--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-973319d5b7
2023-04-04 18:13:26.504631
--------------------------------------------------------------------------------

Name        : nodejs16
Product     : Fedora 38
Version     : 16.20.0
Release     : 2.fc38
URL         : http://nodejs.org/
Summary     : JavaScript runtime
Description :
Node.js is a platform built on Chrome's JavaScript runtime
for easily building fast, scalable network applications.
Node.js uses an event-driven, non-blocking I/O model that
makes it lightweight and efficient, perfect for data-intensive
real-time applications that run across distributed devices.

--------------------------------------------------------------------------------
Update Information:

Fixes for virtual Provides/Requires of `nodejs` and `nodejs-devel`

----

Assorted fixes for v8-devel

----

Update to 19.8.1

Fix conflict with nodejs18

----

## 2023-02-16, Version 16.19.1 'Gallium' (LTS), @richardlau

This is a security release.

### Notable Changes

The following CVEs are fixed in this release:

* **[CVE-2023-23918](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918)**: Node.js Permissions policies can be bypassed via process.mainModule (High)
* **[CVE-2023-23919](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23919)**: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
* **[CVE-2023-23920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920)**: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)

Fixed by an update to undici:

* **[CVE-2023-23936](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936)**: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium)
  * See https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff for more information.
* **[CVE-2023-24807](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807)**: Regular Expression Denial of Service in Headers in Node.js fetch API (Low)
  * See https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w for more information.

More detailed information on each of the vulnerabilities can be found in the [February 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/) blog post.

This security release includes OpenSSL security updates as outlined in the recent [OpenSSL security advisory](https://www.openssl.org/news/secadv/20230207.txt).

### Commits

* [[`7fef050447`](https://github.com/nodejs/node/commit/7fef050447)] - **build**: build ICU with ICU_NO_USER_DATA_OVERRIDE (RafaelGSS) [nodejs-private/node-private#374](https://github.com/nodejs-private/node-private/pull/374)
* [[`b558e9f476`](https://github.com/nodejs/node/commit/b558e9f476)] - **crypto**: clear OpenSSL error on invalid ca cert (RafaelGSS) [nodejs-private/node-private#375](https://github.com/nodejs-private/node-private/pull/375)
* [[`160adb7ffc`](https://github.com/nodejs/node/commit/160adb7ffc)] - **crypto**: clear OpenSSL error queue after calling X509_check_private_key() (Filip Skokan) [#45495](https://github.com/nodejs/node/pull/45495)
* [[`d0ece30948`](https://github.com/nodejs/node/commit/d0ece30948)] - **crypto**: clear OpenSSL error queue after calling X509_verify() (Takuro Sato) [#45377](https://github.com/nodejs/node/pull/45377)
* [[`2d9ae4f184`](https://github.com/nodejs/node/commit/2d9ae4f184)] - **deps**: update undici to v5.19.1 (Matteo Collina) [nodejs-private/node-private#388](https://github.com/nodejs-private/node-private/pull/388)
* [[`d80e8312fd`](https://github.com/nodejs/node/commit/d80e8312fd)] - **deps**: cherry-pick Windows ARM64 fix for openssl (Richard Lau) [#46568](https://github.com/nodejs/node/pull/46568)
* [[`de5c8d2c2f`](https://github.com/nodejs/node/commit/de5c8d2c2f)] - **deps**: update archs files for quictls/openssl-1.1.1t+quic (RafaelGSS) [#46568](https://github.com/nodejs/node/pull/46568)
* [[`1a8ccfe908`](https://github.com/nodejs/node/commit/1a8ccfe908)] - **deps**: upgrade openssl sources to OpenSSL_1_1_1t+quic (RafaelGSS) [#46568](https://github.com/nodejs/node/pull/46568)
* [[`693789780b`](https://github.com/nodejs/node/commit/693789780b)] - **doc**: clarify release notes for Node.js 16.19.0 (Richard Lau) [#45846](https://github.com/nodejs/node/pull/45846)
* [[`f95ef064f4`](https://github.com/nodejs/node/commit/f95ef064f4)] - **lib**: makeRequireFunction patch when experimental policy (RafaelGSS) [nodejs-private/node-private#358](https://github.com/nodejs-private/node-private/pull/358)
* [[`b02d895137`](https://github.com/nodejs/node/commit/b02d895137)] - **policy**: makeRequireFunction on mainModule.require (RafaelGSS) [nodejs-private/node-private#358](https://github.com/nodejs-private/node-private/pull/358)
* [[`d7f83c420c`](https://github.com/nodejs/node/commit/d7f83c420c)] - **test**: avoid left behind child processes (Richard Lau) [#46276](https://github.com/nodejs/node/pull/46276)

--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr  3 2023 Stephen Gallagher <sgallagh@redhat.com> - 1:16.20.0-2
- Adjust nodejs-devel Provides
* Thu Mar 30 2023 Stephen Gallagher <sgallagh@redhat.com> - 1:16.20.0-1
- Update to 16.20.0
* Mon Mar 27 2023 Stephen Gallagher <sgallagh@redhat.com> - 1:16.19.1-7
- Fix build issue on non-default releases
* Mon Mar 27 2023 Stephen Gallagher <sgallagh@redhat.com> - 1:16.19.1-6
- Fix libv8 packaging issue
* Thu Mar 16 2023 Stephen Gallagher <sgallagh@redhat.com> - 1:16.19.1-5
- Namespace the v8 compatibility libraries
* Wed Mar  1 2023 Stephen Gallagher <sgallagh@redhat.com> - 1:16.19.1-4
- sources: re-sync to nodejs20
* Thu Feb 23 2023 Stephen Gallagher <sgallagh@redhat.com> - 1:16.19.1-3
- Fix an incompatibility with GCC 13+
- The Makefile patch is also no longer needed since we switched to ninja.
* Tue Feb 21 2023 Stephen Gallagher <sgallagh@redhat.com> - 1:16.19.1-2
- Update to latest nodejs-sources.sh
* Fri Feb 17 2023 Stephen Gallagher <sgallagh@redhat.com> - 1:16.19.1-1
- Update to 16.19.1
- https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md#16.19.1
- packaging: Drop vestigial package.cfg file.
- packaging: Make nodejs-sources.sh clean up after itself
* Mon Jan 23 2023 Stephen Gallagher <sgallagh@redhat.com> - 1:16.19.0-5
- Upload sources correctly
* Mon Jan 23 2023 Stephen Gallagher <sgallagh@redhat.com> - 1:16.19.0-4
- Rework nodejs-sources.sh
* Mon Jan 23 2023 Stephen Gallagher <sgallagh@redhat.com> - 1:16.19.0-3
- Fix v8 symlinks
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:16.19.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-973319d5b7' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------