Package "nodejs"
| Name: |
nodejs
|
Description: |
evented I/O for V8 javascript - runtime executable
|
| Latest version: |
12.22.9~dfsg-1ubuntu3.5 |
| Release: |
jammy (22.04) |
| Level: |
security |
| Repository: |
universe |
| Homepage: |
https://nodejs.org/ |
Links
Download "nodejs"
Other versions of "nodejs" in Jammy
Packages in group
Deleted packages are displayed in grey.
Changelog
|
nodejs (12.22.9~dfsg-1ubuntu3.5) jammy-security; urgency=medium
* SECURITY UPDATE: Incorrect Documentation for Diffie-Hellman APIs
- debian/patches/CVE-2023-30590.patch: fixed the inconsistency between the
documents and the function of Diffie-Hellman APIs
- CVE-2023-30590
-- Amir Naseredini <email address hidden> Wed, 03 Apr 2024 09:09:24 +0100
|
| Source diff to previous version |
| CVE-2023-30590 |
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a pr |
|
|
nodejs (12.22.9~dfsg-1ubuntu3.4) jammy-security; urgency=medium
* SECURITY UPDATE: Privilege Escalation
- debian/patches/CVE-2023-23920.patch: added `ICU_NO_USER_DATA_OVERRIDE` to
fix an issue with insecure loading of ICU data
- CVE-2023-23920
* SECURITY UPDATE: Denial of Service
- debian/patches/CVE-2023-2650.patch: fixed an issue in openssl in nodejs
- CVE-2023-2650
-- Amir Naseredini <email address hidden> Wed, 21 Feb 2024 18:32:20 +0000
|
| Source diff to previous version |
| CVE-2023-23920 |
An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potent |
| CVE-2023-2650 |
openssl Possible DoS translating ASN.1 object identifiers |
|
|
nodejs (12.22.9~dfsg-1ubuntu3.3) jammy-security; urgency=medium
* SECURITY UPDATE: Obtain Sensitive Information
- debian/patches/CVE-2022-4304.patch: fixed a timing based side channel in
the OpenSSL RSA Decryption implementation
- debian/patches/CVE-2023-0286.patch: fixed a type confusion vulnerability
in GENERAL_NAME_cmp function
- CVE-2022-4304
- CVE-2023-0286
* SECURITY UPDATE: Denial of Service
- debian/patches/CVE-2022-4450.patch: fixed an issue that will result in a
crash in PEM_read_bio_ex function
- debian/patches/CVE-2023-0215.patch: fixed a use-after-free issue in
BIO_new_NDEF function
- debian/patches/CVE-2023-0401.patch: fixed a NULL pointer dereference in
PKCS7
- CVE-2022-4450
- CVE-2023-0215
- CVE-2023-0401
-- Amir Naseredini <email address hidden> Tue, 12 Dec 2023 18:34:04 +0000
|
| Source diff to previous version |
|
|
|
nodejs (12.22.9~dfsg-1ubuntu3.2) jammy-security; urgency=medium
* SECURITY UPDATE: Arbitrary Code Execution
- debian/patches/CVE-2022-32212-1.patch: fixed IPv4 validation in
inspector_socket
- debian/patches/CVE-2022-32212-2.patch: fixed IPv4 non routable validation
- debian/patches/CVE-2022-32213-1.patch: add common.mustSucceed for the -2
patch
- debian/patches/CVE-2022-32213-2.patch: stricter Transfer-Encoding and
header separator parsing. Also fixes CVE-2022-32214 and CVE-2022-32215
- debian/patches/CVE-2022-32213-3.patch: disabled chunked encoding when OBS
fold is used. Also fixes CVE-2022-35256.
- debian/patches/CVE-2022-43548.patch: harden IP address validation again
- CVE-2022-32212
- CVE-2022-32213
- CVE-2022-32214
- CVE-2022-32215
- CVE-2022-35256
- CVE-2022-43548
-- Amir Naseredini <email address hidden> Wed, 15 Nov 2023 15:29:18 +0000
|
| Source diff to previous version |
| CVE-2022-32212 |
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easil |
| CVE-2022-32213 |
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and |
| CVE-2022-32214 |
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. T |
| CVE-2022-32215 |
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. Thi |
| CVE-2022-35256 |
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HT |
| CVE-2022-43548 |
A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that |
|
|
nodejs (12.22.9~dfsg-1ubuntu3.1) jammy-security; urgency=medium
* SECURITY UPDATE: Remote Code Execution
- debian/patches/CVE-2022-1292.patch: fixed a remote code execution in
openssl in nodejs
- debian/patches/CVE-2022-2068.patch: fixed an arbitrary code execution in
openssl in nodejs
- debian/patches/CVE-2022-2097.patch: fixed a memory corruption in openssl
in nodejs
- CVE-2022-1292
- CVE-2022-2068
- CVE-2022-2097
* SECURITY UPDATE: Denial of Service
- debian/patches/CVE-2022-0778.patch: fixed an infinite loop in
BN_mod_sqrt module
- CVE-2022-0778
-- Amir Naseredini <email address hidden> Thu, 26 Oct 2023 18:23:45 +0100
|
| CVE-2022-1292 |
The c_rehash script does not properly sanitise shell metacharacters to ... |
| CVE-2022-2068 |
The c_rehash script allows command injection |
| CVE-2022-2097 |
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimi ... |
| CVE-2022-0778 |
Infinite loop in BN_mod_sqrt() reachable when parsing certificates |
|
About
-
Send Feedback to @ubuntu_updates
