UbuntuUpdates.org

Package "nodejs"

Name: nodejs

Description:

evented I/O for V8 javascript - runtime executable

Latest version: 12.22.9~dfsg-1ubuntu3.3
Release: jammy (22.04)
Level: updates
Repository: universe
Homepage: https://nodejs.org/

Other versions of "nodejs" in Jammy

Repository         Area      Version
base               universe  12.22.9~dfsg-1ubuntu3
security           universe  12.22.9~dfsg-1ubuntu3.3
PPA: Nodejs 14.x             14.21.3-deb-1nodesource1
PPA: Node 16.x               16.20.2-deb-1nodesource1
PPA: Node 20                 20.5.1-deb-1nodesource1


Changelog

Version: 12.22.9~dfsg-1ubuntu3.3 2024-01-03 12:07:50 UTC

  nodejs (12.22.9~dfsg-1ubuntu3.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Obtain Sensitive Information
    - debian/patches/CVE-2022-4304.patch: fixed a timing based side channel in
      the OpenSSL RSA Decryption implementation
    - debian/patches/CVE-2023-0286.patch: fixed a type confusion vulnerability
      in GENERAL_NAME_cmp function
    - CVE-2022-4304
    - CVE-2023-0286
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2022-4450.patch: fixed an issue that will result in a
      crash in PEM_read_bio_ex function
    - debian/patches/CVE-2023-0215.patch: fixed a use-after-free issue in
      BIO_new_NDEF function
    - debian/patches/CVE-2023-0401.patch: fixed a NULL pointer dereference in
      PKCS7
    - CVE-2022-4450
    - CVE-2023-0215
    - CVE-2023-0401

 -- Amir Naseredini <email address hidden> Tue, 12 Dec 2023 18:34:04 +0000

CVE-2022-4304 openssl: Timing Oracle in RSA Decryption
CVE-2023-0286 openssl: X.400 address type confusion in X.509 GeneralName
CVE-2022-4450 openssl: Double free after calling PEM_read_bio_ex
CVE-2023-0215 openssl: Use-after-free following BIO_new_NDEF
CVE-2023-0401 openssl: NULL dereference during PKCS7 data verification

Version: 12.22.9~dfsg-1ubuntu3.2 2023-11-21 12:08:37 UTC

  nodejs (12.22.9~dfsg-1ubuntu3.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Arbitrary Code Execution
    - debian/patches/CVE-2022-32212-1.patch: fixed IPv4 validation in
      inspector_socket
    - debian/patches/CVE-2022-32212-2.patch: fixed IPv4 non routable validation
    - debian/patches/CVE-2022-32213-1.patch: add common.mustSucceed for the -2
      patch
    - debian/patches/CVE-2022-32213-2.patch: stricter Transfer-Encoding and
      header separator parsing. Also fixes CVE-2022-32214 and CVE-2022-32215
    - debian/patches/CVE-2022-32213-3.patch: disabled chunked encoding when OBS
      fold is used. Also fixes CVE-2022-35256.
    - debian/patches/CVE-2022-43548.patch: harden IP address validation again
    - CVE-2022-32212
    - CVE-2022-32213
    - CVE-2022-32214
    - CVE-2022-32215
    - CVE-2022-35256
    - CVE-2022-43548

 -- Amir Naseredini <email address hidden> Wed, 15 Nov 2023 15:29:18 +0000

CVE-2022-32212 An OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easil
CVE-2022-32213 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and
CVE-2022-32214 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. T
CVE-2022-32215 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. Thi
CVE-2022-35256 The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HT
CVE-2022-43548 An OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that

Version: 12.22.9~dfsg-1ubuntu3.1 2023-10-30 13:09:44 UTC

  nodejs (12.22.9~dfsg-1ubuntu3.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Remote Code Execution
    - debian/patches/CVE-2022-1292.patch: fixed a remote code execution in
      openssl in nodejs
    - debian/patches/CVE-2022-2068.patch: fixed an arbitrary code execution in
      openssl in nodejs
    - debian/patches/CVE-2022-2097.patch: fixed a memory corruption in openssl
      in nodejs
    - CVE-2022-1292
    - CVE-2022-2068
    - CVE-2022-2097
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2022-0778.patch: fixed an infinite loop in
      BN_mod_sqrt module
    - CVE-2022-0778

 -- Amir Naseredini <email address hidden> Thu, 26 Oct 2023 18:23:45 +0100

CVE-2022-1292 The c_rehash script does not properly sanitise shell metacharacters to ...
CVE-2022-2068 The c_rehash script allows command injection
CVE-2022-2097 AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimi ...
CVE-2022-0778 Infinite loop in BN_mod_sqrt() reachable when parsing certificates
