--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-973319d5b7
2023-04-04 18:13:26.504631
--------------------------------------------------------------------------------
Name : nodejs18
Product : Fedora 38
Version : 18.15.0
Release : 6.fc38
URL :
http://nodejs.org/
Summary : JavaScript runtime
Description :
Node.js is a platform built on Chrome's JavaScript runtime \
for easily building fast, scalable network applications. \
Node.js uses an event-driven, non-blocking I/O model that \
makes it lightweight and efficient, perfect for data-intensive \
real-time applications that run across distributed devices.}
--------------------------------------------------------------------------------
Update Information:
Fixes for virtual Provides/Requires of `nodejs` and `nodejs-devel` ----
Assorted fixes for v8-devel ---- Update to 19.8.1 Fix confilct with nodejs18
---- ## 2023-02-16, Version 16.19.1 'Gallium' (LTS), @richardlau This is a
security release. ### Notable Changes The following CVEs are fixed in this
release: * **[CVE-2023-23918](https://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2023-23918)**: Node.js Permissions policies can be
bypassed via process.mainModule (High) *
**[CVE-2023-23919](https://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2023-23919)**: Node.js OpenSSL error handling issues in
nodejs crypto library (Medium) * **[CVE-2023-23920](https://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2023-23920)**: Node.js insecure loading of ICU data
through ICU\_DATA environment variable (Low) Fixed by an update to undici: *
**[CVE-2023-23936](https://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2023-23936)**: Fetch API in Node.js did not protect
against CRLF injection in host headers (Medium) * See
<
https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff> for
more information. * **[CVE-2023-24807](https://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2023-24807)**: Regular Expression Denial of Service in
Headers in Node.js fetch API (Low) * See
<
https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w> for
more information. More detailed information on each of the vulnerabilities can
be found in [February 2023 Security
Releases](https://nodejs.org/en/blog/vulnerability/february-2023-security-
releases/) blog post. This security release includes OpenSSL security updates
as outlined in the recent [OpenSSL security
advisory](https://www.openssl.org/news/secadv/20230207.txt). ### Commits *
\[[`7fef050447`](https://github.com/nodejs/node/commit/7fef050447)] - **build**:
build ICU with ICU\_NO\_USER\_DATA\_OVERRIDE (RafaelGSS) [nodejs-private/node-
private#374](https://github.com/nodejs-private/node-private/pull/374) *
\[[`b558e9f476`](https://github.com/nodejs/node/commit/b558e9f476)] -
**crypto**: clear OpenSSL error on invalid ca cert (RafaelGSS) [nodejs-
private/node-private#375](https://github.com/nodejs-private/node-
private/pull/375) *
\[[`160adb7ffc`](https://github.com/nodejs/node/commit/160adb7ffc)] -
**crypto**: clear OpenSSL error queue after calling X509\_check\_private\_key()
(Filip Skokan) [#45495](https://github.com/nodejs/node/pull/45495) *
\[[`d0ece30948`](https://github.com/nodejs/node/commit/d0ece30948)] -
**crypto**: clear OpenSSL error queue after calling X509\_verify() (Takuro Sato)
[#45377](https://github.com/nodejs/node/pull/45377) *
\[[`2d9ae4f184`](https://github.com/nodejs/node/commit/2d9ae4f184)] - **deps**:
update undici to v5.19.1 (Matteo Collina) [nodejs-private/node-
private#388](https://github.com/nodejs-private/node-private/pull/388) *
\[[`d80e8312fd`](https://github.com/nodejs/node/commit/d80e8312fd)] - **deps**:
cherry-pick Windows ARM64 fix for openssl (Richard Lau)
[#46568](https://github.com/nodejs/node/pull/46568) *
\[[`de5c8d2c2f`](https://github.com/nodejs/node/commit/de5c8d2c2f)] - **deps**:
update archs files for quictls/openssl-1.1.1t+quic (RafaelGSS)
[#46568](https://github.com/nodejs/node/pull/46568) *
\[[`1a8ccfe908`](https://github.com/nodejs/node/commit/1a8ccfe908)] - **deps**:
upgrade openssl sources to OpenSSL\_1\_1\_1t+quic (RafaelGSS)
[#46568](https://github.com/nodejs/node/pull/46568) *
\[[`693789780b`](https://github.com/nodejs/node/commit/693789780b)] - **doc**:
clarify release notes for Node.js 16.19.0 (Richard Lau)
[#45846](https://github.com/nodejs/node/pull/45846) *
\[[`f95ef064f4`](https://github.com/nodejs/node/commit/f95ef064f4)] - **lib**:
makeRequireFunction patch when experimental policy (RafaelGSS) [nodejs-
private/node-private#358](https://github.com/nodejs-private/node-
private/pull/358) *
\[[`b02d895137`](https://github.com/nodejs/node/commit/b02d895137)] -
**policy**: makeRequireFunction on mainModule.require (RafaelGSS) [nodejs-
private/node-private#358](https://github.com/nodejs-private/node-
private/pull/358) *
\[[`d7f83c420c`](https://github.com/nodejs/node/commit/d7f83c420c)] - **test**:
avoid left behind child processes (Richard Lau)
[#46276](https://github.com/nodejs/node/pull/46276)
--------------------------------------------------------------------------------
ChangeLog:
* Mon Apr 3 2023 Stephen Gallagher <sgallagh(a)redhat.com> - 1:18.15.0-6
- Adjust nodejs-devel Provides
* Thu Mar 30 2023 Stephen Gallagher <sgallagh(a)redhat.com> - 1:18.15.0-5
- Pull in changes from nodejs20
* Mon Mar 27 2023 Stephen Gallagher <sgallagh(a)redhat.com> - 1:18.15.0-4
- Fix build issue on non-default releases
* Mon Mar 27 2023 Stephen Gallagher <sgallagh(a)redhat.com> - 1:18.15.0-3
- Fix libv8 packaging issue
* Thu Mar 16 2023 Stephen Gallagher <sgallagh(a)redhat.com> - 1:18.15.0-2
- Namespace the v8 compat libraries
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-973319d5b7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------