Package "nodejs"
| Name: |
nodejs
|
Description: |
evented I/O for V8 javascript - runtime executable
|
| Latest version: |
12.22.9~dfsg-1ubuntu3.6 |
| Release: |
jammy (22.04) |
| Level: |
security |
| Repository: |
universe |
| Homepage: |
https://nodejs.org/ |
Links
Download "nodejs"
Other versions of "nodejs" in Jammy
Packages in group
Deleted packages are displayed in grey.
Changelog
|
nodejs (12.22.9~dfsg-1ubuntu3.6) jammy-security; urgency=medium
* SECURITY UPDATE: Bypass the Policy Mechanism
- debian/patches/CVE-2023-32002.patch: fixed a policy mechanism bypass in
`Module._load` (CVE-2023-32002) and one in `constructor.createRequire`
(CVE-2023-32006)
- debian/patches/CVE-2023-32559.patch: fixed a privilege escalation in
process.binding
- CVE-2023-32002
- CVE-2023-32006
- CVE-2023-32559
-- Amir Naseredini <email address hidden> Fri, 07 Jun 2024 16:17:56 +0100
|
| Source diff to previous version |
| CVE-2023-32002 |
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulne |
| CVE-2023-32006 |
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given |
| CVE-2023-32559 |
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the de |
|
|
nodejs (12.22.9~dfsg-1ubuntu3.5) jammy-security; urgency=medium
* SECURITY UPDATE: Incorrect Documentation for Diffie-Hellman APIs
- debian/patches/CVE-2023-30590.patch: fixed the inconsistency between the
documents and the function of Diffie-Hellman APIs
- CVE-2023-30590
-- Amir Naseredini <email address hidden> Wed, 03 Apr 2024 09:09:24 +0100
|
| Source diff to previous version |
| CVE-2023-30590 |
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a pr |
|
|
nodejs (12.22.9~dfsg-1ubuntu3.4) jammy-security; urgency=medium
* SECURITY UPDATE: Privilege Escalation
- debian/patches/CVE-2023-23920.patch: added `ICU_NO_USER_DATA_OVERRIDE` to
fix an issue with insecure loading of ICU data
- CVE-2023-23920
* SECURITY UPDATE: Denial of Service
- debian/patches/CVE-2023-2650.patch: fixed an issue in openssl in nodejs
- CVE-2023-2650
-- Amir Naseredini <email address hidden> Wed, 21 Feb 2024 18:32:20 +0000
|
| Source diff to previous version |
| CVE-2023-23920 |
An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potent |
| CVE-2023-2650 |
openssl Possible DoS translating ASN.1 object identifiers |
|
|
nodejs (12.22.9~dfsg-1ubuntu3.3) jammy-security; urgency=medium
* SECURITY UPDATE: Obtain Sensitive Information
- debian/patches/CVE-2022-4304.patch: fixed a timing based side channel in
the OpenSSL RSA Decryption implementation
- debian/patches/CVE-2023-0286.patch: fixed a type confusion vulnerability
in GENERAL_NAME_cmp function
- CVE-2022-4304
- CVE-2023-0286
* SECURITY UPDATE: Denial of Service
- debian/patches/CVE-2022-4450.patch: fixed an issue that will result in a
crash in PEM_read_bio_ex function
- debian/patches/CVE-2023-0215.patch: fixed a use-after-free issue in
BIO_new_NDEF function
- debian/patches/CVE-2023-0401.patch: fixed a NULL pointer dereference in
PKCS7
- CVE-2022-4450
- CVE-2023-0215
- CVE-2023-0401
-- Amir Naseredini <email address hidden> Tue, 12 Dec 2023 18:34:04 +0000
|
| Source diff to previous version |
|
|
|
nodejs (12.22.9~dfsg-1ubuntu3.2) jammy-security; urgency=medium
* SECURITY UPDATE: Arbitrary Code Execution
- debian/patches/CVE-2022-32212-1.patch: fixed IPv4 validation in
inspector_socket
- debian/patches/CVE-2022-32212-2.patch: fixed IPv4 non routable validation
- debian/patches/CVE-2022-32213-1.patch: add common.mustSucceed for the -2
patch
- debian/patches/CVE-2022-32213-2.patch: stricter Transfer-Encoding and
header separator parsing. Also fixes CVE-2022-32214 and CVE-2022-32215
- debian/patches/CVE-2022-32213-3.patch: disabled chunked encoding when OBS
fold is used. Also fixes CVE-2022-35256.
- debian/patches/CVE-2022-43548.patch: harden IP address validation again
- CVE-2022-32212
- CVE-2022-32213
- CVE-2022-32214
- CVE-2022-32215
- CVE-2022-35256
- CVE-2022-43548
-- Amir Naseredini <email address hidden> Wed, 15 Nov 2023 15:29:18 +0000
|
| CVE-2022-32212 |
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easil |
| CVE-2022-32213 |
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and |
| CVE-2022-32214 |
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. T |
| CVE-2022-32215 |
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. Thi |
| CVE-2022-35256 |
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HT |
| CVE-2022-43548 |
A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that |
|
About
-
Send Feedback to @ubuntu_updates
