A nodejs18 security update has been released for Fedora 37.

[SECURITY] Fedora 37 Update: nodejs18-18.16.1-1.fc37

Fedora Update Notification
2023-07-19 04:20:09.560021

Name : nodejs18
Product : Fedora 37
Version : 18.16.1
Release : 1.fc37
URL : http://nodejs.org/
Summary : JavaScript runtime
Description :
Node.js is a platform built on Chrome's JavaScript runtime
for easily building fast, scalable network applications.
Node.js uses an event-driven, non-blocking I/O model that
makes it lightweight and efficient, perfect for data-intensive
real-time applications that run across distributed devices.

Update Information:

## 2023-06-20, Version 18.16.1 'Hydrogen' (LTS), @RafaelGSS

This is a security release.

### Notable Changes

The following CVEs are fixed in this release:

* [CVE-2023-30581](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581): `mainModule.__proto__` Bypass Experimental Policy Mechanism (High)
* [CVE-2023-30585](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30585): Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
* [CVE-2023-30588](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30588): Process interruption due to invalid Public Key information in x509 certificates (Medium)
* [CVE-2023-30589](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30589): HTTP Request Smuggling via Empty headers separated by CR (Medium)
* [CVE-2023-30590](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30590): DiffieHellman does not generate keys after setting a private key (Medium)
* OpenSSL Security Releases
  * [OpenSSL security advisory 28th March](https://www.openssl.org/news/secadv/20230328.txt)
  * [OpenSSL security advisory 20th April](https://www.openssl.org/news/secadv/20230420.txt)
  * [OpenSSL security advisory 30th May](https://www.openssl.org/news/secadv/20230530.txt)
* c-ares vulnerabilities:
  * [GHSA-9g78-jv2r-p7vc](https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc)
  * [GHSA-8r8p-23f3-64c2](https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2)
  * [GHSA-54xr-f67r-4pc4](https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4)
  * [GHSA-x6mf-cxr9-8q6v](https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v)

More detailed information on each of the vulnerabilities can be found in the [June 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/) blog post.

* Wed Jun 21 2023 Stephen Gallagher [sgallagh@redhat.com] - 1:18.16.1-1
- Update to security release 18.16.1
* Wed Jun 21 2023 Stephen Gallagher [sgallagh@redhat.com] - 1:18.16.0-10
- sources: install jinja2 if needed
* Mon May 15 2023 Stephen Gallagher [sgallagh@redhat.com] - 1:18.16.0-9
- Fix NPM Obsoletes

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-6b866fbe84' at the command
line. For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at