Advisories » MGASA-2024-0282

Updated nodejs & yarnpkg packages fix security vulnerabilities

Publication date: 28 Aug 2024
Modification date: 28 Aug 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-22020, CVE-2024-36137, CVE-2024-36138, CVE-2024-22018, CVE-2024-37372

Description

Node.js 22 is the new active LTS branch, and 5 CVEs are fixed:
CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
CVE-2024-22018 - fs.lstat bypasses permission model (Low)
CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
CVE-2024-37372 - Permission model improperly processes UNC paths (Low)
The yarn package is updated with npm 10.8.2.

References

SRPMS

9/core