https://github.com/nodejs/node/releases/tag/v18.18.2
Source RPM: nodejs-18.17.1-1.mga9.src.rpm => nodejs-18.17.1-1.mga9.src.rpm,yarnpkg-1.22.19-13.mga9.src.rpm
Ready for QA!

ADVISORY NOTICE PROPOSAL
========================

Updated nodejs 18.18.2 packages fix security vulnerabilities

Description
This is a security release.
The following CVEs are fixed in this release:
CVE-2023-44487: nghttp2 Security Release (High)
CVE-2023-45143: undici Security Release (High)
CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
CVE-2023-39333: Code injection via WebAssembly export names (Low)
More detailed information on each of the vulnerabilities can be found in October 2023 Security Releases blog post.

References
https://bugs.mageia.org/show_bug.cgi?id=32403
https://github.com/nodejs/node/releases/tag/v18.18.2
https://github.com/nodejs/node/releases/tag/v18.18.1
https://nodejs.org/en/blog/vulnerability/october-2023-security-releases

SRPMS for MGA9
9/core
nodejs-18.18.2-1.mga9.src.rpm
yarnpkg-1.22.19-14.mga9.src.rpm

PROVIDED PACKAGES:
nodejs-docs-18.18.2-1.mga9
nodejs-libs-18.18.2-1.mga9
nodejs-devel-18.18.2-1.mga9
nodejs-18.18.2-1.mga9
v8-devel-10.2.154.26.mga9-4.mga9
npm-9.8.1-1.18.18.2.1.mga9
yarnpkg-1.22.19-14.mga9

PACKAGES FOR QA TESTING
=======================

x86_64:
v8-devel-10.2.154.26.mga9-4.mga9.x86_64.rpm
nodejs-devel-18.18.2-1.mga9.x86_64.rpm
nodejs-18.18.2-1.mga9.x86_64.rpm
npm-9.8.1-1.18.18.2.1.mga9.x86_64.rpm
nodejs-docs-18.18.2-1.mga9.noarch.rpm
nodejs-libs-18.18.2-1.mga9.x86_64.rpm
yarnpkg-1.22.19-14.mga9.noarch.rpm

i586:
v8-devel-10.2.154.26.mga9-4.mga9.i586.rpm
nodejs-devel-18.18.2-1.mga9.i586.rpm
nodejs-18.18.2-1.mga9.i586.rpm
npm-9.8.1-1.18.18.2.1.mga9.i586.rpm
nodejs-docs-18.18.2-1.mga9.noarch.rpm
nodejs-libs-18.18.2-1.mga9.i586.rpm
Assignee: chb0 => qa-bugs
CC: (none) => herman.viaene
Mageia9, x86_64

$ npm ls -g
/usr/lib
├── corepack@0.18.0
├── npm@9.6.7
└── yarn@1.22.19

$ npm ls
nodejs@ /run/media/lcl/Toshiba/qa/nodejs
├── express@4.18.2
└── print-code@1.0.2

$ npm install abbrev

added 1 package, and audited 70 packages in 723ms

8 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
npm notice
npm notice New major version of npm available! 9.6.7 -> 10.2.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v10.2.0
npm notice Run npm install -g npm@10.2.0 to update!
npm notice

$ npm ls
nodejs@ /run/media/lcl/Toshiba/qa/nodejs
├── abbrev@2.0.0
├── express@4.18.2
└── print-code@1.0.2

$ npm search express
NAME               | DESCRIPTION         | AUTHOR         | DATE
express            | Fast,…              | =mikeal…       | 2022-10-08
express-validator  | Express middleware… | =ctavan…       | 2023-04-16
path-to-regexp     | Express style path… | =blakeembrey…  | 2022-05-06
express-handlebars | A Handlebars view…  | =ericf =sahat… | 2023-08-08
express-http-proxy | http proxy…         | =villadora…    | 2023-09-04
........

$ cat main.js
var http = require("http");

http.createServer(function (request, response) {
   // Send the HTTP header
   // HTTP Status: 200 : OK
   // Content Type: text/plain
   response.writeHead(200, {'Content-Type': 'text/plain'});

   // Send the response body as "Hello World"
   response.end('Hello World\n');
}).listen(8081);

// Console will print the message
console.log('Server running at http://127.0.0.1:8081/');
// $ node main.js
// Check http://localhost:8081/

$ node main.js
Server running at http://127.0.0.1:8081/

Pointing a web browser at http://localhost:8081 shows the "Hello World" message on a new page.
Tried adding a function:

$ cat mydate.js
exports.myDateTime = function () {
  return Date();
};

$ cat newbie.js
const http = require('http');
var dt = require('./mydate');

const hostname = '127.0.0.1';
const port = 3000;

const server = http.createServer((req, res) => {
  res.statusCode = 200;
  res.setHeader('Content-Type', 'text/plain');
  res.end('Hello World\n');
});

server.listen(port, hostname, () => {
  console.log(`Server running at http://${hostname}:${port}/`);
});

http.createServer(function (req, res) {
  res.writeHead(200, {'Content-Type': 'text/html'});
  res.write("The date and time are currently: " + dt.myDateTime());
  res.end();
}).listen(8080);

$ node newbie.js
Server running at http://127.0.0.1:3000/

This shows the helloworld page at localhost:3000 and the current date and time on another web page at localhost:8080.
This is pretty basic but I do not intend taking it any further.

Trying an interactive session:

$ node
Welcome to Node.js v18.18.2.
Type ".help" for more information.
> .load newbie.js
const http = require('http');
[...]
> Server running at http://127.0.0.1:3000/
<Checked time at localhost:8080>
.exit
$ node
> a = 77.1
77.1
> a**2
5944.409999999999
> .exit

$ urpmq --whatrequires nodejs | sort -u | grep -v nodejs
csslint
jupyter-jupyterlab
mediawiki
mediawiki-math
mkchromecast
notepadqq
npm
python3-jupyterlab
ruby-execjs
ruby-less
uglify-js
uglify-js1
ycssmin

Nothing there that is familiar territory. Letting this go since basic tests work.
CC: (none) => tarazed25
Whiteboard: (none) => MGA9-64-OK
Advisory from comment 1 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"
Keywords: (none) => advisory
CC: (none) => marja11
I would say there is not a lot required to test this security update within the same branch. If nobody wants to test it quickly from now, I recommend to validate and push it.
Thank you for the input, Christian. Too often QA testers aren't familiar with the package being tested, and can use the advice on how to proceed. Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0299.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED