UbuntuUpdates.org

Package "nodejs"

Name: nodejs

Description: evented I/O for V8 javascript - runtime executable

Latest version: 10.19.0~dfsg-3ubuntu1.6
Release: focal (20.04)
Level: updates
Repository: universe
Homepage: http://nodejs.org/

Other versions of "nodejs" in Focal

Repository          Area      Version
base                universe  10.19.0~dfsg-3ubuntu1
security            universe  10.19.0~dfsg-3ubuntu1.6
PPA: Nodejs 13.x              13.14.0-deb-1nodesource1
PPA: Nodejs 10.x              10.24.1-deb-1nodesource1
PPA: Nodejs 15.x              15.14.0-deb-1nodesource1
PPA: Node 17.x                17.9.0-deb-1nodesource1
PPA: Nodejs 12.x              12.22.12-deb-1nodesource1
PPA: Nodejs 14.x              14.21.3-deb-1nodesource1
PPA: Node 16.x                16.20.2-deb-1nodesource1
PPA: Node 20                  20.5.1-deb-1nodesource1

Changelog

Version: 10.19.0~dfsg-3ubuntu1.6 2024-04-16 15:06:58 UTC

  nodejs (10.19.0~dfsg-3ubuntu1.6) focal-security; urgency=medium

  * SECURITY UPDATE: Incorrect Documentation for Diffie-Hellman APIs
    - debian/patches/CVE-2023-30590.patch: fixed the inconsistency between the
      documents and the function of Diffie-Hellman APIs
    - CVE-2023-30590

 -- Amir Naseredini <email address hidden> Wed, 03 Apr 2024 09:09:55 +0100

CVE-2023-30590 The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a pr

Version: 10.19.0~dfsg-3ubuntu1.5 2024-03-04 14:07:09 UTC

  nodejs (10.19.0~dfsg-3ubuntu1.5) focal-security; urgency=medium

  * SECURITY UPDATE: Privilege Escalation
    - debian/patches/CVE-2023-23920.patch: added `ICU_NO_USER_DATA_OVERRIDE` to
      fix an issue with insecure loading of ICU data
    - CVE-2023-23920
  * debian/patches/fix-dns-tests.patch: first part of fix of two dns tests
  * debian/patches/fix-test-net-dns-error.patch: fixed the issue in the test
  * debian/patches/fix-test-http-dns-error.patch: fixed the issue in the test

 -- Amir Naseredini <email address hidden> Mon, 19 Feb 2024 16:37:59 +0000

CVE-2023-23920 An untrusted search path vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potent

Version: 10.19.0~dfsg-3ubuntu1.3 2023-11-21 12:08:36 UTC

  nodejs (10.19.0~dfsg-3ubuntu1.3) focal-security; urgency=medium

  * SECURITY UPDATE: Arbitrary Code Execution
    - debian/patches/CVE-2022-32212-1.patch: fixed IPv4 validation in
      inspector_socket
    - debian/patches/CVE-2022-32212-2.patch: fixed IPv4 non routable validation
    - debian/patches/CVE-2022-43548.patch: harden IP address validation again
    - CVE-2022-32212
    - CVE-2022-43548

 -- Amir Naseredini <email address hidden> Fri, 17 Nov 2023 11:11:22 +0000

CVE-2022-32212 An OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easil
CVE-2022-43548 An OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that

Version: 10.19.0~dfsg-3ubuntu1.2 2023-10-05 11:11:30 UTC

  nodejs (10.19.0~dfsg-3ubuntu1.2) focal-security; urgency=medium

  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2021-22883.patch: fixed a memory exhaustion in http2
      module
    - CVE-2021-22883
  * SECURITY UPDATE: Remote Code Execution
    - debian/patches/CVE-2021-22884.patch: fixed a DNS rebinding in nodejs
    - CVE-2021-22884

 -- Amir Naseredini <email address hidden> Fri, 29 Sep 2023 13:26:08 +0100

CVE-2021-22883 Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownP
CVE-2021-22884 Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6

Version: 10.19.0~dfsg-3ubuntu1.1 2023-09-19 10:08:34 UTC

  nodejs (10.19.0~dfsg-3ubuntu1.1) focal-security; urgency=medium

  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2020-8174.patch: fixed buffer overflows in nodejs
    - debian/patches/CVE-2020-8265.patch: fixed a use-after-free in TLSWrap
    - debian/patches/CVE-2020-8287.patch: fixed an HTTP Request Smuggling
      issue in Transfer-Encoding
    - CVE-2020-8174
    - CVE-2020-8265
    - CVE-2020-8287
  * debian/patches/test_update_test-tls-passphrase.patch: fixed the error with
    tls-passphrase test

 -- Amir Naseredini <email address hidden> Thu, 07 Sep 2023 12:20:44 +0100

CVE-2020-8174 napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
CVE-2020-8265 Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS ena
CVE-2020-8287 Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding h


