UbuntuUpdates.org

Package "nodejs"

Name: nodejs

Description:

evented I/O for V8 javascript - runtime executable

Latest version: 18.13.0+dfsg1-1ubuntu2.2
Release: mantic (23.10)
Level: updates
Repository: universe
Homepage: https://nodejs.org/


Other versions of "nodejs" in Mantic

Repository   Area       Version
base         universe   18.13.0+dfsg1-1ubuntu2
security     universe   18.13.0+dfsg1-1ubuntu2.2


Changelog

Version: 18.13.0+dfsg1-1ubuntu2.2 2024-04-16 15:07:02 UTC

  nodejs (18.13.0+dfsg1-1ubuntu2.2) mantic-security; urgency=medium

  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2023-30588.patch: fixed the issue that happens by
      using an invalid public key in crypto.X509Certificate()
    - CVE-2023-30588
  * SECURITY UPDATE: Unauthorised Access
    - debian/patches/CVE-2023-30589.patch: fixed the incorrect use of CRLF
      sequence to delimit HTTP requests
    - CVE-2023-30589
  * SECURITY UPDATE: Incorrect Documentation for Diffie-Hellman APIs
    - debian/patches/CVE-2023-30590.patch: fixed the inconsistency between the
      documents and the function of Diffie-Hellman APIs
    - CVE-2023-30590

 -- Amir Naseredini <email address hidden> Mon, 25 Mar 2024 14:43:35 +0000

CVE-2023-30588 When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API, an unexpected termination occurs making it sus
CVE-2023-30589 The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request
CVE-2023-30590 The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a pr

Version: 18.13.0+dfsg1-1ubuntu2.1 2024-03-04 14:07:13 UTC

  nodejs (18.13.0+dfsg1-1ubuntu2.1) mantic-security; urgency=medium

  * SECURITY UPDATE: Privilege Escalation
    - debian/patches/CVE-2023-23920.patch: added `ICU_NO_USER_DATA_OVERRIDE` to
      fix an issue with insecure loading of ICU data
    - CVE-2023-23920
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2023-23919.patch: fixed a cryptographic vulnerability
      in nodejs with invalid ca cert
    - CVE-2023-23919

 -- Amir Naseredini <email address hidden> Wed, 28 Feb 2024 12:41:27 +0000

CVE-2023-23920 An untrusted search path vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potent
CVE-2023-23919 A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases does not clear the OpenSSL error stack a


