1. Home
  2. Security Advisories
  3. Fedora
  4. FEDORA-2023-973319d5b7

[FEDORA-2023-973319d5b7] Fedora 38: nodejs18, nodejs16, nodejs20

Severity High
Affected Packages 3
CVEs 5
Info Packages Vulnerabilities

Fixes for virtual Provides/Requires of nodejs and nodejs-devel ----
Assorted fixes for v8-devel ---- Update to 19.8.1 Fix confilct with nodejs18
---- ## 2023-02-16, Version 16.19.1 'Gallium' (LTS), @richardlau This is a
security release. ### Notable Changes The following CVEs are fixed in this
release: * CVE-2023-23918: Node.js Permissions policies can be
bypassed via process.mainModule (High) *
CVE-2023-23919: Node.js OpenSSL error handling issues in
nodejs crypto library (Medium) * CVE-2023-23920: Node.js insecure loading of ICU data
through ICU_DATA environment variable (Low) Fixed by an update to undici: *
CVE-2023-23936: Fetch API in Node.js did not protect
against CRLF injection in host headers (Medium) * See
https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff for
more information. * CVE-2023-24807: Regular Expression Denial of Service in
Headers in Node.js fetch API (Low) * See
https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w for
more information. More detailed information on each of the vulnerabilities can
be found in February 2023 Security
Releases blog post. This security release includes OpenSSL security updates
as outlined in the recent OpenSSL security
advisory. ### Commits *
[7fef050447] - build:
build ICU with ICU_NO_USER_DATA_OVERRIDE (RafaelGSS) nodejs-private/node-
private#374 *
[b558e9f476] -
crypto: clear OpenSSL error on invalid ca cert (RafaelGSS) nodejs-
private/node-private#375 *
[160adb7ffc] -
crypto: clear OpenSSL error queue after calling X509_check_private_key()
(Filip Skokan) #45495 *
[d0ece30948] -
crypto: clear OpenSSL error queue after calling X509_verify() (Takuro Sato)
#45377 *
[2d9ae4f184] - deps:
update undici to v5.19.1 (Matteo Collina) nodejs-private/node-
private#388 *
[d80e8312fd] - deps:
cherry-pick Windows ARM64 fix for openssl (Richard Lau)
#46568 *
[de5c8d2c2f] - deps:
update archs files for quictls/openssl-1.1.1t+quic (RafaelGSS)
#46568 *
[1a8ccfe908] - deps:
upgrade openssl sources to OpenSSL_1_1_1t+quic (RafaelGSS)
#46568 *
[693789780b] - doc:
clarify release notes for Node.js 16.19.0 (Richard Lau)
#45846 *
[f95ef064f4] - lib:
makeRequireFunction patch when experimental policy (RafaelGSS) nodejs-
private/node-private#358 *
[b02d895137] -
policy: makeRequireFunction on mainModule.require (RafaelGSS) nodejs-
private/node-private#358 *
[d7f83c420c] - test:
avoid left behind child processes (Richard Lau)
#46276

Package Affected Version
pkg:rpm/fedora/nodejs20?distro=fedora-38 < 19.8.1.7.fc38
pkg:rpm/fedora/nodejs18?distro=fedora-38 < 18.15.0.6.fc38
pkg:rpm/fedora/nodejs16?distro=fedora-38 < 16.20.0.2.fc38
ID
FEDORA-2023-973319d5b7
Severity
high
Severity from
CVE-2023-23918
URL
https://bodhi.fedoraproject.org/updates/FEDORA-2023-973319d5b7
Published
2023-04-04T18:17:01
(17 months ago)
Modified
2023-04-04T18:17:01
(17 months ago)
Rights
Copyright 2023 Red Hat, Inc.
Other Advisories
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:rpm/fedora/nodejs20?distro=fedora-38 fedora nodejs20 < 19.8.1.7.fc38 fedora-38
Affected pkg:rpm/fedora/nodejs18?distro=fedora-38 fedora nodejs18 < 18.15.0.6.fc38 fedora-38
Affected pkg:rpm/fedora/nodejs16?distro=fedora-38 fedora nodejs16 < 16.20.0.2.fc38 fedora-38
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date