Hello Devs. Nodejs needs some version bumps. cheers, t.
Reproducible: Always
Thanks! It seems like the first two CVEs have been handled in bug 777681 in the default configuration of nodejs due to system-ssl, and I'm not sure what the impact of the third CVE is; the vulnerability is in an npm module.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e708b88a117f819f607b3c48a463532fd5f5837

commit 6e708b88a117f819f607b3c48a463532fd5f5837
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-04-16 15:52:39 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-04-16 18:24:25 +0000

    net-libs/nodejs: bump v14 to 14.16.1

    Addresses CVE-2021-3450, CVE-2021-3449 and CVE-2020-7774.

    Bug: https://bugs.gentoo.org/781704
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest | 1 +
 net-libs/nodejs/nodejs-14.16.1.ebuild | 209 ++++++++++++++++++++++++++++++++++
 2 files changed, 210 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e41eaca605e84e0f641f09f1f5c4ac1826e1e28

commit 5e41eaca605e84e0f641f09f1f5c4ac1826e1e28
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-04-16 15:51:36 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-04-16 18:24:21 +0000

    net-libs/nodejs: bump v12 to 12.22.1

    Addresses CVE-2021-3450, CVE-2021-3449 and CVE-2020-7774.

    Bug: https://bugs.gentoo.org/781704
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest | 1 +
 net-libs/nodejs/nodejs-12.22.1.ebuild | 220 ++++++++++++++++++++++++++++++++++
 2 files changed, 221 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01262550fb3abf1b3b37892dc39b376bd73ec906

commit 01262550fb3abf1b3b37892dc39b376bd73ec906
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-04-16 20:36:36 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-04-16 20:40:01 +0000

    net-libs/nodejs: bump v15 to 15.14.0

    Addresses CVE-2021-3450, CVE-2021-3449 and CVE-2020-7774.

    Bug: https://bugs.gentoo.org/781704
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest | 2 +-
 net-libs/nodejs/{nodejs-15.11.0.ebuild => nodejs-15.14.0.ebuild} | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
amd64 done
arm64 done
ppc64 done
arm done
x86 done
all arches done
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00c00335eeca35c91062475642d308e222dab330

commit 00c00335eeca35c91062475642d308e222dab330
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-04-22 11:45:21 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-04-22 11:50:15 +0000

    net-libs/nodejs: remove old

    No versions vulnerable to CVE-2021-3450, CVE-2021-3449 and CVE-2020-7774 left in the tree.

    Bug: https://bugs.gentoo.org/781704
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest | 2 -
 net-libs/nodejs/nodejs-12.21.0.ebuild | 220 ----------------------------------
 net-libs/nodejs/nodejs-14.16.0.ebuild | 209 --------------------------------
 3 files changed, 431 deletions(-)
Thanks!
GLSA request filed.
Resetting sanity check; package list is empty or all packages are done.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=88bffd0cf8491b108b57ac229b72f8b472c31ed1

commit 88bffd0cf8491b108b57ac229b72f8b472c31ed1
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-08 11:16:15 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-08 11:16:37 +0000

    [ GLSA 202405-29 ] Node.js: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/772422
    Bug: https://bugs.gentoo.org/781704
    Bug: https://bugs.gentoo.org/800986
    Bug: https://bugs.gentoo.org/805053
    Bug: https://bugs.gentoo.org/807775
    Bug: https://bugs.gentoo.org/811273
    Bug: https://bugs.gentoo.org/817938
    Bug: https://bugs.gentoo.org/831037
    Bug: https://bugs.gentoo.org/835615
    Bug: https://bugs.gentoo.org/857111
    Bug: https://bugs.gentoo.org/865627
    Bug: https://bugs.gentoo.org/872692
    Bug: https://bugs.gentoo.org/879617
    Bug: https://bugs.gentoo.org/918086
    Bug: https://bugs.gentoo.org/918614
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-29.xml | 121 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 121 insertions(+)