Bug 33415 - nodejs 22 new security issues CVE-2024-22020, CVE-2024-361[37-38], CVE-2024-22018, CVE-2024-37372
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-07-19 16:48 CEST by Nicolas Salguero
Modified: 2024-08-28 19:12 CEST
CC: 5 users

See Also:
Source RPM: nodejs-20.12.1-1.mga9.src.rpm, yarnpkg-1.22.22-0.10.5.0.1.mga9.src.rpm
CVE: CVE-2024-22020, CVE-2024-36137, CVE-2024-36138, CVE-2024-22018, CVE-2024-37372
Status comment:


Description Nicolas Salguero 2024-07-19 16:48:06 CEST
Those CVEs were announced here:
https://nodejs.org/en/blog/vulnerability/july-2024-security-releases
Nicolas Salguero 2024-07-19 16:48:48 CEST

CVE: (none) => CVE-2024-22020, CVE-2024-36137, CVE-2024-22018
Source RPM: (none) => nodejs-20.12.1-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 20.15.1

Comment 1 Lewis Smith 2024-07-20 21:00:16 CEST
Assigning to you, Christian, as you look to be the updater of nodejs.

Assignee: bugsquad => chb0

Comment 2 katnatek 2024-07-20 21:42:58 CEST
(In reply to Lewis Smith from comment #1)
> Assigning to you, Christian, as you look to be the updater of nodejs.

Sorry, Christian recently stopped his contributions.

Assignee: chb0 => pkg-bugs

Comment 3 christian barranco 2024-08-19 13:30:49 CEST
Hi. I can support once more as it is a security update. 

I recommend switching to nodejs22, as it is becoming the new LTS branch and as there is no visibility on the MGA10 schedule.
I just updated Cauldron with nodejs22

CC: (none) => chb0
Assignee: pkg-bugs => chb0

Comment 4 Morgan Leijström 2024-08-20 01:43:35 CEST
Nice to see you Christian :)

CC: (none) => fri

Comment 5 christian barranco 2024-08-20 21:55:42 CEST
ADVISORY NOTICE PROPOSAL
========================
Nodejs 22.6.0 packages bring the new active LTS branch and fix vulnerabilities


Description
Nodejs 22 is the new active LTS branch and 5 CVEs are fixed.

    CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
    CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
    CVE-2024-22018 - fs.lstat bypasses permission model (Low)
    CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
    CVE-2024-37372 - Permission model improperly processes UNC paths (Low)


The yarn package is updated with npm 10.8.2.

           
References
https://bugs.mageia.org/show_bug.cgi?id=33415
https://github.com/nodejs/node/releases/tag/v22.6.0
https://github.com/nodejs/node/releases/tag/v22.5.1
https://github.com/nodejs/node/releases/tag/v22.5.0
https://github.com/nodejs/node/releases/tag/v22.4.1
https://github.com/nodejs/node/releases/tag/v22.4.0
https://github.com/nodejs/node/releases/tag/v22.3.0
https://github.com/nodejs/node/releases/tag/v22.2.0
https://github.com/nodejs/node/releases/tag/v22.1.0
https://github.com/nodejs/node/releases/tag/v22.0.0
https://github.com/yarnpkg/yarn/releases/tag/v1.22.22
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22018
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22020
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36137
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36138
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37372



SRPMS
9/core
nodejs-22.6.0-1.mga9.src.rpm
yarnpkg-1.22.22-0.10.8.2.1.mga9.src.rpm

    
PACKAGES FOR QA TESTING
=======================
For x86_64:
v8-devel-12.4.254.21.mga10-1.mga9.x86_64.rpm
nodejs-devel-22.6.0-1.mga9.x86_64.rpm
npm-10.8.2-1.22.6.0.1.mga9.x86_64.rpm
nodejs-22.6.0-1.mga9.x86_64.rpm
nodejs-docs-22.6.0-1.mga9.noarch.rpm
nodejs-libs-22.6.0-1.mga9.x86_64.rpm
yarnpkg-1.22.22-0.10.8.2.1.mga9.x86_64.rpm

CVE: CVE-2024-22020, CVE-2024-36137, CVE-2024-22018 => CVE-2024-22020, CVE-2024-36137, CVE-2024-36138, CVE-2024-22018, CVE-2024-37372
Summary: nodejs new security issues CVE-2024-22020, CVE-2024-36137, CVE-2024-22018 => nodejs 22 new security issues CVE-2024-22020, CVE-2024-361[37-38], CVE-2024-22018, CVE-2024-37372
Status comment: Fixed upstream in 20.15.1 => (none)
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)

christian barranco 2024-08-20 22:00:23 CEST

Source RPM: nodejs-20.12.1-1.mga9.src.rpm => nodejs-20.12.1-1.mga9.src.rpm, yarnpkg-1.22.22-0.10.5.0.1.mga9.src.rpm
CVE: CVE-2024-22020, CVE-2024-36137, CVE-2024-36138, CVE-2024-22018, CVE-2024-37372 => CVE-2024-22020, CVE-2024-36137, CVE-2024-36138, CVE-2024-22018, CVE-2024-37372

katnatek 2024-08-21 04:18:53 CEST

Keywords: (none) => advisory

Comment 6 christian barranco 2024-08-21 07:09:25 CEST
Ready for QA!

Assignee: chb0 => qa-bugs

Comment 7 katnatek 2024-08-21 19:42:07 CEST
Typo in the package list; here is the corrected list:

SRPMS
9/core
nodejs-22.6.0-1.mga9.src.rpm
yarnpkg-1.22.22-0.10.8.2.1.mga9.src.rpm

    
PACKAGES FOR QA TESTING
=======================
For x86_64:
v8-devel-12.4.254.21.mga9-1.mga9.x86_64.rpm
nodejs-devel-22.6.0-1.mga9.x86_64.rpm
npm-10.8.2-1.22.6.0.1.mga9.x86_64.rpm
nodejs-22.6.0-1.mga9.x86_64.rpm
nodejs-docs-22.6.0-1.mga9.noarch.rpm
nodejs-libs-22.6.0-1.mga9.x86_64.rpm
yarnpkg-1.22.22-0.10.8.2.1.mga9.x86_64.rpm
Comment 8 katnatek 2024-08-21 19:50:29 CEST
RH x86_64

 LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing yarnpkg-1.22.22-0.10.8.2.1.mga9.x86_64.rpm npm-10.8.2-1.22.6.0.1.mga9.x86_64.rpm nodejs-22.6.0-1.mga9.x86_64.rpm nodejs-devel-22.6.0-1.mga9.x86_64.rpm nodejs-docs-22.6.0-1.mga9.noarch.rpm v8-devel-12.4.254.21.mga9-1.mga9.x86_64.rpm nodejs-libs-22.6.0-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/7: nodejs-libs           ##################################################################################################
      2/7: nodejs                ##################################################################################################
      3/7: npm                   ##################################################################################################
      4/7: nodejs-devel          ##################################################################################################
      5/7: v8-devel              ##################################################################################################
      6/7: yarnpkg               ##################################################################################################
      7/7: nodejs-docs           ##################################################################################################
      1/7: removing npm-1:10.5.0-1.20.12.1.1.mga9.x86_64
                                 ##################################################################################################
      2/7: removing v8-devel-2:11.3.244.8.mga9-3.mga9.x86_64
                                 ##################################################################################################
      3/7: removing nodejs-devel-1:20.12.1-1.mga9.x86_64
                                 ##################################################################################################
      4/7: removing nodejs-docs-1:20.12.1-1.mga9.noarch
                                 ##################################################################################################
      5/7: removing yarnpkg-1.22.22-0.10.5.0.1.squidf.mlo9.noarch
                                 ##################################################################################################
      6/7: removing nodejs-1:20.12.1-1.mga9.x86_64
                                 ##################################################################################################
      7/7: removing nodejs-libs-1:20.12.1-1.mga9.x86_64
                                 ##################################################################################################

npm install express5

up to date, audited 51 packages in 1s

3 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

 npm ls
advisories@ /home/katnatek/mageia-advisories/advisories
└── express5@1.0.0

 node server.js 
Server running at http://127.0.0.1:3000/
http://127.0.0.1:3000/

Shows: Hello World

node
Welcome to Node.js v22.6.0.
Type ".help" for more information.
> 1+1
2
> a=2
2
> b=4
4
> a*b
8
> a+b
6
> 

Looks good
Comment 9 Herman Viaene 2024-08-23 16:27:21 CEST
# urpmi v8-devel
The following packages can't be installed because they depend on packages
that are older than the installed ones:
rpm-mageia-setup-build-2.71-1.mga9
rpm-build-4.18.2-1.mga9
nodejs-packaging-23-4.mga9
nodejs-devel-22.6.0-1.mga9
v8-devel-12.4.254.21.mga9-1.mga9

