--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-de515f765f
2022-11-29 00:55:09.553235
--------------------------------------------------------------------------------
Name : nodejs
Product : Fedora 35
Version : 16.18.1
Release : 1.fc35
URL : http://nodejs.org/
Summary : JavaScript runtime
Description :
Node.js is a platform built on Chrome's JavaScript runtime
for easily building fast, scalable network applications.
Node.js uses an event-driven, non-blocking I/O model that
makes it lightweight and efficient, perfect for data-intensive
real-time applications that run across distributed devices.
--------------------------------------------------------------------------------
Update Information:
November 2022 Security Updates
https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/
----
[September Security Updates for Node.js](https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/)
----
Update to Node.js 16.17.0
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md#...
----
Fix dependency typo
----
Update to 16.15.0
----
Update to Node.js 16.14.1
Note that we will be skipping 16.14.2 since the only changes were in
the bundled copy of OpenSSL, which we do not use. The relevant security patches
are handled in Fedora's `openssl` package.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Nov 7 2022 Stephen Gallagher <sgallagh(a)redhat.com> 1:16.18.1-1
- Update to security release 16.18.1
* Thu Nov 3 2022 Stephen Gallagher <sgallagh(a)redhat.com> 1:16.17.1-3
- Update python3_fixup
* Fri Sep 23 2022 Stephen Gallagher <sgallagh(a)redhat.com> 1:16.17.1-2
- Backport nodejs-sources.sh
* Fri Sep 23 2022 Stephen Gallagher <sgallagh(a)redhat.com> 1:16.17.1-1
- Update to 16.17.1
* Thu Sep 15 2022 Stephen Gallagher <sgallagh(a)redhat.com> 1:16.17.0-3
- Drop epel7 from package.cfg
* Thu Sep 15 2022 Stephen Gallagher <sgallagh(a)redhat.com> 1:16.17.0-2
- Simplify manpage packaging
* Wed Sep 14 2022 Stephen Gallagher <sgallagh(a)redhat.com> 1:16.17.0-1
- Update to Node.js 16.17.0
- https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md#16.17.0
* Fri Jul 15 2022 Stephen Gallagher <sgallagh(a)redhat.com> 1:16.16.0-1
- Update to 16.16.0
* Mon Jul 11 2022 Stephen Gallagher <sgallagh(a)redhat.com> 1:16.15.1-2
- Backport nodejs-sources.sh from 18
* Mon Jun 13 2022 Stephen Gallagher <sgallagh(a)redhat.com> - 1:16.15.1-1
- Update to Node.js 16.15.1
- Re-enable LTO build
* Fri May 6 2022 Stephen Gallagher <sgallagh(a)redhat.com> - 1:16.15.0-3
- Fix incorrect epoch in v8-devel dependency
* Fri Apr 29 2022 Stephen Gallagher <sgallagh(a)redhat.com> - 1:16.15.0-2
- Fix file conflicts.
- Make dependency on nodejs-libs more strict.
* Wed Apr 27 2022 Stephen Gallagher <sgallagh(a)redhat.com> - 1:16.15.0-1
- Update to Node.js 16.15.0
- Stop carrying full ICU sources now that the binary data is available
- Properly version the v8 virtual Provides
- Bundle nghttp2
* Mon Apr 4 2022 Jan Staněk <jstanek(a)redhat.com> - 16.14.1-2
- Unify configure.py calls into single command
- Refactor bootstrap-related parts
- Decouple dependency bundling from bootstrapping
* Thu Mar 17 2022 Stephen Gallagher <sgallagh(a)redhat.com> - 1:16.14.1-1
- Update to Node.js 16.14.1
- Drop corepack
* Thu Mar 3 2022 Zuzana Svetlikova <zsvetlik(a)redhat.com> - 1:16.14.0-3
- Build without corepack
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2105422 - CVE-2022-32212 nodejs: DNS rebinding in --inspect via invalid IP addresses
https://bugzilla.redhat.com/show_bug.cgi?id=2105422
[ 2 ] Bug #2105426 - CVE-2022-32215 nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding
https://bugzilla.redhat.com/show_bug.cgi?id=2105426
[ 3 ] Bug #2105430 - CVE-2022-32213 nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding
https://bugzilla.redhat.com/show_bug.cgi?id=2105430
[ 4 ] Bug #2130517 - CVE-2022-35255 nodejs: weak randomness in WebCrypto keygen
https://bugzilla.redhat.com/show_bug.cgi?id=2130517
[ 5 ] Bug #2130518 - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields
https://bugzilla.redhat.com/show_bug.cgi?id=2130518
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-de515f765f' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------