Updated nodejs packages fix security vulnerability
Publication date: 24 Sep 2023Modification date: 28 Sep 2023
Type: security
Affected Mageia releases : 8 , 9
CVE: CVE-2023-32002 , CVE-2023-32006 , CVE-2023-32559
Description
This is a security release. As well, it fixes v8 headers detection
(mga#28809)
The following CVEs are fixed in this release:
CVE-2023-32002: Policies can be bypassed via Module._load (High)
CVE-2023-32006: Policies can be bypassed by
module.constructor.createRequire (Medium)
CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
OpenSSL Security Releases
OpenSSL security advisory 14th July.
OpenSSL security advisory 19th July.
OpenSSL security advisory 31st July
More detailed information on each of the vulnerabilities can be found in
August 2023 Security Releases blog post.
References
- https://bugs.mageia.org/show_bug.cgi?id=32176
- https://bugs.mageia.org/show_bug.cgi?id=28809
- https://github.com/nodejs/node/releases/tag/v18.17.1
- https://github.com/nodejs/node/releases/tag/v18.17.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32002
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32006
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32559
SRPMS
9/core
- nodejs-18.17.1-1.mga9
- yarnpkg-1.22.19-13.mga9
8/core
- nodejs-18.17.1-1.mga8