Hi, upstream just released nodejs 14.21.1 to fix CVE-2022-43548: https://github.com/nodejs/node/releases/tag/v14.21.1 If the official maintainer doesn't have time, I can take care of it. Just assign it to me in that case.
The advisory will be here: https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/ Also fixed in 19.0.1: https://nodejs.org/en/blog/release/v19.0.1/
Summary: Updated nodejs 14.21.1 fixes CVE-2022-43548 => nodejs new security issue CVE-2022-43548
Status comment: (none) => Fixed upstream in 14.21.1 and 19.0.1
Version: 8 => Cauldron
Source RPM: nodejs-14.20.1-2.1.mga8.src.rpm => nodejs-14.20.1-2.1.mga8.src.rpm, nodejs-18.9.1-2.mga9.src.rpm
Whiteboard: (none) => MGA8TOO
Hi, when I wrote this report there was not any update for 18.x. I thought 18.x was not impacted, but David's link shows 18.x is impacted and fixed with 18.12.1. 18.12.1 is now released, but without release notes yet. Anyway, should Cauldron be moved to the 19.x branch or stay on the new LTS branch, which is 18.x? I would recommend staying on 18.x for MGA9, but what about Cauldron? Or are Cauldron and MGA9 still the same nowadays?
They're still the same until Mageia 9 is released, and yes stick with 18.x. There just wasn't a release for that yet when I posted.
Ok David. Just let me know whether it will be assigned to the official maintainer.
Feel free to take care of it. The official maintainer doesn't help with security updates.
Assignee: bugsquad => chb0
Status comment: Fixed upstream in 14.21.1 and 19.0.1 => Fixed upstream in 14.21.1 and 18.12.1
Ready for QA.

ADVISORY NOTICE PROPOSAL
========================

Updated nodejs packages fix security vulnerability

Description

This is a security release. The following CVE is fixed in this release:

* CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP address (Medium)

Beforehand, 14.21.0 has provided the following changes:

deps:
* update corepack to 0.14.2 (Node.js GitHub Bot) #44775
src:
* add --openssl-shared-config option (Daniel Bevenius) #43124

References
https://bugs.mageia.org/show_bug.cgi?id=31078
https://github.com/nodejs/node/releases/tag/v14.21.1
https://github.com/nodejs/node/releases/tag/v14.21.0
https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/

SRPMS
8/core
nodejs-14.21.1-1.1.mga8.src.rpm

PROVIDED PACKAGES:
nodejs-docs-14.21.1-1.1.mga8
nodejs-libs-14.21.1-1.1.mga8
nodejs-devel-14.21.1-1.1.mga8
nodejs-14.21.1-1.1.mga8
v8-devel-8.4.371.23.1.mga8-6.1.mga8
npm-6.14.17-1.14.21.1.1.1.mga8

PACKAGES FOR QA TESTING
=======================
x86_64:
nodejs-docs-14.21.1-1.1.noarch.rpm
nodejs-libs-14.21.1-1.1.mga8.x86_64.rpm
nodejs-devel-14.21.1-1.1.mga8.x86_64.rpm
nodejs-14.21.1-1.1.mga8.x86_64.rpm
v8-devel-8.4.371.23.1.mga8-6.1.mga8.x86_64.rpm
npm-6.14.17-1.14.21.1.1.1.mga8.x86_64.rpm

i586:
nodejs-docs-14.21.1-1.1.noarch.rpm
nodejs-libs-14.21.1-1.1.mga8i586.rpm
nodejs-devel-14.21.1-1.1.mga8i586.rpm
nodejs-14.21.1-1.1.mga8i586.rpm
v8-devel-8.4.371.23.1.mga8-6.1.mga8i586.rpm
npm-6.14.17-1.14.21.1.1.1.mga8i586.rpm
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: chb0 => qa-bugs
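The advisory above names the fixed issue only as "DNS rebinding in --inspect via invalid octal IP address". As an added example for readers of this report (not code from the Node.js project, the Mageia packages or any participant here), the block below contrasts a lenient inet_aton()-style IPv4 parser with the strict canonical-literal check that a Host-header validator on a loopback-bound debug endpoint needs: a host that only looks IP-shaped (0177.0.0.1, 127.1, 0x7f.1) is not a canonical literal and must not be treated as one. The function names, the accept rules, the IPv6 simplification and the sample hosts are assumptions made for illustration; the exact upstream bypass is not reproduced.

```javascript
// Added example for the bug thread above; not code from the Node.js project
// or from the Mageia packages. It illustrates the class of problem behind
// CVE-2022-43548 ("DNS rebinding in --inspect via invalid octal IP address"):
// the inspector's Host-header check must decide whether the host is an IP
// literal (safe: it cannot be rebound through DNS) or a name, and must do so
// the way clients do. Function names, accept rules and sample inputs are
// assumptions made for illustration; the exact upstream bypass is not
// reproduced here.

// inet_aton()-style lenient parser: 1 to 4 dot-separated parts, each decimal,
// octal (leading 0) or hex (0x); the last part fills the remaining bytes.
// Returns the canonical dotted-decimal string, or null if the text is not an
// address under those rules.
function lenientParseIPv4(text) {
  const parts = text.split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const values = [];
  for (const p of parts) {
    let v;
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) v = parseInt(p.slice(2), 16);
    else if (/^0[0-7]*$/.test(p)) v = parseInt(p, 8);
    else if (/^[1-9][0-9]*$/.test(p)) v = parseInt(p, 10);
    else return null; // "09" is neither octal nor decimal under these rules
    values.push(v);
  }
  const last = values.pop();
  const width = 4 - values.length; // bytes the last part must fill
  if (values.some((v) => v > 255) || last >= 2 ** (8 * width)) return null;
  const bytes = values.slice();
  for (let i = width - 1; i >= 0; i--) bytes.push((last >>> (8 * i)) & 0xff);
  return bytes.join('.');
}

// Strict check: exactly four decimal octets 0-255 with no leading zeros, so
// "0177", "017" and "09" can never match.
const DECIMAL_OCTET = '(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])';
const CANONICAL_IPV4 = new RegExp(`^${DECIMAL_OCTET}(?:\\.${DECIMAL_OCTET}){3}$`);

function isCanonicalIPv4(text) {
  return CANONICAL_IPV4.test(text);
}

// Host-header check of the kind a debug endpoint bound to loopback should
// perform: accept "localhost" or a canonical IP literal, optionally with a
// port, and reject everything else (a DNS name can be rebound to 127.0.0.1
// after the attacker's page has loaded). IPv6 is reduced to the bracketed
// loopback literal "[::1]" to keep the example short (simplifying assumption).
function isAllowedInspectorHost(hostHeader) {
  const value = hostHeader.trim().toLowerCase();
  const m = value.startsWith('[')
    ? /^(\[[^\]]*\])(?::\d{1,5})?$/.exec(value)
    : /^([^:]*)(?::\d{1,5})?$/.exec(value);
  if (m === null) return false;
  const host = m[1];
  if (host === 'localhost' || host === '[::1]') return true;
  return isCanonicalIPv4(host);
}

// Constructed sample Host header values: the interesting rows are those a
// lenient resolver maps to 127.0.0.1 while the strict check rejects them.
const SAMPLE_HOSTS = [
  '127.0.0.1:9229', 'localhost:9229', '[::1]:9229',
  '0177.0.0.1:9229', '127.1:9229', '0x7f.1:9229', '2130706433:9229',
  '1.09.0.0.1:9229', 'attacker.example:9229',
];

for (const h of SAMPLE_HOSTS) {
  const bare = h.replace(/:\d+$/, '');
  console.log(h.padEnd(24), 'strict:', isAllowedInspectorHost(h),
    'lenient:', lenientParseIPv4(bare));
}
```

The point of the two parsers side by side is that they disagree on exactly the inputs an attacker cares about: a string the strict check rejects but a permissive resolver still maps to 127.0.0.1 is a string whose classification (address or name) depends on who is parsing it, and a rebinding protector that accepts such strings as "an IP literal" is trusting the wrong parser.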
Additional reference: https://nodejs.org/en/blog/release/v18.12.1/
Status comment: Fixed upstream in 14.21.1 and 18.12.1 => (none)
Trouble:
1. nodejs-docs-14.21.1-1.1.noarch.rpm not found in remote repository (using QARepo)
2. "Sorry, the following package cannot be selected:
- v8-devel-8.4.371.23.1.mga8-5.1.mga8.x86_64 (due to unsatisfied nodejs-devel[== 1:14.20.1-2.1.mga8])"
CC: (none) => herman.viaene
There is a repeated typo in Comment 6, as well. "mga8i586" should be "mga8.i586"
CC: (none) => andrewsfarm
(In reply to Herman Viaene from comment #8)
> Trouble:
> 1. nodejs-docs-14.21.1-1.1.noarch.rpm not found in remote repository (using
> QARepo)
>
> 2. "Sorry, the following package cannot be selected:
>
> - v8-devel-8.4.371.23.1.mga8-5.1.mga8.x86_64 (due to unsatisfied
> nodejs-devel[== 1:14.20.1-2.1.mga8])"

Hi Herman,
It should be v8-devel-8.4.371.23.1.mga8-6.1 and not v8-devel-8.4.371.23.1.mga8-5.1. Was …-5.1… proposed by the system, or is it a typo on your side?
No, it's all Ctrl-C Ctrl-V
Hi again. Strange, because the list I posted doesn't include …-5.1… However, there is a typo on my side for nodejs-docs; sorry for that, and here is a correction:

x86_64:
nodejs-docs-14.21.1-1.1.mga8.noarch.rpm
nodejs-libs-14.21.1-1.1.mga8.x86_64.rpm
nodejs-devel-14.21.1-1.1.mga8.x86_64.rpm
nodejs-14.21.1-1.1.mga8.x86_64.rpm
v8-devel-8.4.371.23.1.mga8-6.1.mga8.x86_64.rpm
npm-6.14.17-1.14.21.1.1.1.mga8.x86_64.rpm

i586:
nodejs-docs-14.21.1-1.1.mga8.noarch.rpm
nodejs-libs-14.21.1-1.1.mga8.i586.rpm
nodejs-devel-14.21.1-1.1.mga8.i586.rpm
nodejs-14.21.1-1.1.mga8.i586.rpm
v8-devel-8.4.371.23.1.mga8-6.1.mga8.i586.rpm
npm-6.14.17-1.14.21.1.1.1.mga8.i586.rpm
MGA8-64 MATE on Acer Aspire 5253

No installation issues with the set from Comment 12.
Ref bug 29872 for testing.

$ npm ls -g
shows a long, long list

$ npm ls
/home/tester8/testupdates/nodejs
└── (empty)

$ npm install express
npm WARN saveError ENOENT: no such file or directory, open '/home/tester8/testupdates/nodejs/package.json'
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open '/home/tester8/testupdates/nodejs/package.json'
npm WARN nodejs No description
npm WARN nodejs No repository field.
npm WARN nodejs No README data
npm WARN nodejs No license field.

+ express@4.18.2
added 57 packages from 42 contributors and audited 57 packages in 18.612s

7 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ npm ls
/home/tester8/testupdates/nodejs
└─┬ express@4.18.2
  ├─┬ accepts@1.3.8
  │ ├─┬ mime-types@2.1.35
  │ │ └── mime-db@1.52.0
  │ └── negotiator@0.6.3
  ├── array-flatten@1.1.1
  ├─┬ body-parser@1.20.1
  │ ├── bytes@3.1.2
  │ ├── content-type@1.0.4 deduped
etc......
and at the end, as in Len's example:
npm ERR! extraneous: ms@2.1.3 /home/tester8/testupdates/nodejs/node_modules/send/node_modules/ms

Continuing testing:
$ node helloworld.js
internal/modules/cjs/loader.js:905
    throw err;
    ^

Error: Cannot find module '/home/tester8/testupdates/nodejs/helloworld.js'

And indeed there is no such thing in the modules listed above, and the rest of Len's testing is abracadabra for me, so I'll not try to burn my fingers on it.
In reply to Herman, comment 13: My bad. Apologies. I should have displayed the code, e.g.

$ cat helloworld.js
/* Hello World! program in Node.js */
console.log("Hello World!");

The server example shows "Hello World" in a browser at localhost:8081/

$ cat main.js
var http = require("http");

http.createServer(function (request, response) {
  // Send the HTTP header
  // HTTP Status: 200 : OK
  // Content Type: text/plain
  response.writeHead(200, {'Content-Type': 'text/plain'});

  // Send the response body as "Hello World"
  response.end('Hello World\n');
}).listen(8081);

// Console will print the message
console.log('Server running at http://127.0.0.1:8081/');

// $ node main.js
// Check http://localhost:8081/
CC: (none) => tarazed25
That worked, tx Len. To be complete:

$ node --print-code
Welcome to Node.js v14.21.1.
Type ".help" for more information.
> var x = 17
undefined
> x*x
289
> .exit

Seems OK.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 6 with an additional reference in comment 7.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0422.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED