Package "nodejs"
Name: nodejs
Description: evented I/O for V8 javascript - runtime executable
Latest version: 18.13.0+dfsg1-1ubuntu2.3
Release: mantic (23.10)
Level: updates
Repository: universe
Homepage: https://nodejs.org/
Changelog
nodejs (18.13.0+dfsg1-1ubuntu2.3) mantic-security; urgency=medium

  * SECURITY UPDATE:
    - debian/patches/CVE-2023-32002.patch: fixed a policy mechanism bypass in
      `Module._load` (CVE-2023-32002) and one in `constructor.createRequire`
      (CVE-2023-32006)
    - debian/patches/CVE-2023-32559.patch: fixed a privilege escalation in
      process.binding
    - CVE-2023-32002
    - CVE-2023-32006
    - CVE-2023-32559

 -- Amir Naseredini <email address hidden> Tue, 04 Jun 2024 13:20:15 +0100

CVE-2023-32002: The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulne
CVE-2023-32006: The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given
CVE-2023-32559: A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. The use of the de

nodejs (18.13.0+dfsg1-1ubuntu2.2) mantic-security; urgency=medium

  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2023-30588.patch: fixed the issue that happens by
      using an invalid public key in crypto.X509Certificate()
    - CVE-2023-30588
  * SECURITY UPDATE: Unauthorised Access
    - debian/patches/CVE-2023-30589.patch: fixed the incorrect use of CRLF
      sequence to delimit HTTP requests
    - CVE-2023-30589
  * SECURITY UPDATE: Incorrect Documentation for Diffie-Hellman APIs
    - debian/patches/CVE-2023-30590.patch: fixed the inconsistency between the
      documents and the function of Diffie-Hellman APIs
    - CVE-2023-30590

 -- Amir Naseredini <email address hidden> Mon, 25 Mar 2024 14:43:35 +0000

CVE-2023-30588: When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API an unexpected termination occurs making it sus
CVE-2023-30589: The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request
CVE-2023-30590: The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a pr

nodejs (18.13.0+dfsg1-1ubuntu2.1) mantic-security; urgency=medium

  * SECURITY UPDATE: Privilege Escalation
    - debian/patches/CVE-2023-23920.patch: added `ICU_NO_USER_DATA_OVERRIDE` to
      fix an issue with insecure loading of ICU data
    - CVE-2023-23920
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2023-23919.patch: fixed a cryptographic vulnerability
      in nodejs with invalid ca cert
    - CVE-2023-23919

 -- Amir Naseredini <email address hidden> Wed, 28 Feb 2024 12:41:27 +0000

CVE-2023-23920: An untrusted search path vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potent
CVE-2023-23919: A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases does not clear the OpenSSL error stack a