Advisories » MGASA-2023-0226

Updated nodejs packages fix security vulnerability

Publication date: 07 Jul 2023
Modification date: 07 Jul 2023
Type: security
Affected Mageia releases: 8
CVE: CVE-2023-30581, CVE-2023-30582, CVE-2023-30583, CVE-2023-30584, CVE-2023-30585, CVE-2023-30586, CVE-2023-30587, CVE-2023-30588, CVE-2023-30589, CVE-2023-30590

Description

The current nodejs 14 branch in Mageia 8 is end of life and no longer
receives security updates.

This release moves to the new nodejs 18 LTS branch and fixes the
following CVEs:
CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
CVE-2023-30588: Process interruption due to invalid Public Key information in x509 certificates (Medium)
CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
OpenSSL Security Releases:
 OpenSSL security advisory 28th March.
 OpenSSL security advisory 20th April.
 OpenSSL security advisory 30th May.
c-ares vulnerabilities:
 GHSA-9g78-jv2r-p7vc
 GHSA-8r8p-23f3-64c2
 GHSA-54xr-f67r-4pc4
 GHSA-x6mf-cxr9-8q6v

References

SRPMS

8/core