[SECURITY] Fedora 39 Update: nodejs20-20.8.1-1.fc39

Friday, 3 November 2023

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-7b52921cae
2023-11-03 18:20:20.955354
--------------------------------------------------------------------------------

Name        : nodejs20
Product     : Fedora 39
Version     : 20.8.1
Release     : 1.fc39
URL         : http://nodejs.org/
Summary     : JavaScript runtime
Description :
Node.js is a platform built on Chrome's JavaScript runtime \
for easily building fast, scalable network applications. \
Node.js uses an event-driven, non-blocking I/O model that \
makes it lightweight and efficient, perfect for data-intensive \
real-time applications that run across distributed devices.}

--------------------------------------------------------------------------------
Update Information:

## 2023-10-13, Version 20.8.1 (Current), @RafaelGSS  This is a security release.
### Notable Changes  The following CVEs are fixed in this release:  *
[CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4...:
`nghttp2` Security Release (High) * [CVE-2023-45143](https://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High) *
[CVE-2023-39332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3...:
Path traversal through path stored in Uint8Array (High) *
[CVE-2023-39331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3...:
Permission model improperly protects against path traversal (High) *
[CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3...:
Integrity checks according to policies can be circumvented (Medium) *
[CVE-2023-39333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3...:
Code injection via WebAssembly export names (Low)  More detailed information on
each of the vulnerabilities can be found in [October 2023 Security
Releases](https://nodejs.org/en/blog/vulnerability/october-2023-security-
releases/) blog post.  ----  ## 2023-09-28, Version 20.8.0 (Current), @ruyadorno
### Notable Changes  #### Stream performance improvements  Performance
improvements to writable and readable streams, improving the creation and
destruction by ��15% and reducing the memory overhead each stream takes in
Node.js  Contributed by Benjamin Gruenbaum in
[#49745](https://github.com/nodejs/node/pull/49745) and Raz Luvaton in
[#49834](https://github.com/nodejs/node/pull/49834).  Performance improvements
for readable webstream, improving readable stream async iterator consumption by
��140% and improving readable stream `pipeTo` consumption by ��60%  Contributed by
Raz Luvaton in [#49662](https://github.com/nodejs/node/pull/49662) and
[#49690](https://github.com/nodejs/node/pull/49690).  #### Rework of memory
management in `vm` APIs with the `importModuleDynamically` option  This rework
addressed a series of long-standing memory leaks and use-after-free issues in
the following APIs that support `importModuleDynamically`:  * `vm.Script` *
`vm.compileFunction` * `vm.SyntheticModule` * `vm.SourceTextModule`  This should
enable affected users (in particular Jest users) to upgrade from older versions
of Node.js.  Contributed by Joyee Cheung in
[#48510](https://github.com/nodejs/node/pull/48510).  #### Other notable changes
* \[[`32d4d29d02`](https://github.com/nodejs/node/commit/32d4d29d02)] -
**deps**: add v8::Object::SetInternalFieldForNodeCore() (Joyee Cheung)
[#49874](https://github.com/nodejs/node/pull/49874) *
\[[`0e686d096b`](https://github.com/nodejs/node/commit/0e686d096b)] - **doc**:
deprecate `fs.F_OK`, `fs.R_OK`, `fs.W_OK`, `fs.X_OK` (Livia Medeiros)
[#49683](https://github.com/nodejs/node/pull/49683) *
\[[`a5dd057540`](https://github.com/nodejs/node/commit/a5dd057540)] - **doc**:
deprecate `util.toUSVString` (Yagiz Nizipli)
[#49725](https://github.com/nodejs/node/pull/49725) *
\[[`7b6a73172f`](https://github.com/nodejs/node/commit/7b6a73172f)] - **doc**:
deprecate calling `promisify` on a function that returns a promise (Antoine du
Hamel) [#49647](https://github.com/nodejs/node/pull/49647) *
\[[`1beefd5f16`](https://github.com/nodejs/node/commit/1beefd5f16)] - **esm**:
set all hooks as release candidate (Geoffrey Booth)
[#49597](https://github.com/nodejs/node/pull/49597) *
\[[`b0ce78a75b`](https://github.com/nodejs/node/commit/b0ce78a75b)] -
**module**: fix the leak in SourceTextModule and ContextifySript (Joyee Cheung)
[#48510](https://github.com/nodejs/node/pull/48510) *
\[[`4e578f8ab1`](https://github.com/nodejs/node/commit/4e578f8ab1)] -
**module**: fix leak of vm.SyntheticModule (Joyee Cheung)
[#48510](https://github.com/nodejs/node/pull/48510) *
\[[`69e4218772`](https://github.com/nodejs/node/commit/69e4218772)] -
**module**: use symbol in WeakMap to manage host defined options (Joyee Cheung)
[#48510](https://github.com/nodejs/node/pull/48510) *
\[[`14ece0aa76`](https://github.com/nodejs/node/commit/14ece0aa76)] - **(SEMVER-
MINOR)** **src**: allow embedders to override NODE\_MODULE\_VERSION (Cheng Zhao)
[#49279](https://github.com/nodejs/node/pull/49279) *
\[[`9fd67fbff0`](https://github.com/nodejs/node/commit/9fd67fbff0)] -
**stream**: use bitmap in writable state (Raz Luvaton)
[#49834](https://github.com/nodejs/node/pull/49834) *
\[[`0ccd4638ac`](https://github.com/nodejs/node/commit/0ccd4638ac)] -
**stream**: use bitmap in readable state (Benjamin Gruenbaum)
[#49745](https://github.com/nodejs/node/pull/49745) *
\[[`7c5e322346`](https://github.com/nodejs/node/commit/7c5e322346)] -
**stream**: improve webstream readable async iterator performance (Raz Luvaton)
[#49662](https://github.com/nodejs/node/pull/49662) *
\[[`80b342cc38`](https://github.com/nodejs/node/commit/80b342cc38)] - **(SEMVER-
MINOR)** **test\_runner**: accept `testOnly` in `run` (Moshe Atlow)
[#49753](https://github.com/nodejs/node/pull/49753) *
\[[`17a05b141d`](https://github.com/nodejs/node/commit/17a05b141d)] - **(SEMVER-
MINOR)** **test\_runner**: add junit reporter (Moshe Atlow)
[#49614](https://github.com/nodejs/node/pull/49614)
--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct 16 2023 Stephen Gallagher <sgallagh(a)redhat.com&gt; - 1:20.8.1-1
- Update to 20.8.1
* Fri Sep 29 2023 Stephen Gallagher <sgallagh(a)redhat.com&gt; - 1:20.8.0-1
- Update to 20.8.0
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-7b52921cae' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

[SECURITY] Fedora 39 Update: nodejs20-20.8.1-1.fc39