MGASA-2023-0226 - Updated nodejs packages fix security vulnerability

Publication date: 07 Jul 2023
URL: https://advisories.mageia.org/MGASA-2023-0226.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2023-30581,
     CVE-2023-30582,
     CVE-2023-30583,
     CVE-2023-30584,
     CVE-2023-30585,
     CVE-2023-30586,
     CVE-2023-30587,
     CVE-2023-30588,
     CVE-2023-30589,
     CVE-2023-30590

The current nodejs 14 branch in Mageia 8 is end of life and receives no more
security updates.

This release moves Mageia 8 to the new nodejs 18 LTS branch and fixes the
following CVEs:
- CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism
  (High)
- CVE-2023-30585: Privilege escalation via Malicious Registry Key
  manipulation during Node.js installer repair process (Medium)
- CVE-2023-30588: Process interruption due to invalid Public Key information
  in x509 certificates (Medium)
- CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR
  (Medium)
- CVE-2023-30590: DiffieHellman does not generate keys after setting a
  private key (Medium)
OpenSSL security releases:
- OpenSSL security advisory of 28th March
- OpenSSL security advisory of 20th April
- OpenSSL security advisory of 30th May
c-ares vulnerabilities:
- GHSA-9g78-jv2r-p7vc
- GHSA-8r8p-23f3-64c2
- GHSA-54xr-f67r-4pc4
- GHSA-x6mf-cxr9-8q6v

References:
- https://bugs.mageia.org/show_bug.cgi?id=32047
- https://github.com/nodejs/node/releases/tag/v18.16.1
- https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30582
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30583
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30584
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30585
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30586
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30587
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30588
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30589
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30590

SRPMS:
- 8/core/nodejs-18.16.1-1.mga8
