Upstream just released a series of security fixes for current nodejs versions. https://github.com/nodejs/node/releases/tag/v18.16.1 MGA8 version has been end of life for about 2 months and will not benefit from these fixes. I have been using nodejs 18 for some time on MGA8 for my own needs and without any issue. It is more the other way around as some applications don't build with nodejs 14 anymore. Hence, I propose to switch to 18.16.1 which is the new LTS version. I can take care of it if you agree.
Thanks for the report, and the work on nodejs. You have just updated to 18.16.1.

> I can take care of it if you agree

You being? In any case, yourself being the current active packager for nodejs, you are the authority. CC'ing Joseph who used to do it, in case he has any comment to make.
Assignee: bugsquad => chb0
CC: (none) => joequant
Thanks Lewis I will wait a few days for Joseph's feedback and I will proceed, if no objection.
Upstream advisory from June 20: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases I don't know enough about nodejs to know what difference it would make, but since Mageia 9 is getting close, I don't know that it matters that 18 is an LTS branch there, and 16 is a smaller jump. Go ahead and take care of it though, as Joseph ignores Bugzilla.
Status comment: (none) => Fixed upstream in 16.20.1 and 18.16.1
Summary: Upgrade nodejs to 18.16.1 for security reason => nodejs new security issues CVE-2023-3058[1-9] and CVE-2023-30590
No. Not ignoring. Just super swamped. If you want to rebuild, then please take ownership of the issue, and if you want to take over management of nodejs feel free to change the maintainer. I'm trying to reduce my packages so that I can focus on a few critical ones. Nodejs shouldn't be too bad to fix. It's the libraries that are a PITA.
CC: (none) => joequant
Hi Joseph. Up to you. I can also be a support to offload you a bit and you keep the maintainer role. However, I don't think I can take over the maintainer role if you don't sign off from it (tbc). Meanwhile, 18.16.1 is now ready for QA.
Assignee: chb0 => qa-bugs
I can sign anything you want me do. Let me know your username and I can move anything to you. My problem right now is that I am doing too much stuff (some of it involving Mageia). But anything that you can do to help me off-load would be appreciated.
(In reply to Joseph Wang from comment #6)
> I can sign anything you want me do. Let me know your username
> and I can move anything to you.
>
> My problem right now is that I am doing too much stuff (some of it involving
> Mageia). But anything that you can do to help me off-load would be
> appreciated.

You can assign nodejs to me then: squidf
I think that you have to assign yourself as maintainer....

(base) [joe@mcdull truflation-data (main)]$ mgarepo maintdb set nodejs squidf
Error: cannot set someone else as maintainer.
error: command failed: ssh maintdb.mageia.org /usr/local/bin/wrapper.maintdb set nodejs squidf

Feel free to go ahead.
(In reply to Joseph Wang from comment #8)
> I think that you have to assign yourself as maintainer....
>
> (base) [joe@mcdull truflation-data (main)]$ mgarepo maintdb set nodejs squidf
> Error: cannot set someone else as maintainer.
> error: command failed: ssh maintdb.mageia.org /usr/local/bin/wrapper.maintdb
> set nodejs squidf
>
>
> Feel free to go ahead.

I cannot. From the wiki: "You can only do this if the package is currently maintained by nobody"

But I have not found how you can remove yourself from the maintainer role or to assign it to nobody, to start with.
Joseph has to assign it to nobody, then you can assign it to yourself.
Assigned to nobody. It's free now.
Also if you want to take ownership of any of the nodejs-packages, let me know.
List of packages please.
CC: (none) => herman.viaene
nodejs-docs-18.16.1-1.mga8
npm-9.5.1-1.18.16.1.1.mga8
nodejs-18.16.1-1.mga8
nodejs-devel-18.16.1-1.mga8
nodejs-debuginfo-18.16.1-1.mga8
v8-devel-10.2.154.26.mga8-2.mga8
nodejs-libs-18.16.1-1.mga8

from nodejs-18.16.1-1.mga8.src.rpm
Status comment: Fixed upstream in 16.20.1 and 18.16.1 => (none)
Hi

Sorry, I was behind with the advisory. Here it is.

