Fedora 37: 2022-1667f7b60a Critical: Node.js DNS Rebinding Issues

Node.js is a platform built on Chrome's JavaScript runtime

for easily building fast, scalable network applications.

Node.js uses an event-driven, non-blocking I/O model that

makes it lightweight and efficient, perfect for data-intensive

real-time applications that run across distributed devices.

November 2022 Security Updates

https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/ ----Update to 18.10.0

https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.10.0

---- [September Security Updates for

Node.js](https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/) ---- Update to 18.9.0

* Mon Nov 7 2022 Stephen Gallagher 1:18.12.1-1

- Update to security release 18.12.1

* Tue Nov 1 2022 Stephen Gallagher 1:18.11.0-4

- Update python3_fixup

* Thu Oct 20 2022 Stephen Gallagher 1:18.11.0-3

- Move native module autorequires to nodejs-packaging

* Thu Oct 20 2022 Stephen Gallagher 1:18.11.0-2

- Fix symlinks

* Wed Oct 19 2022 Stephen Gallagher 1:18.11.0-1

- Update to 18.11.0

* Tue Oct 4 2022 Stephen Gallagher 1:18.10.0-1

- Update to 18.10.0

* Fri Sep 23 2022 Stephen Gallagher 1:18.9.1-1

- Fix incorrect version number

* Fri Sep 23 2022 Stephen Gallagher 1:18.9.0-4

- Update to 18.9.1

* Thu Sep 15 2022 Stephen Gallagher 1:18.9.0-3

- Simplify manpage packaging

* Wed Sep 14 2022 Stephen Gallagher 1:18.9.0-2

- Add f37 to package.cfg

* Wed Sep 14 2022 Stephen Gallagher 1:18.9.0-1

- Update to Node.js 18.9.0

- https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#

18.9.0

- https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#

18.8.0

[ 1 ] Bug #2105422 - CVE-2022-32212 nodejs: DNS rebinding in --inspect via invalid IP addresses

https://bugzilla.redhat.com/show_bug.cgi?id=2105422

[ 2 ] Bug #2105426 - CVE-2022-32215 nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding

https://bugzilla.redhat.com/show_bug.cgi?id=2105426

[ 3 ] Bug #2105430 - CVE-2022-32213 nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding

https://bugzilla.redhat.com/show_bug.cgi?id=2105430

[ 4 ] Bug #2130517 - CVE-2022-35255 nodejs: weak randomness in WebCrypto keygen

https://bugzilla.redhat.com/show_bug.cgi?id=2130517

[ 5 ] Bug #2130518 - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

https://bugzilla.redhat.com/show_bug.cgi?id=2130518

su -c 'dnf upgrade --advisory FEDORA-2022-1667f7b60a' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Do not reply to spam, report it: