[FEDORA-2023-18476abd7e] Fedora 37: nodejs18, nodejs16, nodejs20

Severity Critical
Affected Packages 3
CVEs 7

https://nodejs.org/en/blog/vulnerability/august-2023-security-releases

Security releases available

Updates are now available for the v16.x, v18.x, and v20.x Node.js release lines
for the following issues.

Permissions policies can be bypassed via Module._load (HIGH) (CVE-2023-32002)

The use of Module._load() can bypass the policy mechanism and require modules
outside of the policy.json definition for a given module. Please note that at
the time this CVE was issued, the policy mechanism is an experimental feature of
Node.js.
Impacts: This vulnerability affects all users using the experimental policy
mechanism in all active release lines: 16.x, 18.x, and 20.x.
Thank you to mattaustin for reporting this vulnerability and thank you Rafael
Gonzaga and Bradley Farias for fixing it.

Permission model bypass by specifying a path traversal sequence in a Buffer
(HIGH) (CVE-2023-32004)

A vulnerability has been discovered in Node.js version 20, specifically within
the experimental permission model. This flaw relates to improper handling of
Buffers in file system APIs, causing a traversal path to bypass the check when
verifying file permissions. Please note that at the time this CVE was issued,
the permission model is an experimental feature of Node.js.
Impacts: This vulnerability affects all users using the experimental permission
model in Node.js 20.
Thank you to Axel Chong for reporting this vulnerability and thank you Rafael
Gonzaga for fixing it.

process.binding() can bypass the permission model through path traversal (HIGH)
(CVE-2023-32558)

The use of the deprecated API process.binding() can bypass the permission model
through path traversal. Please note that at the time this CVE was issued, the
permission model is an experimental feature of Node.js.
Impacts: This vulnerability affects all users using the experimental permission
model in Node.js 20.
Thank you to Rafael Gonzaga for reporting and fixing this vulnerability.

Permissions policies can impersonate other modules in using
module.constructor.createRequire() (MEDIUM) (CVE-2023-32006)

The use of module.constructor.createRequire() can bypass the policy mechanism
and require modules outside of the policy.json definition for a given module.
Please note that at the time this CVE was issued, the policy mechanism is an
experimental feature of Node.js.
Impacts: This vulnerability affects all users using the experimental policy
mechanism in all active release lines: 16.x, 18.x, and 20.x.
Thank you to Axel Chong for reporting this vulnerability and thank you Rafael
Gonzaga and Bradley Farias for fixing it.

Permissions policies can be bypassed via process.binding (MEDIUM)
(CVE-2023-32559)

The use of the deprecated API process.binding() can bypass the policy mechanism
by requiring internal modules and eventually take advantage of
process.binding('spawn_sync') to run arbitrary code, outside of the limits
defined in a policy.json file. Please note that at the time this CVE was issued,
the policy is an experimental feature of Node.js.
Impacts: This vulnerability affects all users using the experimental policy
mechanism in all active release lines: 16.x, 18.x, and 20.x.
Thank you to LeoDog896 for reporting this vulnerability and thank you Tobias
Nießen for fixing it.

fs.statfs can retrieve stats from files restricted by the Permission Model (LOW)
(CVE-2023-32005)

A vulnerability has been identified in Node.js version 20, affecting users of
the experimental permission model when the --allow-fs-read flag is used with a
non-* argument. This flaw arises from an inadequate permission model that fails
to restrict file stats through the fs.statfs API. As a result, malicious actors
can retrieve stats from files that they do not have explicit read access to.
Please note that at the time this CVE was issued, the permission model is an
experimental feature of Node.js.
Impacts: This vulnerability affects all users using the experimental permission
model in Node.js 20.
Thank you to Rafael Gonzaga for reporting and fixing this vulnerability.

fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks (LOW)
(CVE-2023-32003)

fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model
check using a path traversal attack. This flaw arises from a missing check in
the fs.mkdtemp() API, and the impact is that a malicious actor could create an
arbitrary directory. Please note that at the time this CVE was issued, the
permission model is an experimental feature of Node.js.
Impacts: This vulnerability affects all users using the experimental permission
model in Node.js 20.
Thank you to Axel Chong for reporting this vulnerability and thank you Rafael
Gonzaga for fixing it.

Downloads and release details

Node.js v16.20.2 (LTS), Node.js v18.17.1 (LTS), Node.js v20.5.1 (Current)

(Update 08-Aug-2023) Security Release target August 9th

The Node.js Security Releases will be available on, or shortly after, Wednesday,
August 9th, 2023.

Summary

The Node.js project will release new versions of the 16.x, 18.x and 20.x release
lines on or shortly after Tuesday, August 8th 2023 in order to address: 3 high
severity issues, 2 medium severity issues, and 2 low severity issues.

OpenSSL Security updates

This security release includes the following OpenSSL security updates: OpenSSL
security advisory 14th July, OpenSSL security advisory 19th July, and OpenSSL
security advisory 31st July.

Impact

The 20.x release line of Node.js is vulnerable to 3 high severity issues, 2
medium severity issues, and 2 low severity issues.
The 18.x release line of Node.js is vulnerable to 1 high severity issue, and 2
medium severity issues.
The 16.x release line of Node.js is vulnerable to 1 high severity issue, and 2
medium severity issues.

Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix
Affected | pkg:rpm/fedora/nodejs20?distro=fedora-37 | fedora | nodejs20 | < 20.5.1.1.fc37 | fedora-37 | |
Affected | pkg:rpm/fedora/nodejs18?distro=fedora-37 | fedora | nodejs18 | < 18.17.1.1.fc37 | fedora-37 | |
Affected | pkg:rpm/fedora/nodejs16?distro=fedora-37 | fedora | nodejs16 | < 16.20.2.1.fc37 | fedora-37 | |
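
A triage check for a running Node.js process, added here as an example (it is not code from the Node.js project or from Fedora). It compares the runtime against the fixed upstream versions listed above and separates CVEs whose experimental feature is switched on from those that are only latent. Assumptions: the flag names --experimental-policy and --experimental-permission come from the Node.js command line, not from this advisory, and the function and field names are made up for the example.

```javascript
// Added example. Fixed versions and CVE groupings are copied from the advisory.
const FIXED = { 16: [16, 20, 2], 18: [18, 17, 1], 20: [20, 5, 1] };
// Policy mechanism issues: all three release lines.
const POLICY_CVES = ['CVE-2023-32002', 'CVE-2023-32006', 'CVE-2023-32559'];
// Permission model issues: Node.js 20 only.
const PERMISSION_CVES = ['CVE-2023-32004', 'CVE-2023-32558',
  'CVE-2023-32005', 'CVE-2023-32003'];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new TypeError(`unrecognised Node.js version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric, component-wise comparison (so 20.10.0 is newer than 20.5.1).
function isOlder(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Flags can arrive on the command line or through NODE_OPTIONS.
function runtimeFlags(execArgv = process.execArgv, env = process.env) {
  return [...execArgv, ...(env.NODE_OPTIONS || '').split(/\s+/).filter(Boolean)];
}

// exposed: affected feature is switched on; latent: unpatched but feature off.
function assess(version, flags = []) {
  const parsed = parseVersion(version);
  const fixed = FIXED[parsed[0]];
  const out = { version: parsed.join('.'), fixedIn: null, patched: null,
    exposed: [], latent: [] };
  if (!fixed) return out; // release line not covered by this advisory
  out.fixedIn = fixed.join('.');
  out.patched = !isOlder(parsed, fixed);
  if (out.patched) return out;
  const on = (f) => flags.some((a) => a === f || a.startsWith(f + '='));
  (on('--experimental-policy') ? out.exposed : out.latent).push(...POLICY_CVES);
  if (parsed[0] === 20) {
    (on('--experimental-permission') ? out.exposed : out.latent)
      .push(...PERMISSION_CVES);
  }
  return out;
}

console.log(assess(process.version, runtimeFlags()));
```

A `patched` value of `null` means the release line is outside this advisory, not that the runtime is safe.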