https://github.com/nodejs/node/releases/tag/v18.17.1
Blocks: (none) => 28809
Whiteboard: (none) => MGA8TOO
ADVISORY NOTICE PROPOSAL
========================

Updated nodejs 18.17.1 packages fix security vulnerabilities

Description
This is a security release. As well, it fixes v8 headers detection (mga#28809)

The following CVEs are fixed in this release:
CVE-2023-32002: Policies can be bypassed via Module._load (High)
CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
CVE-2023-32559: Policies can be bypassed via process.binding (Medium)

OpenSSL Security Releases
OpenSSL security advisory 14th July.
OpenSSL security advisory 19th July.
OpenSSL security advisory 31st July

More detailed information on each of the vulnerabilities can be found in the August 2023 Security Releases blog post.

References
https://bugs.mageia.org/show_bug.cgi?id=32176
https://bugs.mageia.org/show_bug.cgi?id=28809
https://github.com/nodejs/node/releases/tag/v18.17.1
https://github.com/nodejs/node/releases/tag/v18.17.0

SRPMS for MGA8
8/core
nodejs-18.17.1-1.mga8.src.rpm

SRPMS for MGA9
9/core
nodejs-18.17.1-1.mga9.src.rpm

PROVIDED PACKAGES FOR MGA8:
nodejs-docs-18.17.1-1.mga8
nodejs-libs-18.17.1-1.mga8
nodejs-devel-18.17.1-1.mga8
nodejs-18.17.1-1.mga8
v8-devel-10.2.154.26.mga8-3.mga8
npm-9.6.7-1.18.17.1.1.mga8

PROVIDED PACKAGES FOR MGA9:
nodejs-docs-18.17.1-1.mga9
nodejs-libs-18.17.1-1.mga9
nodejs-devel-18.17.1-1.mga9
nodejs-18.17.1-1.mga9
v8-devel-10.2.154.26.mga9-3.mga9
npm-9.6.7-1.18.17.1.1.mga9

PACKAGES FOR QA TESTING
=======================

MGA8 x86_64:
v8-devel-10.2.154.26.mga8-3.mga8.x86_64.rpm
nodejs-devel-18.17.1-1.mga8.x86_64.rpm
nodejs-18.17.1-1.mga8.x86_64.rpm
npm-9.6.7-1.18.17.1.1.mga8.x86_64.rpm
nodejs-docs-18.17.1-1.mga8.noarch.rpm
nodejs-libs-18.17.1-1.mga8.x86_64.rpm

MGA8 i586:
v8-devel-10.2.154.26.mga8-3.mga8.i586.rpm
nodejs-devel-18.17.1-1.mga8.i586.rpm
nodejs-18.17.1-1.mga8.i586.rpm
npm-9.6.7-1.18.17.1.1.mga8.i586.rpm
nodejs-docs-18.17.1-1.mga8.noarch.rpm
nodejs-libs-18.17.1-1.mga8.i586.rpm

MGA9 x86_64:
v8-devel-10.2.154.26.mga9-3.mga9.x86_64.rpm
nodejs-devel-18.17.1-1.mga9.x86_64.rpm
nodejs-18.17.1-1.mga9.x86_64.rpm
npm-9.6.7-1.18.17.1.1.mga9.x86_64.rpm
nodejs-docs-18.17.1-1.mga9.noarch.rpm
nodejs-libs-18.17.1-1.mga9.x86_64.rpm

MGA9 i586:
v8-devel-10.2.154.26.mga9-3.mga9.i586.rpm
nodejs-devel-18.17.1-1.mga9.i586.rpm
nodejs-18.17.1-1.mga9.i586.rpm
npm-9.6.7-1.18.17.1.1.mga9.i586.rpm
nodejs-docs-18.17.1-1.mga9.noarch.rpm
nodejs-libs-18.17.1-1.mga9.i586.rpm
Ready for QA!
Assignee: chb0 => qa-bugs
Status: NEW => ASSIGNED
I can't get to blog.nodejs.org because of SSL_ERROR_RX_RECORD_TOO_LONG, but there should also be an upstream advisory there to include in the references.
(In reply to David Walser from comment #3)
> I can't get to blog.nodejs.org because of SSL_ERROR_RX_RECORD_TOO_LONG, but
> there should also be an upstream advisory there to include in the references.

This one? https://nodejs.org/en/blog/vulnerability/august-2023-security-releases
Yep.
Severity: normal => critical
MGA8-64 MATE on Acer Aspire 5253
No installation issues

Ref bug 32047 for testing:

$ npm ls -g
/usr/lib
├── corepack@0.18.0
└── npm@9.6.7

$ npm ls
/home/tester8/Documents/testnodejs
└── (empty)

$ npm install express
added 58 packages in 15s
8 packages are looking for funding
  run `npm fund` for details
npm notice
npm notice New minor version of npm available! 9.6.7 -> 9.8.1
npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.8.1
npm notice Run npm install -g npm@9.8.1 to update!
npm notice

$ npm ls
testnodejs@ /home/tester8/Documents/testnodejs
└── express@4.18.2

$ npm install express5
npm WARN deprecated string-similarity@4.0.4: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
added 47 packages, and audited 106 packages in 22s
11 packages are looking for funding
  run `npm fund` for details
found 0 vulnerabilities

$ ls node_modules
abstract-logging/ fast-decode-uri-component/ lru-cache/ reusify/
accepts/ fast-deep-equal/ media-typer/ rfdc/
ajv/ '@fastify'/ merge-descriptors/ safe-buffer/
archy/ fastify/ methods/ safer-buffer/
array-flatten/ fast-json-stable-stringify/ mime/ safe-regex2/
atomic-sleep/ fast-json-stringify/ mime-db/ secure-json-parse/
avvio/ fastq/ mime-types/ semver/
body-parser/ fast-redact/ ms/ semver-store/
bytes/ fast-safe-stringify/ negotiator/ send/
call-bind/ finalhandler/ object-inspect/ serve-static/
content-disposition/ find-my-way/ on-finished/ set-cookie-parser/
content-type/ flatstr/ parseurl/ setprototypeof/
cookie/ forwarded/ path-to-regexp/ side-channel/
cookie-signature/ fresh/ pino/ sonic-boom/
debug/ function-bind/ pino-std-serializers/ statuses/
deepmerge/ get-intrinsic/ process-warning/ string-similarity/
depd/ has/ proxy-addr/ tiny-lru/
destroy/ has-proto/ punycode/ toidentifier/
ee-first/ has-symbols/ qs/ type-is/
encodeurl/ http-errors/ queue-microtask/ unpipe/
escape-html/ iconv-lite/ quick-format-unescaped/ uri-js/
etag/ inherits/ range-parser/ utils-merge/
express/ ipaddr.js/ raw-body/ vary/
express5/ json-schema-traverse/ require-from-string/ yallist/
fast-content-type-parse/ light-my-request/ ret/

[tester8@mach7 testnodejs]$ node main.js
Different from before, I get no feedback on the CLI, but
Checked http://localhost:8081
Hello World <displayed in browser>

$ npm install print-code
added 10 packages, and audited 116 packages in 9s
11 packages are looking for funding
  run `npm fund` for details
found 0 vulnerabilities

$ node --print-code
<dumps code stream to the terminal>
and from here I deviate from bug 32047 in that after every first character of a command, I get a dump of code; when continuing the command, I get the correct result.
nodejs seems to work out in some other complicated way than before ????
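The QA procedure above exercises npm and a small Express app, but it never confirms that the binaries being exercised are the fixed versions named in the advisory. The following script is an added example, not part of the bug report or of the Mageia packaging: it compares the versions reported by `node -v` and `npm -v` against the advisory's fixed versions (nodejs 18.17.1, npm 9.6.7) with a plain POSIX sh field-by-field comparison, and also prints the OpenSSL version node was built against so it can be checked by hand against the three July OpenSSL advisories (the advisory gives no OpenSSL version number, so no threshold is asserted for it). The `--print-code` flag that puzzled comment 6 is handed through to the V8 engine, which then prints the machine code it generates for each function it compiles, so the script deliberately runs plain `node`. The function and threshold names are this example's own.

```sh
#!/bin/sh
# Added example (not from the bug report): check that the installed node and
# npm are at least the fixed versions listed in the advisory.

# Fixed versions taken from the advisory text on this bug.
NODE_FIXED=18.17.1
NPM_FIXED=9.6.7

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise.
# A leading "v" (as printed by `node -v`) is stripped; missing fields count as 0.
version_ge() {
    v1="${1#v}." v2="${2#v}."
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        x=${v1%%.*}; v1=${v1#*.}
        y=${v2%%.*}; v2=${v2#*.}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# node_is_fixed [VERSION]: 0 if VERSION (default: `node -v`) is >= NODE_FIXED.
node_is_fixed() {
    v=${1:-$(node -v 2>/dev/null)}
    version_ge "$v" "$NODE_FIXED"
}

# npm_is_fixed [VERSION]: 0 if VERSION (default: `npm -v`) is >= NPM_FIXED.
npm_is_fixed() {
    v=${1:-$(npm -v 2>/dev/null)}
    version_ge "$v" "$NPM_FIXED"
}

# report: human-readable summary; only runs when node is actually installed.
report() {
    if ! command -v node >/dev/null 2>&1; then
        echo "node not installed on this host"
        return 0
    fi
    nv=$(node -v); npv=$(npm -v 2>/dev/null || echo 0)
    if node_is_fixed "$nv"; then echo "node $nv: OK (>= $NODE_FIXED)"; else echo "node $nv: NOT FIXED (< $NODE_FIXED)"; fi
    if npm_is_fixed "$npv"; then echo "npm $npv: OK (>= $NPM_FIXED)"; else echo "npm $npv: NOT FIXED (< $NPM_FIXED)"; fi
    # No threshold is asserted for OpenSSL: the advisory names July advisories, not a version.
    echo "bundled OpenSSL: $(node -p process.versions.openssl)"
}

report
```

On a host updated from updates_testing the report should print OK for both node and npm; on a host still at nodejs 18.16.1 the node line reads NOT FIXED, which is the signal that the package did not actually get replaced.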
CC: (none) => herman.viaene
The package will need to be resubmitted to the build system as it is not in updates testing for m9.
Keywords: (none) => feedback
Version: Cauldron => 9
CC: (none) => davidwhodgins
(In reply to Herman Viaene from comment #6)
> $ node --print-code
> <dumps code stream to the terminal>
> and from here I deviate from bug 32047 in that after every first
> character of a command, I get a dump of code; when continuing the command, I
> get the correct result.
> nodejs seems to work out in some other complicated way than before ????

If you run node instead of node --print-code, all the verification procedure works fine. Only thing is you should type .load main.js instead of .load main.js; I don't know why the semicolon should now be removed.
I am not familiar either with what --print-code is for. Actually, I have found nothing about it on the node man page and on the web?

(In reply to Dave Hodgins from comment #7)
> The package will need to be resubmitted to the build system as it
> is not in updates testing for m9.

Ok, I resubmit it.
Source RPM: nodejs-18.16.1-2.mga9.src.rpm => nodejs-18.16.1-2.mga9.src.rpm,yarnpkg-1.22.19-11.mga9.src.rpm
Hi I had to resubmit both MGA9 and Cauldron. MGA9 is ready for QA. I rebuilt yarnpkg to use the updated npm. Should I add it to the list of packages in the Advisory?
Keywords: feedback => (none)
Yes
Everything is now ready for QA validation.

ADVISORY NOTICE PROPOSAL (UPDATE)
========================

Updated nodejs 18.17.1 packages fix security vulnerabilities

Description
This is a security release. As well, it fixes v8 headers detection (mga#28809)

The following CVEs are fixed in this release:
CVE-2023-32002: Policies can be bypassed via Module._load (High)
CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
CVE-2023-32559: Policies can be bypassed via process.binding (Medium)

OpenSSL Security Releases
OpenSSL security advisory 14th July.
OpenSSL security advisory 19th July.
OpenSSL security advisory 31st July

More detailed information on each of the vulnerabilities can be found in the August 2023 Security Releases blog post.

References
https://bugs.mageia.org/show_bug.cgi?id=32176
https://bugs.mageia.org/show_bug.cgi?id=28809
https://github.com/nodejs/node/releases/tag/v18.17.1
https://github.com/nodejs/node/releases/tag/v18.17.0

SRPMS for MGA8
8/core
nodejs-18.17.1-1.mga8.src.rpm

SRPMS for MGA9
9/core
nodejs-18.17.1-1.mga9.src.rpm
yarnpkg-1.22.19-13.mga9.src.rpm

PROVIDED PACKAGES FOR MGA8:
nodejs-docs-18.17.1-1.mga8
nodejs-libs-18.17.1-1.mga8
nodejs-devel-18.17.1-1.mga8
nodejs-18.17.1-1.mga8
v8-devel-10.2.154.26.mga8-3.mga8
npm-9.6.7-1.18.17.1.1.mga8

PROVIDED PACKAGES FOR MGA9:
nodejs-docs-18.17.1-1.mga9
nodejs-libs-18.17.1-1.mga9
nodejs-devel-18.17.1-1.mga9
nodejs-18.17.1-1.mga9
v8-devel-10.2.154.26.mga9-3.mga9
npm-9.6.7-1.18.17.1.1.mga9
yarnpkg-1.22.19-13.mga9

PACKAGES FOR QA TESTING
=======================

MGA8 x86_64:
v8-devel-10.2.154.26.mga8-3.mga8.x86_64.rpm
nodejs-devel-18.17.1-1.mga8.x86_64.rpm
nodejs-18.17.1-1.mga8.x86_64.rpm
npm-9.6.7-1.18.17.1.1.mga8.x86_64.rpm
nodejs-docs-18.17.1-1.mga8.noarch.rpm
nodejs-libs-18.17.1-1.mga8.x86_64.rpm

MGA8 i586:
v8-devel-10.2.154.26.mga8-3.mga8.i586.rpm
nodejs-devel-18.17.1-1.mga8.i586.rpm
nodejs-18.17.1-1.mga8.i586.rpm
npm-9.6.7-1.18.17.1.1.mga8.i586.rpm
nodejs-docs-18.17.1-1.mga8.noarch.rpm
nodejs-libs-18.17.1-1.mga8.i586.rpm

MGA9 x86_64:
v8-devel-10.2.154.26.mga9-3.mga9.x86_64.rpm
nodejs-devel-18.17.1-1.mga9.x86_64.rpm
nodejs-18.17.1-1.mga9.x86_64.rpm
npm-9.6.7-1.18.17.1.1.mga9.x86_64.rpm
nodejs-docs-18.17.1-1.mga9.noarch.rpm
nodejs-libs-18.17.1-1.mga9.x86_64.rpm
yarnpkg-1.22.19-13.mga9.noarch.rpm

MGA9 i586:
v8-devel-10.2.154.26.mga9-3.mga9.i586.rpm
nodejs-devel-18.17.1-1.mga9.i586.rpm
nodejs-18.17.1-1.mga9.i586.rpm
npm-9.6.7-1.18.17.1.1.mga9.i586.rpm
nodejs-docs-18.17.1-1.mga9.noarch.rpm
nodejs-libs-18.17.1-1.mga9.i586.rpm
Repeating the tests as above in comment 6 and taking the remarks of comment 8 into account, I am now getting the same results as in bug 32047. So good to go.
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
Thanks Herman What is still required to push this security update?
Nothing from me, I OK'ed it.
Herman, did you test m9 as well or does that still need to be done?
No, my laptop can run only one version at a time.
m9 x86_64. Installed npm, nodejs and nodejs-libs. Used qarepo to make the x86_64 packages from comment 11 available and installed the updates. Updates installed cleanly. Repeated tests from comment 6 with same results. Validating the update.
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
Blocks: (none) => 32309
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0264.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Hi. For MGA9, you need also to push yarnpkg. Thanks
(In reply to christian barranco from comment #19)
> Hi. For MGA9, you need also to push yarnpkg.
> Thanks

If this bug depends on that, I think it should be reopened. If not, create a separate bug.
CC: (none) => fri
Hi Morgan It had already been added to the source field. Isn’t it enough?
Comments 9 and 10 have mentioned it + advisory
Yes, you're right Christian. It just will need to be added to the SVN advisory.
- MID AIR COLLISION -

Ah, now I understand. yarnpkg-1.22.19-13.mga9.noarch.rpm is still in core/updates_testing/ - for both i586 and x86_64. But the other packages got pushed. The advisory is correct. So something failed in the script or in manual handling.

This bug is marked fixed, indicating nothing more to be done. Reopening to get yarnpkg-1.22.19-13.mga9.noarch.rpm moved - for both i586 and x86_64.
Resolution: FIXED => (none)
Status: RESOLVED => REOPENED
Thanks Morgan

As the advisory might have not been clear enough for yarnpkg, here is an update:

ADVISORY NOTICE PROPOSAL (UPDATE)
========================
yarnpkg package rebuilt with npm 9.6.7

Description
yarnpkg package rebuilt with npm 9.6.7, after updating to nodejs 18.17.1

References
https://bugs.mageia.org/show_bug.cgi?id=32176

SRPMS
9/core
yarnpkg-1.22.19-13.mga9.src.rpm

PROVIDED PACKAGES:
yarnpkg-1.22.19-13.mga9

PACKAGES FOR QA TESTING
=======================
MGA9
yarnpkg-1.22.19-13.mga9.noarch.rpm
(In reply to christian barranco from comment #25)
> Thanks Morgan
>
> As the advisory might have not been clear enough for yarnpkg, here is an
> update:
>
> ADVISORY NOTICE PROPOSAL (UPDATE)
> ========================
> yarnpkg package rebuilt with npm 9.6.7
>
> Description
> yarnpkg package rebuilt with npm 9.6.7, after updating to nodejs 18.17.1
>
> References
> https://bugs.mageia.org/show_bug.cgi?id=32176
>
> SRPMS
> 9/core
> yarnpkg-1.22.19-13.mga9.src.rpm
>
> PROVIDED PACKAGES:
> yarnpkg-1.22.19-13.mga9
>
> PACKAGES FOR QA TESTING
> =======================
> MGA9
> yarnpkg-1.22.19-13.mga9.noarch.rpm

Sorry, I find it too confusing to add this to the advisory, now that the updated nodejs has already been released. I'll create a new bug report, upload a new advisory asap with only this in it, and will tag it as validated_update.
CC: (none) => marja11
Blocks: (none) => 32341
*** Bug 32341 has been marked as a duplicate of this bug. ***
Just add yarnpkg to the SRPMS list in the SVN advisory. The advisory text should not need to be changed.
(In reply to David Walser from comment #28)
> Just add yarnpkg to the SRPMS list in the SVN advisory. The advisory text
> should not need to be changed.

Done, only wrote modejs in the commit message :-(
(In reply to David Walser from comment #28)
> Just add yarnpkg to the SRPMS list in the SVN advisory. The advisory text
> should not need to be changed.

(In reply to Marja Van Waes from comment #29)
> (In reply to David Walser from comment #28)
> > Just add yarnpkg to the SRPMS list in the SVN advisory. The advisory text
> > should not need to be changed.
>
> Done, only wrote modejs in the commit message :-(

https://svnweb.mageia.org/advisories/32176.adv?r1=14987&r2=15011

So why doesn't it work? Neoclust has pushed updates twice since I added that line. However yarnpkg still isn't in updates:
http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/9/SRPMS/core/updates/
Nicolas, could you please move yarnpkg to updates?
CC: (none) => mageia
should be OK now.
I confirm yarnpkg-1.22.19-13.mga9.noarch.rpm is now on updates. What is the next step? Close as fixed?
Yep. Thanks Nicolas!
Thanks all!
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED