[SECURITY] Fedora 39 Update: nodejs20-20.12.2-1.fc39

-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2024-e28ccc9c17 2024-04-20 01:02:39.395996 -------------------------------------------------------------------------------- Name : nodejs20 Product : Fedora 39 Version : 20.12.2 Release : 1.fc39 URL : http://nodejs.org/ Summary : JavaScript runtime Description : Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an event-driven, non-blocking I/O model that \ makes it lightweight and efficient, perfect for data-intensive \ real-time applications that run across distributed devices.} -------------------------------------------------------------------------------- Update Information: 2024-04-03, Version 20.12.1 'Iron' (LTS), @RafaelGSS This is a security release Notable Changes CVE-2024-27983 - Assertion failed in node::http2::Http2Session::\~Http2Session() leads to HTTP/2 server crash- (High) CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium) llhttp version 9.2.1 undici version 5.28.4 Commits [bd8f10a257] - deps: update undici to v5.28.4 (Matteo Collina) nodejs- private/node-private#576 [5e34540a96] - http: do not allow OBS fold in headers by default (Paolo Insogna) nodejs-private/node-private#557 [ba1ae6d188] - src: ensure to close stream when destroying session (Anna Henningsen) nodejs-private/node-private#561 2024-04-03, Version 20.12.1 'Iron' (LTS), @RafaelGSS This is a security release Notable Changes CVE-2024-27983 - Assertion failed in node::http2::Http2Session::\~Http2Session() leads to HTTP/2 server crash- (High) CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium) llhttp version 9.2.1 undici version 5.28.4 -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 10 2024 Stephen Gallagher <sgallagh(a)redhat.com&gt; - 1:20.12.2-1 - Update to 20.12.2 * Fri Apr 5 2024 Stephen Gallagher <sgallagh(a)redhat.com&gt; - 1:20.12.1-3 - simdutf: cpu feature detection fixes * Fri Apr 5 2024 Jan Stan��k <jstanek(a)redhat.com&gt; - 1:20.12.1-2 - Remove static analysis from required gating tests * Wed Apr 3 2024 Stephen Gallagher <sgallagh(a)redhat.com&gt; - 1:20.12.1-1 - Update to 20.12.1 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2272764 - CVE-2024-27983 nodejs: CONTINUATION frames DoS https://bugzilla.redhat.com/show_bug.cgi?id=2272764 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-e28ccc9c17' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------