Updated nodejs packages fix security vulnerability
Publication date: 07 Jul 2023Modification date: 07 Jul 2023
Type: security
Affected Mageia releases : 8
CVE: CVE-2023-30581 , CVE-2023-30582 , CVE-2023-30583 , CVE-2023-30584 , CVE-2023-30585 , CVE-2023-30586 , CVE-2023-30587 , CVE-2023-30588 , CVE-2023-30589 , CVE-2023-30590
Description
Current nodejs 14 branch in Mageia 8 is end of life and there are no more security updates. This release allows to move to the new nodejs 18 LTS branch and fixes the following CVEs CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High) CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium) CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium) CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium) CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium) OpenSSL Security Releases OpenSSL security advisory 28th March. OpenSSL security advisory 20th April. OpenSSL security advisory 30th May c-ares vulnerabilities: GHSA-9g78-jv2r-p7vc GHSA-8r8p-23f3-64c2 GHSA-54xr-f67r-4pc4 GHSA-x6mf-cxr9-8q6v
References
- https://bugs.mageia.org/show_bug.cgi?id=32047
- https://github.com/nodejs/node/releases/tag/v18.16.1
- https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30582
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30583
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30584
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30585
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30586
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30587
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30588
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30589
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30590
SRPMS
8/core
- nodejs-18.16.1-1.mga8