
npm-6.14.17-1.14.20.1.1.1.mga8i586.rpm
Keywords: feedback => (none)
Sorry, forgot I had to increment the v8 package as well. Here is the right list of packages:

ADVISORY NOTICE PROPOSAL => UPDATE #2
========================

Updated nodejs packages fix security vulnerability

Description

This is a security release. The following CVEs are fixed in this release:

CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
CVE-2022-32213: bypass via obs-fold mechanic (Medium)
CVE-2022-35256: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium)

References

https://bugs.mageia.org/show_bug.cgi?id=30887
https://github.com/nodejs/node/releases/tag/v14.20.1
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/

SRPMS

8/core
nodejs-14.20.1-2.1.mga8.src.rpm

PROVIDED PACKAGES:
nodejs-docs-14.20.1-2.1.mga8
nodejs-libs-14.20.1-2.1.mga8
nodejs-devel-14.20.1-2.1.mga8
nodejs-14.20.1-2.1.mga8
v8-devel-8.4.371.23.1.mga8-5.1.mga8
npm-6.14.17-1.14.20.1.2.1.mga8

PACKAGES FOR QA TESTING
=======================

x86_64:
nodejs-docs-14.20.1-2.1.noarch.rpm
nodejs-libs-14.20.1-2.1.mga8.x86_64.rpm
nodejs-devel-14.20.1-2.1.mga8.x86_64.rpm
nodejs-14.20.1-2.1.mga8.x86_64.rpm
v8-devel-8.4.371.23.1.mga8-5.1.mga8.x86_64.rpm
npm-6.14.17-1.14.20.1.2.1.mga8.x86_64.rpm

i586:
nodejs-docs-14.20.1-2.1.noarch.rpm
nodejs-libs-14.20.1-2.1.mga8i586.rpm
nodejs-devel-14.20.1-2.1.mga8i586.rpm
nodejs-14.20.1-2.1.mga8i586.rpm
v8-devel-8.4.371.23.1.mga8-5.1.mga8i586.rpm
npm-6.14.17-1.14.20.1.2.1.mga8i586.rpm
Thanks Christian. Moved to another system and started again. All went well. Repeated the tests in the same test directory and again, no problems. Finished with
$ node --print-code
> .load main.js
> .save session
> .exit
During the session port 8081 was available in a browser -> Hello World
Server closed by the exit command. All the code was displayed on screen. The session file contained the javascript code only.
This looks good.
Whiteboard: (none) => MGA8-64-OK
(In reply to David Walser from comment #19)
> If it's usable if you do install powershell, I don't see a need to remove it.

The thing is that I don't see how to install it as a package. Maybe the bin could be provided by the powershell website, extracted from their linux tarball. The trick used in Cauldron is that the corepack bin is still installed during the nodejs package install, but not anymore as a separate package. The hard dependencies on pwsh have been stripped as well. I don't know how to test this, assuming it works to get the pwsh bin from their website. But, as it is the Cauldron strategy, I am assuming it should work. Or am I overlooking something?
What you described as to what the Cauldron version does, makes sense. But yeah, presumably if you wanted to use it, you would install it from Microsoft's repo. But since we can't provide it, we do need to strip the requires on /bin/pwsh (could also add Recommends: powershell, for those that do have the repo configured).
(In reply to David Walser from comment #25)
> What you described as to what the Cauldron version does, makes sense. But yeah, presumably if you wanted to use it, you would install it from Microsoft's repo. But since we can't provide it, we do need to strip the requires on /bin/pwsh

So, this part is done in the update I pushed earlier on. The only change is corepack is not a separate package anymore. It is bundled within the nodejs package. Is it ok like this (and so, like in Cauldron)?

> (could also add Recommends: powershell, for those that do have the repo configured).

The thing is, beside the RedHat repo, assuming it really works with Mageia, there will be no repo to turn to for our Mageia users. The only way would be to download powershell directly from GitHub; this one might work, but I have not tested:
https://github.com/PowerShell/PowerShell/releases/download/v7.2.6/powershell-7.2.6-linux-x64.tar.gz
In such condition, is it still useful to add Recommends: powershell? Would it lead to an installation issue, especially with MCC, if not found?
Their repo would work with dnf, so the Recommends could still be moderately useful on Mageia, but it's not that important. The important thing is to filter out the requires on /bin/pwsh.
(In reply to David Walser from comment #27)
> Their repo would work with dnf, so the Recommends could still be moderately useful on Mageia, but it's not that important. The important thing is to filter out the requires on /bin/pwsh.

Done in the update pushed earlier on. Ok with you David? Thanks for taking the time to share your knowledge with me.
Yeah it doesn't sound like any more adjustments need to be made to the update candidate. If you want to add the recommends, I would just do that in Cauldron (and only in SVN, no need to push a new build).
(In reply to David Walser from comment #29)
> Yeah it doesn't sound like any more adjustments need to be made to the update candidate. If you want to add the recommends, I would just do that in Cauldron (and only in SVN, no need to push a new build).

There is an update to be done for Cauldron to stick to the latest release. I can do it. Just to make sure, because I have never done it: if Recommends: powershell is added and it doesn't exist in the repo, it will not block or raise warnings during the installation, especially with MCC?
That's correct.
Validating. Advisory in Comment 22.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0354.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED