Node.js will be releasing new versions tomorrow (February 16):
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/
The next 18.x I guess will be either 18.14.1 or 18.15.0.
There was also an 18.14.0 bugfix release since our last update:
https://nodejs.org/en/blog/release/v18.14.0/
Mageia 8 is also affected as the 14.x branch will also receive an update.
Whiteboard: (none) => MGA8TOO
Christian looks to be the active maintainer for nodejs, so assigning this to you. lavache indeed!
Assignee: bugsquad => chb0
Summary: nodejs new security issues fixed upstream in 18.15.0 => nodejs new security issues fixed upstream in 18.14.1
Hi. For the record:
MGA9 -> 18.14.1
MGA8 -> 14.21.3
The blog post in Comment 0 has been updated with the CVEs. CVE-2023-23918 and CVE-2023-23920 affect Mageia 8.
Release announcements:
https://nodejs.org/en/blog/release/v14.21.3/
https://nodejs.org/en/blog/release/v18.14.1/
Summary: nodejs new security issues fixed upstream in 18.14.1 => nodejs new security issues fixed upstream in 18.14.1 (CVE-2023-2391[89], CVE-2023-23936, CVE-2023-24807, CVE-2023-23920)
Ready for QA
Summary: nodejs new security issues fixed upstream in 18.14.1 (CVE-2023-2391[89], CVE-2023-23936, CVE-2023-24807, CVE-2023-23920) => nodejs new security issues fixed upstream in 18.14.1 and 14.21.3 (CVE-2023-2391[89], CVE-2023-23936, CVE-2023-24807, CVE-2023-23920)
Source RPM: nodejs-18.13.0-1.mga9.src.rpm => nodejs-14.21.1-1.1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
ADVISORY NOTICE PROPOSAL
========================

Updated nodejs packages fix security vulnerability

Description

The following CVEs are fixed in this release:

CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)

More detailed information on each of the vulnerabilities can be found in the February 2023 Security Releases blog post.

This security release includes OpenSSL security updates as outlined in the recent OpenSSL security advisory.

This security release also includes an npm update for Node.js 14 to address a number of CVEs which either do not affect Node.js or are low severity in the context of Node.js. You can get more details for the individual CVEs in nodejs-dependency-vuln-assessments.

References
https://bugs.mageia.org/show_bug.cgi?id=31559
https://github.com/nodejs/node/releases/tag/v14.21.3
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/
https://www.openssl.org/news/secadv/20230207.txt

SRPMS
8/core
nodejs-14.21.3-1.mga8.src.rpm

PROVIDED PACKAGES:
nodejs-docs-14.21.3-1.mga8
nodejs-libs-14.21.3-1.mga8
nodejs-devel-14.21.3-1.mga8
nodejs-14.21.3-1.mga8
v8-devel-8.4.371.23.1.mga8-7.mga8
npm-6.14.17-1.14.21.3.1.mga8

PACKAGES FOR QA TESTING
=======================
x86_64:
nodejs-docs-14.21.3-1.noarch.rpm
nodejs-libs-14.21.3-1.mga8.x86_64.rpm
nodejs-devel-14.21.3-1.mga8.x86_64.rpm
nodejs-14.21.3-1.mga8.x86_64.rpm
v8-devel-8.4.371.23.1.mga8-7.mga8.x86_64.rpm
npm-6.14.18-1.14.21.3.1.mga8.x86_64.rpm

i586:
nodejs-docs-14.21.3-1.noarch.rpm
nodejs-libs-14.21.3-1.mga8i586.rpm
nodejs-devel-14.21.3-1.mga8i586.rpm
nodejs-14.21.3-1.mga8i586.rpm
v8-devel-8.4.371.23.1.mga8-7.mga8i586.rpm
npm-6.14.18-1.14.21.3.1.mga8i586.rpm
Assignee: chb0 => qa-bugs
CC: (none) => chb0
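As an added example (not part of the bug report or of Mageia's packaging), a small POSIX sh check that classifies a Node.js version string against the fixed releases this advisory names, 14.21.3 on the 14.x branch and 18.14.1 on 18.x. The floor table comes from the release announcements above; the function names are assumptions of this example, and any branch not listed is reported as unknown rather than assumed fixed.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a Node.js version
# against the fixed releases this advisory names. Floor table from the
# release announcements; function names are assumptions of this example.

# Minimum fixed version per major branch (14.21.3 and 18.14.1 per the bug).
fixed_floor_for_major() {
    case "$1" in
        14) echo "14.21.3" ;;
        18) echo "18.14.1" ;;
        *)  echo "" ;;      # branch not covered by this advisory
    esac
}

# version_ge A B: exit 0 when dotted version A >= B (pure POSIX sh).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0
}

# node_fix_status VERSION: prints fixed, vulnerable or unknown-branch.
# Accepts "v14.21.1" (node --version) or "14.21.3-2.1.mga8" (rpm -q output).
node_fix_status() {
    ver="${1#v}"
    ver="${ver%%-*}"            # drop the packaging release suffix
    major="${ver%%.*}"
    floor="$(fixed_floor_for_major "$major")"
    if [ -z "$floor" ]; then
        echo "unknown-branch"
    elif version_ge "$ver" "$floor"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# Report on the locally installed node, if there is one.
if command -v node >/dev/null 2>&1; then
    v="$(node --version)"
    echo "node $v: $(node_fix_status "$v")"
fi
```

The same function can be fed `rpm -q --qf '%{VERSION}-%{RELEASE}' nodejs` output to check a package version without running node.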
Using QARepo:
nodejs-docs-14.21.3-1.noarch.rpm not found in the remote repository
v8-devel-8.4.371.23.1.mga8-7.mga8.x86_64.rpm not found in the remote repository
CC: (none) => herman.viaene
Sorry, spelling mistakes... Should be better with:

PACKAGES FOR QA TESTING
=======================
x86_64:
nodejs-docs-14.21.3-1.mga8.noarch.rpm
nodejs-libs-14.21.3-1.mga8.x86_64.rpm
nodejs-devel-14.21.3-1.mga8.x86_64.rpm
nodejs-14.21.3-1.mga8.x86_64.rpm
v8-devel-8.4.371.23.mga8-7.mga8.x86_64.rpm
npm-6.14.18-1.14.21.3.1.mga8.x86_64.rpm

i586:
nodejs-docs-14.21.3-1.mga8.noarch.rpm
nodejs-libs-14.21.3-1.mga8.i586.rpm
nodejs-devel-14.21.3-1.mga8.i586.rpm
nodejs-14.21.3-1.mga8.i586.rpm
v8-devel-8.4.371.23.mga8-7.mga8.i586.rpm
npm-6.14.18-1.14.21.3.1.mga8.i586.rpm
mageia8, x86_64

Prior to updating I installed most of the packages.

$ sudo urpmi v8-devel
The following package cannot be installed because it depends on packages
that are older than the installed ones:
v8-devel-8.4.371.23.1.mga8-6.1.mga8
Continue installation anyway? (Y/n)

This is looking familiar. I forget how it was sorted out before.

$ rpm -qa | grep nodejs
nodejs-chownr-2.0.0-1.mga8
nodejs-tar-6.0.5-1.1.mga8
nodejs-devel-14.21.3-1.mga8
nodejs-minipass-3.1.3-2.mga8
nodejs-packaging-23-3.mga8
nodejs-safe-buffer-5.1.2-3.mga8
nodejs-yallist-4.0.0-1.mga8
nodejs-libs-14.21.3-1.mga8
nodejs-fs-minipass-2.0.1-2.mga8
nodejs-docs-14.21.3-1.mga8
nodejs-minizlib-2.1.2-2.mga8
nodejs-14.21.3-1.mga8
nodejs-mkdirp-1.0.4-2.mga8
nodejs-minimist-1.2.7-1.mga8

No v8 packages on the system.
CC: (none) => tarazed25
Assignee: qa-bugs => chb0
Hi. The subrel used for the previous release has tricked me... There is an update now in core/updates_testing.

Ready for QA!

PACKAGES FOR QA TESTING
=======================
x86_64:
v8-devel-8.4.371.23.1.mga8-7.1.mga8.x86_64.rpm
nodejs-devel-14.21.3-2.1.mga8.x86_64.rpm
nodejs-14.21.3-2.1.mga8.x86_64.rpm
npm-6.14.18-1.14.21.3.2.1.mga8.x86_64.rpm
nodejs-docs-14.21.3-2.1.mga8.noarch.rpm
nodejs-libs-14.21.3-2.1.mga8.x86_64.rpm

i586:
v8-devel-8.4.371.23.1.mga8-7.1.mga8.i586.rpm
nodejs-devel-14.21.3-2.1.mga8.i586.rpm
nodejs-14.21.3-2.1.mga8.i586.rpm
npm-6.14.18-1.14.21.3.2.1.mga8.i586.rpm
nodejs-docs-14.21.3-2.1.mga8.noarch.rpm
nodejs-libs-14.21.3-2.1.mga8.i586.rpm
Yes, it works now. All packages updated fine.
Referred to previous bug 30887 for testing. Removed the previous modules.

$ npm ls -g
/usr/lib
├── corepack@0.15.1
└─┬ npm@6.14.18
  ├── abbrev@1.1.1
  ├── ansicolors@0.3.2
  [...]

$ npm ls
displayed a stream of error messages of this type:
npm ERR! missing: mime-types@2.1.35, required by type-is@1.6.18

$ npm install express
A number of warnings and error messages were displayed, ending up with:
+ express@4.18.2
added 57 packages from 42 contributors and audited 57 packages in 7.46s
7 packages are looking for funding
  run `npm fund` for details
found 0 vulnerabilities

$ npm ls
displayed a tree containing the newly installed modules.

$ npm search express
NAME               | DESCRIPTION          | AUTHOR          | DATE
express            | Fast,…               | =mikeal…        | 2022-10-08
express-handlebars | A Handlebars view…   | =ericf =sahat…  | 2023-01-25
cors               | Node.js CORS…        | =dougwilson…    | 2018-11-04
path-to-regexp     | Express style path…  | =blakeembrey…   | 2022-05-06
connect-redis      | Redis session store… | =tjholowaychuk… | 2023-02-28
....

$ node helloworld.js
Hello World!

$ node main.js
Server running at http://127.0.0.1:8081/
'Hello World' showed in a browser at that URL.

The REPL works for simple arithmetic:
$ node --print-code
Welcome to Node.js v14.21.3.
Type ".help" for more information.
> a = 4
4
> b=22.3
22.3
> a*b
89.2

Tried exit to leave - response was a code listing:
[...]
0xcee1e248fdb  deopt inlining id (-1)
0xcee1e248fdb  deopt reason ((unknown))
0xcee1e248fdb  deopt index
0xcee1e248fe3  runtime entry (lazy deoptimization bailout)
--- End code ---
it
Uncaught ReferenceError: exit is not defined
>
> .load main.js
var http = require("http");
http.createServer(function (request, response) {
   // Send the HTTP header
   // HTTP Status: 200 : OK
   // Content Type: text/plain
   response.writeHead(200, {'Content-Type': 'text/plain'});
   // Send the response body as "Hello World"
   response.end('Hello World\n');
}).listen(8081);
[...]
<During this session port 8081 opened in a browser displaying 'Hello World'>
> .save session
Session saved to: session
> .exit

$ cat session
repeated all of the above except the error report for 'exit'.

$ urpmq --whatrequires nodejs | sort -u | grep -v nodejs
jupyter-jupyterlab
npm
python3-jupyterlab
ruby-execjs
uglify-js1
ycssmin

Leaving it there. npm has been running fine. There appears to be a ruby binding for javascript - might investigate that sometime.
Giving this the green light.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in comment 5.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0078.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED