What Are You Looking For?

Popular Tags

Sign Up
MGASA-2023-0226 - Updated nodejs packages fix security vulnerability

Publication date: 07 Jul 2023
URL: https://advisories.mageia.org/MGASA-2023-0226.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2023-30581,
     CVE-2023-30582,
     CVE-2023-30583,
     CVE-2023-30584,
     CVE-2023-30585,
     CVE-2023-30586,
     CVE-2023-30587,
     CVE-2023-30588,
     CVE-2023-30589,
     CVE-2023-30590

Current nodejs 14 branch in Mageia 8 is end of life and there are no more
security updates.

This release allows to move to the new nodejs 18 LTS branch and fixes the
following CVEs
CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism
(High)
CVE-2023-30585: Privilege escalation via Malicious Registry Key
manipulation during Node.js installer repair process (Medium)
CVE-2023-30588: Process interuption due to invalid Public Key information
in x509 certificates (Medium)
CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR
(Medium)
CVE-2023-30590: DiffieHellman does not generate keys after setting a
private key (Medium)
OpenSSL Security Releases
 OpenSSL security advisory 28th March.
 OpenSSL security advisory 20th April.
 OpenSSL security advisory 30th May
c-ares vulnerabilities:
 GHSA-9g78-jv2r-p7vc
 GHSA-8r8p-23f3-64c2
 GHSA-54xr-f67r-4pc4
 GHSA-x6mf-cxr9-8q6v

References:
- https://bugs.mageia.org/show_bug.cgi?id=32047
- https://github.com/nodejs/node/releases/tag/v18.16.1
- https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30582
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30583
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30584
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30585
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30586
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30587
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30588
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30589
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30590

SRPMS:
- 8/core/nodejs-18.16.1-1.mga8

Mageia 2023-0226: nodejs security update

Current nodejs 14 branch in Mageia 8 is end of life and there are no more security updates

Summary

Current nodejs 14 branch in Mageia 8 is end of life and there are no more security updates.
This release allows to move to the new nodejs 18 LTS branch and fixes the following CVEs CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High) CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium) CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium) CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium) CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium) OpenSSL Security Releases OpenSSL security advisory 28th March. OpenSSL security advisory 20th April. OpenSSL security advisory 30th May c-ares vulnerabilities: GHSA-9g78-jv2r-p7vc GHSA-8r8p-23f3-64c2 GHSA-54xr-f67r-4pc4 GHSA-x6mf-cxr9-8q6v

References

- https://bugs.mageia.org/show_bug.cgi?id=32047

- https://github.com/nodejs/node/releases/tag/v18.16.1

- https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30582

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30583

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30584

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30585

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30586

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30587

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30588

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30589

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30590

Resolution

MGASA-2023-0226 - Updated nodejs packages fix security vulnerability

SRPMS

- 8/core/nodejs-18.16.1-1.mga8

Severity
Publication date: 07 Jul 2023
URL: https://advisories.mageia.org/MGASA-2023-0226.html
Type: security
CVE: CVE-2023-30581, CVE-2023-30582, CVE-2023-30583, CVE-2023-30584, CVE-2023-30585, CVE-2023-30586, CVE-2023-30587, CVE-2023-30588, CVE-2023-30589, CVE-2023-30590

Related News

Critical Node.js Info Disclosure, Code Execution Bugs Fixed

Sep 23, 2023

GitHub Makes Passkeys Security Feature Available to All

Sep 23, 2023

Multiple Severe, Remotely Exploitable Chromium Vulns Fixed

Sep 15, 2023

Remotely Exploitable Poppler DoS Bugs Fixed - Update Now!

Sep 22, 2023

News

Advisories

HOWTOs

Features

The Unseen Potential of Wake-on-LAN
Linux Vulnerabilities: The Antidote to This Linux Security Poison
Preventing Linux DDoS Attacks with Minimal Cybersecurity Knowledge
Navigating Software Scalability: A Practical Guide to Building Scalable Systems with Linux
Unlocking the Secrets of Linux Security: An Expert Analysis

About Us

Powered By

Footer Logo

Feedback