Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 895544 (CVE-2023-23918, CVE-2023-23919, CVE-2023-23920)

Summary: <net-libs/nodejs-{14.21.3,16.19.1,18.14.2}: multiple vulnerabilities
Product: Gentoo Linux Reporter: Thomas Stein <himbeere>
Component: Current packagesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: minor CC: jstein, williamh
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/
Whiteboard: B4 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 898962    
Bug Blocks:    

Description Thomas Stein 2023-02-20 13:10:04 UTC 
Hi Devs.

New security related releases have been issued.

cheers, t.

Reproducible: Always
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-23 04:50:12 UTC 
From the 14.21.3, 16.19.1, 18.14.1 release notes:

"* **[CVE-2023-23918](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918)**: Node.js Permissions policies can be bypassed via process.mainModule (High)
* **[CVE-2023-23919](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23919)**: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
* **[CVE-2023-23920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920)**: Node.js insecure loading of ICU data through ICU\_DATA environment variable (Low)"

Please bump.
Comment 2 Larry the Git Cow gentoo-dev 2023-03-03 03:02:13 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d2f66798f01cf1e4b2bdd88d599d57c9da3d95c5

commit d2f66798f01cf1e4b2bdd88d599d57c9da3d95c5
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2023-03-03 03:01:15 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2023-03-03 03:01:58 +0000

    net-libs/nodejs: add 14.21.3, 16.19.1, 18.14.2
    
    Bug: https://bugs.gentoo.org/895544
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest              |   3 +
 net-libs/nodejs/nodejs-14.21.3.ebuild | 241 +++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-16.19.1.ebuild | 233 ++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-18.14.2.ebuild | 258 ++++++++++++++++++++++++++++++++++
 4 files changed, 735 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2023-03-05 20:58:51 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48eaf5c117d7deca7847f781907a196ea180250f

commit 48eaf5c117d7deca7847f781907a196ea180250f
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2023-03-05 20:52:26 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2023-03-05 20:53:36 +0000

    net-libs/nodejs: drop 14.21.1, 16.18.1, 18.12.1
    
    Bug: https://bugs.gentoo.org/895544
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest              |   3 -
 net-libs/nodejs/nodejs-14.21.1.ebuild | 241 --------------------------------
 net-libs/nodejs/nodejs-16.18.1.ebuild | 233 -------------------------------
 net-libs/nodejs/nodejs-18.12.1.ebuild | 251 ----------------------------------
 4 files changed, 728 deletions(-)