Fedora Linux 8637 Published by

A nodejs16 security update has been released for Fedora 37.



[SECURITY] Fedora 37 Update: nodejs16-16.20.1-1.fc37


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-61e40652be
2023-07-21 01:25:40.834220
--------------------------------------------------------------------------------

Name : nodejs16
Product : Fedora 37
Version : 16.20.1
Release : 1.fc37
URL : http://nodejs.org/
Summary : JavaScript runtime
Description :
Node.js is a platform built on Chrome's JavaScript runtime \
for easily building fast, scalable network applications. \
Node.js uses an event-driven, non-blocking I/O model that \
makes it lightweight and efficient, perfect for data-intensive \
real-time applications that run across distributed devices.}

--------------------------------------------------------------------------------
Update Information:

## 2023-06-20, Version 16.20.1 'Gallium' (LTS), @RafaelGSS This is a security
release. ### Notable Changes The following CVEs are fixed in this release: *
[CVE-2023-30581]( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581):
`mainModule.__proto__` Bypass Experimental Policy Mechanism (High) *
[CVE-2023-30585]( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30585):
Privilege escalation via Malicious Registry Key manipulation during Node.js
installer repair process (Medium) * [CVE-2023-30588]( https://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2023-30588): Process interuption due to invalid Public
Key information in x509 certificates (Medium) *
[CVE-2023-30589]( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30589):
HTTP Request Smuggling via Empty headers separated by CR (Medium) *
[CVE-2023-30590]( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30590):
DiffieHellman does not generate keys after setting a private key (Medium) *
OpenSSL Security Releases * [OpenSSL security advisory 28th
March]( https://www.openssl.org/news/secadv/20230328.txt). * [OpenSSL security
advisory 20th April]( https://www.openssl.org/news/secadv/20230420.txt). *
[OpenSSL security advisory 30th
May]( https://www.openssl.org/news/secadv/20230530.txt) * c-ares vulnerabilities:
* [GHSA-9g78-jv2r-p7vc]( https://github.com/c-ares/c-
ares/security/advisories/GHSA-9g78-jv2r-p7vc) * [GHSA-8r8p-23f3-
64c2]( https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2)
* [GHSA-54xr-f67r-4pc4]( https://github.com/c-ares/c-
ares/security/advisories/GHSA-54xr-f67r-4pc4) * [GHSA-x6mf-
cxr9-8q6v]( https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-
cxr9-8q6v) More detailed information on each of the vulnerabilities can be
found in [June 2023 Security
Releases]( https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/)
blog post.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jun 21 2023 Stephen Gallagher [sgallagh@redhat.com] - 1:16.20.1-1
- Update to security release 16.20.1
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-61e40652be' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------