UbuntuUpdates.org

Package "nodejs"

Name: nodejs

Description:

evented I/O for V8 javascript - runtime executable

Latest version: 12.22.9~dfsg-1ubuntu3.6
Release: jammy (22.04)
Level: security
Repository: universe
Homepage: https://nodejs.org/

Links


Download "nodejs"


Other versions of "nodejs" in Jammy

Repository Area Version
base universe 12.22.9~dfsg-1ubuntu3
updates universe 12.22.9~dfsg-1ubuntu3.6
PPA: Nodejs 14.x 14.21.3-deb-1nodesource1
PPA: Node 16.x 16.20.2-deb-1nodesource1
PPA: Node 20 20.5.1-deb-1nodesource1

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 12.22.9~dfsg-1ubuntu3.6 2024-06-11 10:07:25 UTC

  nodejs (12.22.9~dfsg-1ubuntu3.6) jammy-security; urgency=medium

  * SECURITY UPDATE: Bypass the Policy Mechanism
    - debian/patches/CVE-2023-32002.patch: fixed a policy mechanism bypass in
      `Module._load` (CVE-2023-32002) and one in `constructor.createRequire`
      (CVE-2023-32006)
    - debian/patches/CVE-2023-32559.patch: fixed a privilege escalation in
      process.binding
    - CVE-2023-32002
    - CVE-2023-32006
    - CVE-2023-32559

 -- Amir Naseredini <email address hidden> Fri, 07 Jun 2024 16:17:56 +0100

Source diff to previous version
CVE-2023-32002 The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulne
CVE-2023-32006 The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given
CVE-2023-32559 A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the de

Version: 12.22.9~dfsg-1ubuntu3.5 2024-04-16 14:07:33 UTC

  nodejs (12.22.9~dfsg-1ubuntu3.5) jammy-security; urgency=medium

  * SECURITY UPDATE: Incorrect Documentation for Diffie-Hellman APIs
    - debian/patches/CVE-2023-30590.patch: fixed the inconsistency between the
      documents and the function of Diffie-Hellman APIs
    - CVE-2023-30590

 -- Amir Naseredini <email address hidden> Wed, 03 Apr 2024 09:09:24 +0100

Source diff to previous version
CVE-2023-30590 The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a pr

Version: 12.22.9~dfsg-1ubuntu3.4 2024-03-04 12:06:56 UTC

  nodejs (12.22.9~dfsg-1ubuntu3.4) jammy-security; urgency=medium

  * SECURITY UPDATE: Privilege Escalation
    - debian/patches/CVE-2023-23920.patch: added `ICU_NO_USER_DATA_OVERRIDE` to
      fix an issue with insecure loading of ICU data
    - CVE-2023-23920
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2023-2650.patch: fixed an issue in openssl in nodejs
    - CVE-2023-2650

 -- Amir Naseredini <email address hidden> Wed, 21 Feb 2024 18:32:20 +0000

Source diff to previous version
CVE-2023-23920 An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potent
CVE-2023-2650 openssl Possible DoS translating ASN.1 object identifiers

Version: 12.22.9~dfsg-1ubuntu3.3 2024-01-03 11:07:35 UTC

  nodejs (12.22.9~dfsg-1ubuntu3.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Obtain Sensitive Information
    - debian/patches/CVE-2022-4304.patch: fixed a timing based side channel in
      the OpenSSL RSA Decryption implementation
    - debian/patches/CVE-2023-0286.patch: fixed a type confusion vulnerability
      in GENERAL_NAME_cmp function
    - CVE-2022-4304
    - CVE-2023-0286
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2022-4450.patch: fixed an issue that will result in a
      crash in PEM_read_bio_ex function
    - debian/patches/CVE-2023-0215.patch: fixed a use-after-free issue in
      BIO_new_NDEF function
    - debian/patches/CVE-2023-0401.patch: fixed a NULL pointer dereference in
      PKCS7
    - CVE-2022-4450
    - CVE-2023-0215
    - CVE-2023-0401

 -- Amir Naseredini <email address hidden> Tue, 12 Dec 2023 18:34:04 +0000

Source diff to previous version
CVE-2022-4304 openssl: Timing Oracle in RSA Decryption
CVE-2023-0286 openssl: X.400 address type confusion in X.509 GeneralName
CVE-2022-4450 openssl: Double free after calling PEM_read_bio_ex
CVE-2023-0215 openssl: Use-after-free following BIO_new_NDEF
CVE-2023-0401 openssl: NULL dereference during PKCS7 data verification

Version: 12.22.9~dfsg-1ubuntu3.2 2023-11-21 11:08:48 UTC

  nodejs (12.22.9~dfsg-1ubuntu3.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Arbitrary Code Execution
    - debian/patches/CVE-2022-32212-1.patch: fixed IPv4 validation in
      inspector_socket
    - debian/patches/CVE-2022-32212-2.patch: fixed IPv4 non routable validation
    - debian/patches/CVE-2022-32213-1.patch: add common.mustSucceed for the -2
      patch
    - debian/patches/CVE-2022-32213-2.patch: stricter Transfer-Encoding and
      header separator parsing. Also fixes CVE-2022-32214 and CVE-2022-32215
    - debian/patches/CVE-2022-32213-3.patch: disabled chunked encoding when OBS
      fold is used. Also fixes CVE-2022-35256.
    - debian/patches/CVE-2022-43548.patch: harden IP address validation again
    - CVE-2022-32212
    - CVE-2022-32213
    - CVE-2022-32214
    - CVE-2022-32215
    - CVE-2022-35256
    - CVE-2022-43548

 -- Amir Naseredini <email address hidden> Wed, 15 Nov 2023 15:29:18 +0000

CVE-2022-32212 A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easil
CVE-2022-32213 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and
CVE-2022-32214 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. T
CVE-2022-32215 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. Thi
CVE-2022-35256 The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HT
CVE-2022-43548 A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that



About   -   Send Feedback to @ubuntu_updates