Bug 32861 - updated Nodejs 18.19.1 fixes CVE-2024-21892 CVE-2024-22019 CVE-2023-46809 CVE-2024-22025
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2024-02-17 08:24 CET by christian barranco
Modified: 2024-02-22 23:21 CET (History)

See Also:
Source RPM: nodejs-18.18.2-1.mga9.src.rpm,yarnpkg-1.22.19-14.mga9.src.rpm
CVE: CVE-2024-21892,CVE-2024-22019,CVE-2023-46809,CVE-2024-22025
Status comment:



Description christian barranco 2024-02-17 08:24:27 CET
18.19.1 upstream release to fix CVEs

https://github.com/nodejs/node/releases/tag/v18.19.1
christian barranco 2024-02-17 08:24:52 CET

CVE: (none) => CVE-2024-21892,CVE-2024-22019,CVE-2023-46809,CVE-2024-22025

Comment 1 christian barranco 2024-02-17 16:35:30 CET
ADVISORY NOTICE PROPOSAL
========================
Updated nodejs 18.19.1 packages fix security vulnerabilities


Description

This is a security release. The following CVEs are fixed in this release:
CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities (High)
CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (High)
CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)

More detailed information on each of the vulnerabilities can be found in the February 2024 Security Releases blog post.


Also, the following is updated:
undici version 5.28.3
npm version 10.2.4

The yarn package is then updated to 1.12.21 and built with npm 10.2.4.

References
https://bugs.mageia.org/show_bug.cgi?id=32861
https://github.com/nodejs/node/releases/tag/v18.19.1
https://github.com/nodejs/node/releases/tag/v18.19.0
https://github.com/yarnpkg/yarn/releases/tag/v1.22.21
https://github.com/yarnpkg/yarn/releases/tag/v1.22.20
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22025

SRPMS for MGA9
9/core
nodejs-18.19.1-1.mga9.src.rpm
yarnpkg-1.22.21-0.10.2.4.1.mga9.src.rpm

PACKAGES FOR QA TESTING
=======================
x86_64:
v8-devel-10.2.154.26.mga9-5.mga9.x86_64.rpm
nodejs-devel-18.19.1-1.mga9.x86_64.rpm
nodejs-18.19.1-1.mga9.x86_64.rpm
npm-10.2.4-1.18.19.1.1.mga9.x86_64.rpm
nodejs-docs-18.19.1-1.mga9.noarch.rpm
nodejs-libs-18.19.1-1.mga9.x86_64.rpm
yarnpkg-1.22.21-0.10.2.4.1.mga9.noarch.rpm

i586:
v8-devel-10.2.154.26.mga9-5.mga9.i586.rpm
nodejs-devel-18.19.1-1.mga9.i586.rpm
nodejs-18.19.1-1.mga9.i586.rpm
npm-10.2.4-1.18.19.1.1.mga9.i586.rpm
nodejs-docs-18.19.1-1.mga9.noarch.rpm
nodejs-libs-18.19.1-1.mga9.i586.rpm
yarnpkg-1.22.21-0.10.2.4.1.mga9.noarch.rpm
katnatek 2024-02-17 17:27:50 CET

Keywords: (none) => advisory

Comment 2 christian barranco 2024-02-17 17:36:58 CET
Ready for QA!

Assignee: chb0 => qa-bugs

christian barranco 2024-02-17 17:38:30 CET

CC: (none) => herman.viaene

Comment 3 katnatek 2024-02-17 20:34:40 CET
Tested on real hardware, Mageia 9 x86_64.

I have the MLO repositories, so in the previous update I got the MLO version of these packages.

installing nodejs-18.19.1-1.mga9.x86_64.rpm npm-10.2.4-1.18.19.1.1.mga9.x86_64.rpm nodejs-libs-18.19.1-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ###################################################################################################
      1/3: nodejs-libs           ###################################################################################################
      2/3: npm                   ###################################################################################################
      3/3: nodejs                ###################################################################################################
      1/3: removing nodejs-1:18.19.1-0.squidf.mlo9.x86_64
                                 ###################################################################################################
      2/3: removing npm-1:10.2.4-1.18.19.1.0.squidf.mlo9.x86_64
                                ###################################################################################################
      3/3: removing nodejs-libs-1:18.19.1-0.squidf.mlo9.x86_64
                                 ###################################################################################################

I don't know if this counts as a valid test, because we used to test the update from Mageia packages to Mageia packages.
Comment 4 christian barranco 2024-02-17 20:44:30 CET
Thanks katnatek for your test.

It is exactly the same packages between MLO and MGA. I put it first in MLO to test it and to build signal-desktop with it.

The installation should not be an issue. What is more important is to test the package itself.
One way to test it is to follow: https://bugs.mageia.org/show_bug.cgi?id=29872#c15

CC: (none) => tarazed25

Comment 5 katnatek 2024-02-17 21:54:06 CET
npm ls -g
/usr/lib
├── corepack@0.22.0
└── npm@10.2.4

I tested the server.js in https://nodejs.org/en/learn/getting-started/introduction-to-nodejs

node server.js 
Server running at http://127.0.0.1:3000/

Opening the link in my browser, I see

Hello World
Comment 6 christian barranco 2024-02-17 21:57:16 CET
(In reply to katnatek from comment #5)
> npm ls -g
> /usr/lib
> ├── corepack@0.22.0
> └── npm@10.2.4
> 
> I test the server.js in
> https://nodejs.org/en/learn/getting-started/introduction-to-nodejs
> 
> node server.js 
> Server running at http://127.0.0.1:3000/
> 
> Opening the link in my browser, I see
> 
> Hello World

Success ;)
Comment 7 katnatek 2024-02-20 20:34:51 CET
Search on other bugs
npm install express

added 64 packages, and audited 75 packages in 4s

12 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

npm install print-code

added 10 packages in 4s
npm notice 
npm notice New minor version of npm available! 10.2.4 -> 10.4.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v10.4.0
npm notice Run npm install -g npm@10.4.0 to update!
npm notice 

I try reproduce https://bugs.mageia.org/show_bug.cgi?id=32047#c17

node --print-code

but i get
Each type, but once I press Enter the result of the operation is correct. What do you think, christian barranco?
katnatek 2024-02-22 01:55:13 CET

CC: (none) => andrewsfarm

Comment 8 katnatek 2024-02-22 01:57:29 CET
OK I repeat but this time just run

node 

instead of

node --print-code

And I do not get all the extra output in the terminal, so I guess it is a sort of debug mode?
Comment 9 Len Lawrence 2024-02-22 10:00:26 CET
(In reply to katnatek in comment 8)
Yes, the extra output is the underlying code-stream, probably useful to developers and bug-spotters.
Comment 10 christian barranco 2024-02-22 21:42:27 CET
Hi. Sorry, I have been busy trying to find a way to get a direction for Chromium.

I confirm Len's analysis.

On my side, I have been using this nodejs version without any issue to build signal-desktop.

As it is a security update, I advise giving the OK rather quickly now.
Comment 11 katnatek 2024-02-22 21:51:38 CET
I leave the validation to Thomas.

Whiteboard: (none) => MGA9-64-OK

Comment 12 Thomas Andrews 2024-02-22 22:42:30 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 13 Mageia Robot 2024-02-22 23:21:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0046.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