CC: (none) => herman.viaene

Comment 10 christian barranco 2024-08-23 17:39:17 CEST
(In reply to Herman Viaene from comment #9)
> # urpmi v8-devel
> The following packages can't be installed because they depend on packages
> that are older than the installed ones:
> rpm-mageia-setup-build-2.71-1.mga9
> rpm-build-4.18.2-1.mga9
> nodejs-packaging-23-4.mga9
> nodejs-devel-22.6.0-1.mga9
> v8-devel-12.4.254.21.mga9-1.mga9

Weird, because katnatek didn't have any issue.
What does urpmi --auto --auto-update --test give you?
Comment 11 katnatek 2024-08-23 18:07:06 CEST
(In reply to Herman Viaene from comment #9)
> # urpmi v8-devel
> The following packages can't be installed because they depend on packages
> that are older than the installed ones:
> rpm-mageia-setup-build-2.71-1.mga9
> rpm-build-4.18.2-1.mga9
> nodejs-packaging-23-4.mga9
> nodejs-devel-22.6.0-1.mga9
> v8-devel-12.4.254.21.mga9-1.mga9

Check your system, these versions are the current ones

rpm -q rpm-build
rpm-build-4.18.2-1.mga9

rpm -q rpm-mageia-setup-build
rpm-mageia-setup-build-2.71-1.1.mga9

LC_ALL=C urpmi nodejs-packaging
Package nodejs-packaging-23-4.mga9.noarch is already installed

I just see your version of rpm-mageia-setup-build is outdated
Comment 12 Herman Viaene 2024-08-26 10:34:56 CEST
rpm-build et al. are not installed on this laptop (why should they be??)
# LC_ALL=C urpmi nodejs-packaging
The following packages can't be installed because they depend on packages
that are older than the installed ones:
rpm-mageia-setup-build-2.71-1.mga9
fonts-srpm-macros-2.0.5-6.mga9
nodejs-packaging-23-4.mga9
Continue installation anyway? (Y/n) n
Comment 13 Herman Viaene 2024-08-26 10:41:16 CEST
# urpmi --auto --auto-update --test
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
    $MIRRORLIST: media/nonfree/updates/media_info/20240331-032734-synthesis.hdlist.cz
updated medium "Nonfree Updates (distrib13)"                                                                 
medium "Tainted Release (distrib21)" is up-to-date
    $MIRRORLIST: media/tainted/updates/media_info/20240322-001604-synthesis.hdlist.cz
updated medium "Tainted Updates (distrib23)"                                                                 


    $MIRRORLIST: media/core/release/lib64schroedinger1.0_0-1.0.11-12.mga9.x86_64.rpm
    $MIRRORLIST: media/core/updates/gstreamer1.0-lame-1.22.8-1.mga9.x86_64.rpm                               
    $MIRRORLIST: media/tainted/release/libquicktime-faad-1.2.4-32.mga9.tainted.x86_64.rpm            
etc....
and then a whole list of tainted packages, all to do with sound and video media.
Comment 14 katnatek 2024-08-26 18:22:15 CEST
(In reply to Herman Viaene from comment #13)
> # urpmi --auto --auto-update --test
> medium "QA Testing (64-bit)" is up-to-date
> medium "Core Release (distrib1)" is up-to-date
> medium "Core Updates (distrib3)" is up-to-date
> medium "Nonfree Release (distrib11)" is up-to-date
>     $MIRRORLIST:
> media/nonfree/updates/media_info/20240331-032734-synthesis.hdlist.cz
> updated medium "Nonfree Updates (distrib13)"                                
> 
> medium "Tainted Release (distrib21)" is up-to-date
>     $MIRRORLIST:
> media/tainted/updates/media_info/20240322-001604-synthesis.hdlist.cz
> updated medium "Tainted Updates (distrib23)"                                
> 
> 
> 
>     $MIRRORLIST:
> media/core/release/lib64schroedinger1.0_0-1.0.11-12.mga9.x86_64.rpm
>     $MIRRORLIST:
> media/core/updates/gstreamer1.0-lame-1.22.8-1.mga9.x86_64.rpm               
> 
>     $MIRRORLIST:
> media/tainted/release/libquicktime-faad-1.2.4-32.mga9.tainted.x86_64.rpm    
> 
> etc....
> anf then a whole list of tainted packages all to do with sound - and video -
> media.

As a QA member you should know that we can't trust the mirrorlist for our contributions; even Morgan opened a bug to change drakrpm-editmedia to not use the mirrorlist by default (bug#28810)

If you compare the metadata fetched by

LC_ALL=C urpmi.update -a -ff
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/media_info/20230819-212352-synthesis.hdlist.cz
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/media_info/20230819-212352-info.xml.lzma       
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/media_info/20230819-212352-files.xml.lzma      
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/media_info/20230819-212352-changelog.xml.lzma  
updated medium "Core Release (distrib1)"
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/media_info/20240824-172050-synthesis.hdlist.cz 
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/media_info/20240824-172050-info.xml.lzma       
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/media_info/20240824-172050-files.xml.lzma      
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/media_info/20240824-172050-changelog.xml.lzma  
updated medium "Core Updates (distrib3)"                                                                                            
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/nonfree/release/media_info/20230819-190450-synthesis.hdlist.cz
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/nonfree/release/media_info/20230819-190450-info.xml.lzma    
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/nonfree/release/media_info/20230819-190450-files.xml.lzma   
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/nonfree/release/media_info/20230819-190450-changelog.xml.lzma
updated medium "Nonfree Release (distrib11)"
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/nonfree/updates/media_info/20240731-192934-synthesis.hdlist.cz
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/nonfree/updates/media_info/20240731-192934-info.xml.lzma    
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/nonfree/updates/media_info/20240731-192934-files.xml.lzma   
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/nonfree/updates/media_info/20240731-192934-changelog.xml.lzma
updated medium "Nonfree Updates (distrib13)"                                                                                        
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/tainted/release/media_info/20230819-175246-synthesis.hdlist.cz
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/tainted/release/media_info/20230819-175246-info.xml.lzma    
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/tainted/release/media_info/20230819-175246-files.xml.lzma   
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/tainted/release/media_info/20230819-175246-changelog.xml.lzma
updated medium "Tainted Release (distrib21)"
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/tainted/updates/media_info/20240731-193009-synthesis.hdlist.cz
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/tainted/updates/media_info/20240731-193009-info.xml.lzma    
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/tainted/updates/media_info/20240731-193009-files.xml.lzma   
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/tainted/updates/media_info/20240731-193009-changelog.xml.lzma
updated medium "Tainted Updates (distrib23)"                                                                                        
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/release/media_info/20230819-212638-synthesis.hdlist.cz
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/release/media_info/20230819-212638-info.xml.lzma         
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/release/media_info/20230819-212638-files.xml.lzma        
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/release/media_info/20230819-212638-changelog.xml.lzma    
updated medium "Core 32bit Release (distrib31)"
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/updates/media_info/20240824-171636-synthesis.hdlist.cz   
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/updates/media_info/20240824-171636-info.xml.lzma         
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/updates/media_info/20240824-171636-files.xml.lzma        
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/core/updates/media_info/20240824-171636-changelog.xml.lzma    
updated medium "Core 32bit Updates (distrib32)"                                                                                     
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/nonfree/release/media_info/20230819-190453-synthesis.hdlist.cz
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/nonfree/release/media_info/20230819-190453-info.xml.lzma      
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/nonfree/release/media_info/20230819-190453-files.xml.lzma     
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/nonfree/release/media_info/20230819-190453-changelog.xml.lzma 
updated medium "Nonfree 32bit Release (distrib36)"
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/tainted/release/media_info/20230819-175241-synthesis.hdlist.cz
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/tainted/release/media_info/20230819-175241-info.xml.lzma      
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/tainted/release/media_info/20230819-175241-files.xml.lzma     
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/tainted/release/media_info/20230819-175241-changelog.xml.lzma 
updated medium "Tainted 32bit Release (distrib41)"
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/tainted/updates/media_info/20240731-192955-synthesis.hdlist.cz
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/tainted/updates/media_info/20240731-192955-info.xml.lzma      
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/tainted/updates/media_info/20240731-192955-files.xml.lzma     
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/i586/media/tainted/updates/media_info/20240731-192955-changelog.xml.lzma 
updated medium "Tainted 32bit Updates (distrib42)"     

So please set a specific mirror: https://wiki.mageia.org/en/Software_management#Choosing_a_specific_media_source
Comment 15 katnatek 2024-08-26 18:24:17 CEST
Thomas, as Herman's issue is clearly due to a mirror in bad shape provided by mirrorlist, I give the OK, but you have the last word.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 16 christian barranco 2024-08-26 19:57:45 CEST
(In reply to Herman Viaene from comment #12)
> rpm-build e.a. not installed on this laptop (why should they??)
> # LC_ALL=C urpmi nodejs-packaging
> The following packages can't be installed because they depend on packages
> that are older than the installed ones:
> rpm-mageia-setup-build-2.71-1.mga9
> fonts-srpm-macros-2.0.5-6.mga9
> nodejs-packaging-23-4.mga9
> Continue installation anyway? (Y/n) n

nodejs-packaging has been required with the previous package versions already, and it makes sense it triggers other rpm setups as well (even if I have not followed the complete chain). It is most probably a mirror sync issue to pass the install. Maybe someone else could confirm?
Comment 17 Thomas Andrews 2024-08-27 02:15:28 CEST
"As QA member you should know that we can't trust in mirror list to make our contributions, even Morgan open a bug to change drakrpm-editmedia to not use by default the mirror list (bug#28810)"

