--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-973319d5b7
2023-04-04 18:13:26.504631
--------------------------------------------------------------------------------

Name        : nodejs18
Product     : Fedora 38
Version     : 18.15.0
Release     : 6.fc38
URL         : http://nodejs.org/
Summary     : JavaScript runtime
Description :
Node.js is a platform built on Chrome's JavaScript runtime
for easily building fast, scalable network applications.
Node.js uses an event-driven, non-blocking I/O model that
makes it lightweight and efficient, perfect for data-intensive
real-time applications that run across distributed devices.

--------------------------------------------------------------------------------
Update Information:

Fixes for virtual Provides/Requires of `nodejs` and `nodejs-devel`

----

Assorted fixes for v8-devel

----

Update to 19.8.1

Fix conflict with nodejs18

----

## 2023-02-16, Version 16.19.1 'Gallium' (LTS), @richardlau

This is a security release.

### Notable Changes

The following CVEs are fixed in this release:

* **[CVE-2023-23918](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918)**: Node.js Permissions policies can be bypassed via process.mainModule (High)
* **[CVE-2023-23919](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23919)**: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
* **[CVE-2023-23920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920)**: Node.js insecure loading of ICU data through ICU\_DATA environment variable (Low)

Fixed by an update to undici:

* **[CVE-2023-23936](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936)**: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium)
  * See for more information.
* **[CVE-2023-24807](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807)**: Regular Expression Denial of Service in Headers in Node.js fetch API (Low)
  * See for more information.

More detailed information on each of the vulnerabilities can be found in [February 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/) blog post.

This security release includes OpenSSL security updates as outlined in the recent [OpenSSL security advisory](https://www.openssl.org/news/secadv/20230207.txt).

### Commits

* \[[`7fef050447`](https://github.com/nodejs/node/commit/7fef050447)] - **build**: build ICU with ICU\_NO\_USER\_DATA\_OVERRIDE (RafaelGSS) nodejs-private/node-private#374
* \[[`b558e9f476`](https://github.com/nodejs/node/commit/b558e9f476)] - **crypto**: clear OpenSSL error on invalid ca cert (RafaelGSS) nodejs-private/node-private#375
* \[[`160adb7ffc`](https://github.com/nodejs/node/commit/160adb7ffc)] - **crypto**: clear OpenSSL error queue after calling X509\_check\_private\_key() (Filip Skokan) [#45495](https://github.com/nodejs/node/pull/45495)
* \[[`d0ece30948`](https://github.com/nodejs/node/commit/d0ece30948)] - **crypto**: clear OpenSSL error queue after calling X509\_verify() (Takuro Sato) [#45377](https://github.com/nodejs/node/pull/45377)
* \[[`2d9ae4f184`](https://github.com/nodejs/node/commit/2d9ae4f184)] - **deps**: update undici to v5.19.1 (Matteo Collina) nodejs-private/node-private#388
* \[[`d80e8312fd`](https://github.com/nodejs/node/commit/d80e8312fd)] - **deps**: cherry-pick Windows ARM64 fix for openssl (Richard Lau) [#46568](https://github.com/nodejs/node/pull/46568)
* \[[`de5c8d2c2f`](https://github.com/nodejs/node/commit/de5c8d2c2f)] - **deps**: update archs files for quictls/openssl-1.1.1t+quic (RafaelGSS) [#46568](https://github.com/nodejs/node/pull/46568)
* \[[`1a8ccfe908`](https://github.com/nodejs/node/commit/1a8ccfe908)] - **deps**: upgrade openssl sources to OpenSSL\_1\_1\_1t+quic (RafaelGSS) [#46568](https://github.com/nodejs/node/pull/46568)
* \[[`693789780b`](https://github.com/nodejs/node/commit/693789780b)] - **doc**: clarify release notes for Node.js 16.19.0 (Richard Lau) [#45846](https://github.com/nodejs/node/pull/45846)
* \[[`f95ef064f4`](https://github.com/nodejs/node/commit/f95ef064f4)] - **lib**: makeRequireFunction patch when experimental policy (RafaelGSS) nodejs-private/node-private#358
* \[[`b02d895137`](https://github.com/nodejs/node/commit/b02d895137)] - **policy**: makeRequireFunction on mainModule.require (RafaelGSS) nodejs-private/node-private#358
* \[[`d7f83c420c`](https://github.com/nodejs/node/commit/d7f83c420c)] - **test**: avoid left behind child processes (Richard Lau) [#46276](https://github.com/nodejs/node/pull/46276)
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr  3 2023 Stephen Gallagher  - 1:18.15.0-6
- Adjust nodejs-devel Provides
* Thu Mar 30 2023 Stephen Gallagher  - 1:18.15.0-5
- Pull in changes from nodejs20
* Mon Mar 27 2023 Stephen Gallagher  - 1:18.15.0-4
- Fix build issue on non-default releases
* Mon Mar 27 2023 Stephen Gallagher  - 1:18.15.0-3
- Fix libv8 packaging issue
* Thu Mar 16 2023 Stephen Gallagher  - 1:18.15.0-2
- Namespace the v8 compat libraries
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-973319d5b7' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/
Do not reply to spam, report it: https://pagure.io/login/
