[SECURITY] Fedora 35 Update: nodejs-16.18.1-1.fc35

-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2022-de515f765f 2022-11-29 00:55:09.553235 -------------------------------------------------------------------------------- Name : nodejs Product : Fedora 35 Version : 16.18.1 Release : 1.fc35 URL : http://nodejs.org/ Summary : JavaScript runtime Description : Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices. -------------------------------------------------------------------------------- Update Information: November 2022 Security Updates https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/ ---- [September Security Updates for Node.js](https://nodejs.org/en/blog/vulnerability/september-2022-security- releases/) ---- Update to Node.js 16.17.0 https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md#... ---- Fix dependency typo ---- Update to 16.15.0 ---- Update to Node.js 16.14.1 Note that we will be skipping 16.14.2 since the only changes were in the bundled copy of OpenSSL, which we do not use. The relevant security patches are handled in Fedora's `openssl` package. -------------------------------------------------------------------------------- ChangeLog: * Mon Nov 7 2022 Stephen Gallagher <sgallagh(a)redhat.com&gt; 1:16.18.1-1 - Update to security release 16.18.1 * Thu Nov 3 2022 Stephen Gallagher <sgallagh(a)redhat.com&gt; 1:16.17.1-3 - Update python3_fixup * Fri Sep 23 2022 Stephen Gallagher <sgallagh(a)redhat.com&gt; 1:16.17.1-2 - Backport nodejs-sources.sh * Fri Sep 23 2022 Stephen Gallagher <sgallagh(a)redhat.com&gt; 1:16.17.1-1 - Update to 16.17.1 * Thu Sep 15 2022 Stephen Gallagher <sgallagh(a)redhat.com&gt; 1:16.17.0-3 - Drop epel7 from package.cfg * Thu Sep 15 2022 Stephen Gallagher <sgallagh(a)redhat.com&gt; 1:16.17.0-2 - Simplify manpage packaging * Wed Sep 14 2022 Stephen Gallagher <sgallagh(a)redhat.com&gt; 1:16.17.0-1 - Update to Node.js 16.17.0 - https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md# 16.17.0 * Fri Jul 15 2022 Stephen Gallagher <sgallagh(a)redhat.com&gt; 1:16.16.0-1 - Update to 16.16.0 * Mon Jul 11 2022 Stephen Gallagher <sgallagh(a)redhat.com&gt; 1:16.15.1-2 - Backport nodejs-sources.sh from 18 * Mon Jun 13 2022 Stephen Gallagher <sgallagh(a)redhat.com&gt; - 1:16.15.1-1 - Update to Node.js 16.15.1 - Re-enable LTO build * Fri May 6 2022 Stephen Gallagher <sgallagh(a)redhat.com&gt; - 1:16.15.0-3 - Fix incorrect epoch in v8-devel dependency * Fri Apr 29 2022 Stephen Gallagher <sgallagh(a)redhat.com&gt; - 1:16.15.0-2 - Fix file conflicts. - Make dependency on nodejs-libs more strict. * Wed Apr 27 2022 Stephen Gallagher <sgallagh(a)redhat.com&gt; - 1:16.15.0-1 - Update to Node.js 16.15.0 - Stop carrying full ICU sources now that the binary data is available - Properly version the v8 virtual Provides - Bundle nghttp2 * Mon Apr 4 2022 Jan Stan��k <jstanek(a)redhat.com&gt; - 16.14.1-2 - Unify configure.py calls into single command - Refactor bootstrap-related parts - Decouple dependency bundling from bootstrapping * Thu Mar 17 2022 Stephen Gallagher <sgallagh(a)redhat.com&gt; - 1:16.14.1-1 - Update to Node.js 16.14.1 - Drop corepack * Thu Mar 3 2022 Zuzana Svetlikova <zsvetlik(a)redhat.com&gt; - 1:16.14.0-3 - Build without corepack -------------------------------------------------------------------------------- References: [ 1 ] Bug #2105422 - CVE-2022-32212 nodejs: DNS rebinding in --inspect via invalid IP addresses https://bugzilla.redhat.com/show_bug.cgi?id=2105422 [ 2 ] Bug #2105426 - CVE-2022-32215 nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding https://bugzilla.redhat.com/show_bug.cgi?id=2105426 [ 3 ] Bug #2105430 - CVE-2022-32213 nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding https://bugzilla.redhat.com/show_bug.cgi?id=2105430 [ 4 ] Bug #2130517 - CVE-2022-35255 nodejs: weak randomness in WebCrypto keygen https://bugzilla.redhat.com/show_bug.cgi?id=2130517 [ 5 ] Bug #2130518 - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields https://bugzilla.redhat.com/show_bug.cgi?id=2130518 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2022-de515f765f' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------