Bug 31078 - nodejs new security issue CVE-2022-43548
Summary: nodejs new security issue CVE-2022-43548
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All, OS: Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-11-04 19:44 CET by christian barranco
Modified: 2022-11-13 03:27 CET

See Also:
Source RPM: nodejs-14.20.1-2.1.mga8.src.rpm, nodejs-18.9.1-2.mga9.src.rpm
CVE:
Status comment:


Attachments

Description christian barranco 2022-11-04 19:44:56 CET
Hi,
Upstream just released nodejs 14.21.1 to fix CVE-2022-43548
https://github.com/nodejs/node/releases/tag/v14.21.1

If the official maintainer doesn't have time, I can take care of it.
Just address it to me in that case.
Comment 1 David Walser 2022-11-04 21:06:47 CET
The advisory will be here:
https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/

Also fixed in 19.0.1:
https://nodejs.org/en/blog/release/v19.0.1/

Summary: Updated nodejs 14.21.1 fixes CVE-2022-43548 => nodejs new security issue CVE-2022-43548
Status comment: (none) => Fixed upstream in 14.21.1 and 19.0.1
Version: 8 => Cauldron
Source RPM: nodejs-14.20.1-2.1.mga8.src.rpm => nodejs-14.20.1-2.1.mga8.src.rpm, nodejs-18.9.1-2.mga9.src.rpm
Whiteboard: (none) => MGA8TOO

Comment 2 christian barranco 2022-11-05 07:59:13 CET
Hi,
When I wrote this report there was no update for 18.x yet.
I thought 18.x was not impacted, but David’s link shows 18.x impacted and fixed with 18.12.1.
18.12.1 is now released, but without release notes yet.
Anyway, should Cauldron be moved to the 19.x branch or stay on the new LTS branch, which is 18.x?
I would recommend staying on 18.x for MGA9, but what about Cauldron? Or are Cauldron and MGA9 still the same nowadays?
Comment 3 David Walser 2022-11-05 10:42:34 CET
They're still the same until Mageia 9 is released, and yes stick with 18.x.  There just wasn't a release for that yet when I posted.
Comment 4 christian barranco 2022-11-05 17:12:13 CET
Ok David. Just let me know whether it will be assigned to the official maintainer.
Comment 5 David Walser 2022-11-05 17:34:40 CET
Feel free to take care of it.  The official maintainer doesn't help with security updates.
christian barranco 2022-11-05 17:36:51 CET

Assignee: bugsquad => chb0

christian barranco 2022-11-05 17:39:25 CET

Status comment: Fixed upstream in 14.21.1 and 19.0.1 => Fixed upstream in 14.21.1 and 18.12.1

Comment 6 christian barranco 2022-11-06 19:40:22 CET
Ready for QA.



ADVISORY NOTICE PROPOSAL
========================
Updated nodejs packages fix security vulnerability


Description
This is a security release.

The following CVE is fixed in this release:
* CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP address (Medium)

Beforehand, 14.21.0 provided the following changes:
deps:
* update corepack to 0.14.2 (Node.js GitHub Bot) #44775
src:
* add --openssl-shared-config option (Daniel Bevenius) #43124

References
https://bugs.mageia.org/show_bug.cgi?id=31078
https://github.com/nodejs/node/releases/tag/v14.21.1
https://github.com/nodejs/node/releases/tag/v14.21.0
https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/



SRPMS
8/core
nodejs-14.21.1-1.1.mga8.src.rpm


PROVIDED PACKAGES:

nodejs-docs-14.21.1-1.1.mga8
nodejs-libs-14.21.1-1.1.mga8
nodejs-devel-14.21.1-1.1.mga8
nodejs-14.21.1-1.1.mga8
v8-devel-8.4.371.23.1.mga8-6.1.mga8
npm-6.14.17-1.14.21.1.1.1.mga8

PACKAGES FOR QA TESTING
=======================
x86_64:

nodejs-docs-14.21.1-1.1.noarch.rpm
nodejs-libs-14.21.1-1.1.mga8.x86_64.rpm
nodejs-devel-14.21.1-1.1.mga8.x86_64.rpm
nodejs-14.21.1-1.1.mga8.x86_64.rpm
v8-devel-8.4.371.23.1.mga8-6.1.mga8.x86_64.rpm
npm-6.14.17-1.14.21.1.1.1.mga8.x86_64.rpm


i586:

nodejs-docs-14.21.1-1.1.noarch.rpm
nodejs-libs-14.21.1-1.1.mga8i586.rpm
nodejs-devel-14.21.1-1.1.mga8i586.rpm
nodejs-14.21.1-1.1.mga8i586.rpm
v8-devel-8.4.371.23.1.mga8-6.1.mga8i586.rpm
npm-6.14.17-1.14.21.1.1.1.mga8i586.rpm

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: chb0 => qa-bugs
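
The CVE line in the advisory above turns on how an inspector's host check decides what counts as an IP literal. As an added example that is not part of this bug report or of Node.js's own code, the snippet below contrasts a loose digits-and-dots test with a strict dotted-decimal one over constructed Host header values; the `hostHeaderAllowed` gatekeeper, the `SAMPLES` list and the loose check are hypothetical illustrations, and bracketed IPv6 literals are out of scope.

```javascript
// Added example (not from the bug report or the Node.js sources): a
// DNS-rebinding guard refuses inspector requests whose Host header is a DNS
// name, since such a name can be repointed at 127.0.0.1 after a page loads.
// That only holds if "is an IP literal" is decided as the browser decides
// it: a loose digits-and-dots test accepts spellings like "0177.0.0.1" or
// "127.0.0.09" that a browser may treat as host names and resolve over DNS,
// the "invalid octal IP address" gap the advisory names. IPv4 only here.

// Loose check (constructed to show the flawed pattern): digits and dots only,
// exactly three dots, no per-component validation.
function isIPv4Loose(host) {
  let dots = 0;
  for (const c of host) {
    if (c === '.') dots++;
    else if (c < '0' || c > '9') return false;
  }
  return dots === 3;
}

// Strict check: dotted-decimal only, four components, each 0..255 with no
// leading zero, so octal or hexadecimal spellings cannot pass.
function isIPv4Strict(host) {
  const parts = host.split('.');
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9][0-9]{0,2})$/.test(p) && Number(p) <= 255);
}

// Hypothetical gatekeeper: strip an optional :port, then allow plain
// "localhost" or an IP literal as judged by the supplied predicate.
function hostHeaderAllowed(hostHeader, isIP = isIPv4Strict) {
  const host = hostHeader.replace(/:\d+$/, '');
  return host === 'localhost' || isIP(host);
}

// Constructed sample Host header values; 9229 is the default inspector port.
const SAMPLES = ['127.0.0.1:9229', 'localhost:9229', 'evil.example:9229',
                 '0177.0.0.1:9229', '127.0.0.09:9229', '1.2.3:9229'];

// Per sample, what each check decides; loose=true/strict=false rows are the
// ambiguous literals the strict parser closes off.
function compareChecks(samples = SAMPLES) {
  return samples.map((host) => ({
    host,
    loose: hostHeaderAllowed(host, isIPv4Loose),
    strict: hostHeaderAllowed(host, isIPv4Strict),
  }));
}

for (const row of compareChecks()) console.log(row);
```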

Comment 7 David Walser 2022-11-06 20:40:07 CET
Additional reference:
https://nodejs.org/en/blog/release/v18.12.1/

Status comment: Fixed upstream in 14.21.1 and 18.12.1 => (none)

Comment 8 Herman Viaene 2022-11-07 11:32:42 CET
Trouble:
1. nodejs-docs-14.21.1-1.1.noarch.rpm not found in remote repository (using QARepo)

2. "Sorry, the following package cannot be selected:

- v8-devel-8.4.371.23.1.mga8-5.1.mga8.x86_64 (due to unsatisfied nodejs-devel[== 1:14.20.1-2.1.mga8])"

CC: (none) => herman.viaene

Comment 9 Thomas Andrews 2022-11-07 13:54:39 CET
There is a repeated typo in Comment 6, as well.

"mga8i586" should be "mga8.i586"

CC: (none) => andrewsfarm

Comment 10 christian barranco 2022-11-07 14:39:24 CET
(In reply to Herman Viaene from comment #8)
> Trouble:
> 1. nodejs-docs-14.21.1-1.1.noarch.rpm not found in remote repository (using
> QARepo)
> 
> 2. "Sorry, the following package cannot be selected:
> 
> - v8-devel-8.4.371.23.1.mga8-5.1.mga8.x86_64 (due to unsatisfied
> nodejs-devel[== 1:14.20.1-2.1.mga8])"

Hi Herman
It should be v8-devel-8.4.371.23.1.mga8-6.1 and not v8-devel-8.4.371.23.1.mga8-5.1
Was …-5.1… proposed by the system or is it a typo on your side?
Comment 11 Herman Viaene 2022-11-07 14:47:55 CET
No, it's all Ctrl-C Ctrl-V
Comment 12 christian barranco 2022-11-07 15:07:38 CET
Hi again.
Strange, because the list I posted doesn’t include …-5.1…
However, there is a typo on my side for nodejs-docs; sorry for that, and here is a correction:

x86_64:
nodejs-docs-14.21.1-1.1.mga8.noarch.rpm
nodejs-libs-14.21.1-1.1.mga8.x86_64.rpm
nodejs-devel-14.21.1-1.1.mga8.x86_64.rpm
nodejs-14.21.1-1.1.mga8.x86_64.rpm
v8-devel-8.4.371.23.1.mga8-6.1.mga8.x86_64.rpm
npm-6.14.17-1.14.21.1.1.1.mga8.x86_64.rpm

i586:
nodejs-docs-14.21.1-1.1.mga8.noarch.rpm
nodejs-libs-14.21.1-1.1.mga8.i586.rpm
nodejs-devel-14.21.1-1.1.mga8.i586.rpm
nodejs-14.21.1-1.1.mga8.i586.rpm
v8-devel-8.4.371.23.1.mga8-6.1.mga8.i586.rpm
npm-6.14.17-1.14.21.1.1.1.mga8.i586.rpm
Comment 13 Herman Viaene 2022-11-07 16:13:10 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues with the set from Comment 12
Ref bug 29872 for testing
$ npm ls -g
shows a long, long list
$ npm ls
/home/tester8/testupdates/nodejs
└── (empty)
$ npm install express
npm WARN saveError ENOENT: no such file or directory, open '/home/tester8/testupdates/nodejs/package.json'
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open '/home/tester8/testupdates/nodejs/package.json'
npm WARN nodejs No description
npm WARN nodejs No repository field.
npm WARN nodejs No README data
npm WARN nodejs No license field.

+ express@4.18.2
added 57 packages from 42 contributors and audited 57 packages in 18.612s

7 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
$ npm ls
/home/tester8/testupdates/nodejs
└─┬ express@4.18.2
  ├─┬ accepts@1.3.8
  │ ├─┬ mime-types@2.1.35
  │ │ └── mime-db@1.52.0
  │ └── negotiator@0.6.3
  ├── array-flatten@1.1.1
  ├─┬ body-parser@1.20.1
  │ ├── bytes@3.1.2
  │ ├── content-type@1.0.4 deduped
etc......
and at the end as in Len's example
npm ERR! extraneous: ms@2.1.3 /home/tester8/testupdates/nodejs/node_modules/send/node_modules/ms

Continuing testing
$ node helloworld.js
internal/modules/cjs/loader.js:905
  throw err;
  ^

Error: Cannot find module '/home/tester8/testupdates/nodejs/helloworld.js'

And indeed there is no such thing in the modules listed above, and the rest of Len's testing is abracadabra for me, so I'll not try to burn my fingers on it.
Comment 14 Len Lawrence 2022-11-08 10:37:27 CET
In reply to Herman, comment 13:
My bad.  Apologies.  I should have displayed the code.
e.g.
$ cat helloworld.js
/* Hello World! program in Node.js */
console.log("Hello World!");

The server example shows "HelloWorld" in a browser at localhost:8081/
$ cat main.js
var http = require("http");

http.createServer(function (request, response) {
   // Send the HTTP header
   // HTTP Status: 200 : OK
   // Content Type: text/plain
   response.writeHead(200, {'Content-Type': 'text/plain'});

   // Send the response body as "Hello World"
   response.end('Hello World\n');
}).listen(8081);

// Console will print the message
console.log('Server running at http://127.0.0.1:8081/');

// $ node main.js
// Check http://localhost:8081/

CC: (none) => tarazed25

Comment 15 Herman Viaene 2022-11-11 11:54:50 CET
That worked, tx Len.
To be complete
$ node --print-code
Welcome to Node.js v14.21.1.
Type ".help" for more information.
> var x = 17
undefined
> x*x
289
> .exit
Seems OK.

Whiteboard: (none) => MGA8-64-OK

Comment 16 Thomas Andrews 2022-11-12 00:06:47 CET
Validating. Advisory in Comment 6 with an additional reference in comment 7.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-11-13 00:25:12 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 17 Mageia Robot 2022-11-13 03:27:04 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0422.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