ADVISORY NOTICE PROPOSAL
========================

Updated nodejs packages fix security vulnerabilities, while switching to the latest LTS

Description

The current nodejs 14 branch in Mageia 8 is end of life and there are no more security updates. This release allows moving to the new nodejs 18 LTS branch and fixes the following CVEs:

* CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
* CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
* CVE-2023-30588: Process interruption due to invalid Public Key information in x509 certificates (Medium)
* CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
* CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
* OpenSSL Security Releases
  - OpenSSL security advisory 28th March.
  - OpenSSL security advisory 20th April.
  - OpenSSL security advisory 30th May
* c-ares vulnerabilities:
  - GHSA-9g78-jv2r-p7vc
  - GHSA-8r8p-23f3-64c2
  - GHSA-54xr-f67r-4pc4
  - GHSA-x6mf-cxr9-8q6v

References
https://bugs.mageia.org/show_bug.cgi?id=32047
https://github.com/nodejs/node/releases/tag/v18.16.1
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/

SRPMS
8/core
nodejs-18.16.1-1.mga8.src.rpm

PROVIDED PACKAGES:
nodejs-docs-18.16.1-1.mga8
nodejs-libs-18.16.1-1.mga8
nodejs-devel-18.16.1-1.mga8
nodejs-18.16.1-1.mga8
v8-devel-10.2.154.26.mga8-2.mga8
npm-9.5.1-1.18.16.1.1.mga8

PACKAGES FOR QA TESTING
=======================

x86_64:
v8-devel-10.2.154.26.mga8-2.mga8.x86_64.rpm
nodejs-devel-18.16.1-1.mga8.x86_64.rpm
nodejs-18.16.1-1.mga8.x86_64.rpm
npm-9.5.1-1.18.16.1.1.mga8.x86_64.rpm
nodejs-docs-18.16.1-1.mga8.noarch.rpm
nodejs-libs-18.16.1-1.mga8.x86_64.rpm

i586:
v8-devel-10.2.154.26.mga8-2.mga8.i586.rpm
nodejs-devel-18.16.1-1.mga8.i586.rpm
nodejs-18.16.1-1.mga8.i586.rpm
npm-9.5.1-1.18.16.1.1.mga8.i586.rpm
nodejs-docs-18.16.1-1.mga8.noarch.rpm
nodejs-libs-18.16.1-1.mga8.i586.rpm
(In reply to Joseph Wang from comment #12)
> Also if you want to take ownership of any of the nodejs-packages, let me
> know.

Hi Joseph. I just took the maintainer role for nodejs. I will wait before taking more. I don't want to take too much and not deliver according to expectations.
Mageia 8

Installed the 64-bit packages and updated them OK. Referred to bug 30887 for testing notes.

$ npm ls -g
/usr/lib
├── corepack@0.17.0
└── npm@9.5.1

$ npm ls
/home/lcl/qa/nodejs
└── (empty)

$ npm install express

added 58 packages in 5s

8 packages are looking for funding
  run `npm fund` for details
npm notice
npm notice New minor version of npm available! 9.5.1 -> 9.7.2
npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.7.2
npm notice Run npm install -g npm@9.7.2 to update!
npm notice

$ npm ls
nodejs@ /home/lcl/qa/nodejs
└── express@4.18.2

Note that this differs from previous tests in that only one module is installed locally.

Documentation at /usr/share/doc/nodejs; in particular: /usr/share/doc/nodejs/npm/docs/content/commands

Tried creating user node_modules directory then

$ npm install express5

up to date, audited 59 packages in 553ms

8 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ ls node_modules
accepts/             etag/           merge-descriptors/  safe-buffer/
array-flatten/       express/        methods/            safer-buffer/
body-parser/         finalhandler/   mime/               send/
bytes/               forwarded/      mime-db/            serve-static/
call-bind/           fresh/          mime-types/         setprototypeof/
content-disposition/ function-bind/  ms/                 side-channel/
content-type/        get-intrinsic/  negotiator/         statuses/
cookie/              has/            object-inspect/     toidentifier/
cookie-signature/    has-proto/      on-finished/        type-is/
debug/               has-symbols/    parseurl/           unpipe/
depd/                http-errors/    path-to-regexp/     utils-merge/
destroy/             iconv-lite/     proxy-addr/         vary/
ee-first/            inherits/       qs/
encodeurl/           ipaddr.js/      range-parser/
escape-html/         media-typer/    raw-body/

$ node main.js
Server running at http://127.0.0.1:8081/

Checked http://localhost:8081
Hello World <displayed in browser>

$ npm install print-code

added 10 packages, and audited 69 packages in 5s

8 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

Started interactive session:

$ node --print-code
<dumps code stream to the terminal>
> 1 + 1;
2
> var a = 23;
> var b = 8;
> a + b;
31
> a * b;
184
> .load main.js;
Server running at http://127.0.0.1:8081/
undefined
<< "Hello World" appears in browser pointed at localhost:8081 >>
> .exit
$

Closes down server.

$ urpmq --whatrequires nodejs | sort -u | grep -v nodejs
jupyter-jupyterlab
npm
python3-jupyterlab
ruby-execjs
uglify-js1
ycssmin

Well, npm works OK. Sending this on for 64-bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
Created attachment 13899: helloworld script for nodejs

Runs a server in a terminal and shows message at localhost:8081.
Validating. Advisory in comment 15.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0226.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED