Fedora 38 Security Advisory: Node.js16 Critical Fixes and Updates

Fedora, April 4, 2023
Fedora 38 has released an important patch for Node.js, featuring essential security fixes and updates to improve app safety and performance. Users should update soon.


Summary

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.

Fixes for virtual Provides/Requires of `nodejs` and `nodejs-devel`

Assorted fixes for v8-devel

Update to 19.8.1. Fix conflict with nodejs18.

## 2023-02-16, Version 16.19.1 'Gallium' (LTS), @richardlau

This is a security release.

### Notable Changes

The following CVEs are fixed in this release:

* **[CVE-2023-23918](https://www.cve.org/CVERecord?id=CVE-2023-23918)**: Node.js Permissions policies can be bypassed via process.mainModule (High)
* **[CVE-2023-23919](https://www.cve.org/CVERecord?id=CVE-2023-23919)**: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
* **[CVE-2023-23920](https://www.cve.org/CVERecord?id=CVE-2023-23920)**: Node.js insecure loading of ICU data through ICU\_DATA environment variable (Low)

Fixed by an update to undici:

* **[CVE-2023-23936](https://www.cve.org/CVERecord?id=CVE-2023-23936)**: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium)
  * See for more information.
* **[CVE-2023-24807](https://www.cve.org/CVERecord?id=CVE-2023-24807)**: Regular Expression Denial of Service in Headers in Node.js fetch API (Low)
  * See for more information.

More detailed information on each of the vulnerabilities can be found in the [February 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/) blog post.

This security release includes OpenSSL security updates as outlined in the recent [OpenSSL security advisory](https://openssl-library.org/news/secadv/20230207.txt).

### Commits

* \[[`7fef050447`](https://github.com/nodejs/node/commit/7fef050447)] - **build**: build ICU with ICU\_NO\_USER\_DATA\_OVERRIDE (RafaelGSS) [nodejs-private/node-private#374]
* \[[`b558e9f476`](https://github.com/nodejs/node/commit/b558e9f476)] - **crypto**: clear OpenSSL error on invalid ca cert (RafaelGSS) [nodejs-private/node-private#375]
* \[[`160adb7ffc`](https://github.com/nodejs/node/commit/160adb7ffc)] - **crypto**: clear OpenSSL error queue after calling X509\_check\_private\_key() (Filip Skokan) [#45495](https://github.com/nodejs/node/pull/45495)
* \[[`d0ece30948`](https://github.com/nodejs/node/commit/d0ece30948)] - **crypto**: clear OpenSSL error queue after calling X509\_verify() (Takuro Sato) [#45377](https://github.com/nodejs/node/pull/45377)
* \[[`2d9ae4f184`](https://github.com/nodejs/node/commit/2d9ae4f184)] - **deps**: update undici to v5.19.1 (Matteo Collina) [nodejs-private/node-private#388]
* \[[`d80e8312fd`](https://github.com/nodejs/node/commit/d80e8312fd)] - **deps**: cherry-pick Windows ARM64 fix for openssl (Richard Lau) [#46568](https://github.com/nodejs/node/pull/46568)
* \[[`de5c8d2c2f`](https://github.com/nodejs/node/commit/de5c8d2c2f)] - **deps**: update archs files for quictls/openssl-1.1.1t+quic (RafaelGSS) [#46568](https://github.com/nodejs/node/pull/46568)
* \[[`1a8ccfe908`](https://github.com/nodejs/node/commit/1a8ccfe908)] - **deps**: upgrade openssl sources to OpenSSL\_1\_1\_1t+quic (RafaelGSS) [#46568](https://github.com/nodejs/node/pull/46568)
* \[[`693789780b`](https://github.com/nodejs/node/commit/693789780b)] - **doc**: clarify release notes for Node.js 16.19.0 (Richard Lau) [#45846](https://github.com/nodejs/node/pull/45846)
* \[[`f95ef064f4`](https://github.com/nodejs/node/commit/f95ef064f4)] - **lib**: makeRequireFunction patch when experimental policy (RafaelGSS) [nodejs-private/node-private#358]
* \[[`b02d895137`](https://github.com/nodejs/node/commit/b02d895137)] - **policy**: makeRequireFunction on mainModule.require (RafaelGSS) [nodejs-private/node-private#358]
* \[[`d7f83c420c`](https://github.com/nodejs/node/commit/d7f83c420c)] - **test**: avoid left behind child processes (Richard Lau) [#46276](https://github.com/nodejs/node/pull/46276)

Change Log

* Mon Apr 3 2023 Stephen Gallagher - 1:16.20.0-2
- Adjust nodejs-devel Provides

* Thu Mar 30 2023 Stephen Gallagher - 1:16.20.0-1
- Update to 16.20.0

* Mon Mar 27 2023 Stephen Gallagher - 1:16.19.1-7
- Fix build issue on non-default releases

* Mon Mar 27 2023 Stephen Gallagher - 1:16.19.1-6
- Fix libv8 packaging issue

* Thu Mar 16 2023 Stephen Gallagher - 1:16.19.1-5
- Namespace the v8 compatibility libraries

* Wed Mar 1 2023 Stephen Gallagher - 1:16.19.1-4
- sources: re-sync to nodejs20

* Thu Feb 23 2023 Stephen Gallagher - 1:16.19.1-3
- Fix an incompatibility with GCC 13+
- The Makefile patch is also no longer needed since we switched to ninja.

* Tue Feb 21 2023 Stephen Gallagher - 1:16.19.1-2
- Update to latest nodejs-sources.sh

* Fri Feb 17 2023 Stephen Gallagher - 1:16.19.1-1
- Update to 16.19.1
- 16.19.1
- packaging: Drop vestigial package.cfg file.
- packaging: Make nodejs-sources.sh clean up after itself

* Mon Jan 23 2023 Stephen Gallagher - 1:16.19.0-5
- Upload sources correctly

* Mon Jan 23 2023 Stephen Gallagher - 1:16.19.0-4
- Rework nodejs-sources.sh

* Mon Jan 23 2023 Stephen Gallagher - 1:16.19.0-3
- Fix v8 symlinks

* Thu Jan 19 2023 Fedora Release Engineering - 1:16.19.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild

Update Instructions

Install the update by running `su -c 'dnf upgrade --advisory FEDORA-2023-973319d5b7'` at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html
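As an added example (not part of the advisory or of Fedora's own tooling), a small Python check that compares the installed nodejs build against the fixed build named in this advisory (1:16.20.0-2.fc38) using rpm's epoch:version-release ordering, and prints the advisory command only when the host is still behind. It assumes `rpm` is present for the live query; the comparison functions themselves take plain strings, and the rpmvercmp logic is a simplified reimplementation (no tilde/caret handling), not rpm's own.

```python
import re
import subprocess

ADVISORY_ID = "FEDORA-2023-973319d5b7"
FIXED_NODEJS_EVR = "1:16.20.0-2.fc38"  # Version 16.20.0, Release 2.fc38 per this advisory


def vercmp(a, b):
    """Simplified rpmvercmp (no tilde/caret): numeric segments beat alphabetic ones."""
    sa, sb = re.findall(r"[0-9]+|[A-Za-z]+", a), re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))  # compare as integers, not strings
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer (more segments) is newer


def split_evr(evr):
    """'1:16.20.0-2.fc38' -> ('1', '16.20.0', '2.fc38'); a missing epoch counts as '0'."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def evrcmp(a, b):
    """Epoch decides first, then version, then release, as rpm orders packages."""
    for x, y in zip(split_evr(a), split_evr(b)):
        c = vercmp(x, y)
        if c:
            return c
    return 0


def needs_advisory(installed_evr, fixed_evr=FIXED_NODEJS_EVR):
    return evrcmp(installed_evr, fixed_evr) < 0  # True when the installed build is older


def installed_nodejs_evr():
    # Live query; rpm prints "(none)" for an unset epoch, which we normalise to 0.
    out = subprocess.run(["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}", "nodejs"],
                         capture_output=True, text=True, check=True).stdout
    return out.replace("(none):", "0:").strip()


if __name__ == "__main__":
    evr = installed_nodejs_evr()
    if needs_advisory(evr):
        print(f"nodejs {evr} predates the fix; run: su -c 'dnf upgrade --advisory {ADVISORY_ID}'")
    else:
        print(f"nodejs {evr} already includes {ADVISORY_ID}")
```

Note that the epoch is compared first: a build reported as `16.20.0-2.fc38` with no epoch sorts below `1:16.20.0-2.fc38`, which is why the query format includes `%{EPOCH}` rather than just the version string.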

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/


Severity: critical

Product: Fedora 38
Version: 16.20.0
Release: 2.fc38
Summary: JavaScript runtime
