Bug 33947 - nodejs new security issues CVE-2025-2308[35]
Summary: nodejs new security issues CVE-2025-2308[35]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-01-22 09:33 CET by Nicolas Salguero
Modified: 2025-02-07 20:46 CET
CC: 2 users

See Also:
Source RPM: nodejs-22.6.0-1.mga9.src.rpm
CVE: CVE-2025-23083, CVE-2025-23085
Status comment:


Attachments

Nicolas Salguero 2025-01-22 09:34:24 CET

CVE: (none) => CVE-2025-23083, CVE-2025-23085
Status comment: (none) => Fixed upstream in 22.13.1
Source RPM: (none) => nodejs-22.6.0-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2025-01-26 19:42:19 CET
https://nodejs.org/en/blog/vulnerability/january-2025-security-releases has these URLs:
Node.js v18.20.6
Node.js v20.18.2
Node.js v22.13.1
Node.js v23.6.1

Normally this would have gone to squidf, but I think he is no longer with us. So assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2025-02-05 09:37:04 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Worker permission bypass via InternalWorker leak in diagnostics. (CVE-2025-23083)

GOAWAY HTTP/2 frames cause memory leak outside heap. (CVE-2025-23085)

References:
https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
https://www.openwall.com/lists/oss-security/2025/01/21/5
========================

Updated packages in core/updates_testing:
========================
nodejs-22.13.1-2.mga9
nodejs-devel-22.13.1-2.mga9
nodejs-docs-22.13.1-2.mga9
nodejs-libs-22.13.1-2.mga9
npm-10.9.2-1.22.13.1.2.mga9
v8-devel-12.4.254.21.mga9-2.mga9

from SRPM:
nodejs-22.13.1-2.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 22.13.1 => (none)
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED

katnatek 2025-02-05 18:23:12 CET

Keywords: (none) => advisory

Comment 3 katnatek 2025-02-05 18:30:40 CET
Previous updates also include yarn; why not this?

Comment 4 katnatek 2025-02-05 18:42:51 CET
RH x86_64

installing nodejs-libs-22.13.1-2.mga9.x86_64.rpm v8-devel-12.4.254.21.mga9-2.mga9.x86_64.rpm nodejs-docs-22.13.1-2.mga9.noarch.rpm nodejs-devel-22.13.1-2.mga9.x86_64.rpm nodejs-22.13.1-2.mga9.x86_64.rpm npm-10.9.2-1.22.13.1.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/6: nodejs-libs           ##################################################################################################
      2/6: npm                   ##################################################################################################
      3/6: nodejs                ##################################################################################################
      4/6: nodejs-devel          ##################################################################################################
      5/6: v8-devel              ##################################################################################################
      6/6: nodejs-docs           ##################################################################################################
      1/6: removing v8-devel-2:12.4.254.21.mga9-1.mga9.x86_64
                                 ##################################################################################################
      2/6: removing nodejs-devel-1:22.6.0-1.mga9.x86_64
                                 ##################################################################################################
      3/6: removing nodejs-docs-1:22.6.0-1.mga9.noarch
                                 ##################################################################################################
      4/6: removing nodejs-1:22.6.0-1.mga9.x86_64
                                 ##################################################################################################
      5/6: removing npm-1:10.8.2-1.22.6.0.1.mga9.x86_64
                                 ##################################################################################################
      6/6: removing nodejs-libs-1:22.6.0-1.mga9.x86_64
                                 ##################################################################################################

npm install express5
npm warn deprecated string-similarity@4.0.4: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

added 50 packages in 5s

4 packages are looking for funding
  run `npm fund` for details
npm notice
npm notice New major version of npm available! 10.9.2 -> 11.1.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v11.1.0
npm notice To update run: npm install -g npm@11.1.0
npm notice

npm ls
qatest@ /home/katnatek/qatest
└── express5@1.0.0

node server.js
Server running at http://127.0.0.1:3000/

http://127.0.0.1:3000/

Shows: Hello World

node
Welcome to Node.js v22.13.1.
Type ".help" for more information.
> 1+1
2
> a=2
2
> b=4
4
> a*b
8
> a+b
6
> 

Looks good

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Comment 5 Thomas Andrews 2025-02-07 16:17:55 CET
Bug 33674 is a security bug on yarnpkg for Cauldron and MGA9 that has been open since October. If it still needs to be updated, that's probably the place to take care of it.

Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 Mageia Robot 2025-02-07 20:46:43 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0041.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