Herman knows it all too well. He uses mirrorlist on purpose, because that is the default that is presented to our users. I used to do that, too, because I felt it was important to keep my QA machine configurations as close to what we would expect our users to have as possible. I still feel that way, but the problems with using mirrorlist were just too annoying, and I went with specific mirrors.

Using the math.princeton mirror, qarepo found the proper packages, and they updated for me without issues. Since there is nothing we can do about the mirrorlist issue here, I'm validating the update.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 18 katnatek 2024-08-27 03:35:25 CEST
(In reply to Thomas Andrews from comment #17)
> Herman knows it all too well. He uses mirrorlist on purpose, because that is
> the default that is presented to our users. I used to do that, too, because
> I felt it was important to keep my QA machine configurations as close to
> what we would expect our users to have as possible. I still feel that way,
> but the problems with using mirrorlist were just too annoying, and I went
> with specific mirrors.
> 
> Using the math.princeton mirror, qarepo found the proper packages, and they
> updated for me without issues. Since there is nothing we can do about the
> mirrorlist issue here, I'm validating the update.

I'm quite new in the team, and it is hard for me to know when these kinds of things are on purpose. I respect all the members of the team and I apologize if sometimes my comments bother someone.
Comment 19 Morgan Leijström 2024-08-27 08:31:58 CEST
(In reply to katnatek from comment #18)
> (In reply to Thomas Andrews from comment #17)
> > Herman knows it all too well. He uses mirrorlist on purpose, because that is
> > the default that is presented to our users. I used to do that, too, because
> > I felt it was important to keep my QA machine configurations as close to
> > what we would expect our users to have as possible. I still feel that way,
> > but the problems with using mirrorlist were just too annoying, and I went
> > with specific mirrors.

Same here.
For testing that updates install, I usually prefer using drakrpm with testing repos enabled (and then I select only what I want to test) to make sure it resolves what to update/install, no more, no less.

The never fixed mirrorlist and defunct repos problem is a shame on us Mageia as a whole :(

Like TJ I make sure never to use mirrorlist, as all QA already knows it is broken until fixed, no need to test it further...


> I'm quite new in the team, and it is hard to me know when these kinds of
> things are on purpose, I respect to all the members of the team and I
> apologize if sometimes my comments bother to someone.

I think you are doing very well :)
Comment 20 Herman Viaene 2024-08-27 09:03:54 CEST
TJ is right on the spot as far as my using mirrorlist. It is there, so it should be usable. And I can't see why it should fail - and repeatedly so - on this particular instance. And up to now only this instance.
And the bug raised by Morgan has nothing to do with the mirrorlist mechanism not working, it's about the dialogue to set a repo.
I can accept to hit some mirror that isn't fully synched at a certain point, but that is a situation that in 99.9% of the cases only lasts 24h.
And all in all, the mirrorlist is there. If it does not work, remove it, but think three times, and then some more, before doing so.
@katnatek: you're great, keep going please.
Comment 21 Herman Viaene 2024-08-27 10:08:54 CEST
And beside that: my first question on Comment 12 isn't answered: why would the rpm-build tools be required for nodejs???
Comment 22 Thomas Andrews 2024-08-27 14:31:46 CEST
(In reply to Herman Viaene from comment #21)
> And beside that: my first question on Comment 12 isn't answered: why would
> the rpm-build tools be required for nodejs???

That's an easy one. The rpm-build tools are required by the devel packages, nodejs-devel and v8-devel for example. Non-development users don't need to install them, as a general rule, and QA isn't expected to test them. But, there have been times when QA has found packaging errors when installing them. If memory serves, there was such an incident with nodejs a few years ago, when the packager failed to update the v8-devel package with the rest. 

As for the mirrorlist situation, you are right that syncing usually resolves within 24 hours. But, it has come to our attention that the ibiblio mirror is weeks (months?) out of sync again. If mirrorlist connects you with that one, or one of the mirrors that use it as a source, well...
Comment 23 Mageia Robot 2024-08-28 19:12:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0282.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

