Advisories » MGASA-2024-0046

Updated nodejs yarnpkg packages fix security vulnerabilities

Publication date: 22 Feb 2024
Modification date: 22 Feb 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-21892, CVE-2024-22019, CVE-2023-46809, CVE-2024-22025

Description

This is a security release. The following CVEs are fixed in this release:

CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities - (High)
CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks - (High)
CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)

More detailed information on each of the vulnerabilities can be found in the February 2024 Security Releases blog post.
