895544 – (CVE-2023-23918, CVE-2023-23919, CVE-2023-23920) <net-libs/nodejs-{14.21.3,16.19.1,18.14.2}: multiple vulnerabilities

Bug 895544 (CVE-2023-23918, CVE-2023-23919, CVE-2023-23920) - <net-libs/nodejs-{14.21.3,16.19.1,18.14.2}: multiple vulnerabilities

Summary: <net-libs/nodejs-{14.21.3,16.19.1,18.14.2}: multiple vulnerabilities

Status:	CONFIRMED

Alias:	CVE-2023-23918, CVE-2023-23919, CVE-2023-23920

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://nodejs.org/en/blog/vulnerabil...
Whiteboard:	B4 [glsa?]
Keywords:

Depends on:	898962
Blocks:
	Show dependency tree

Reported:	2023-02-20 13:10 UTC by Thomas Stein
Modified:	2023-03-11 04:35 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Stein 2023-02-20 13:10:04 UTC

Hi Devs.

New security related releases have been issued.

cheers, t.

Reproducible: Always

Comment 1 John Helmert III archtester

2023-02-23 04:50:12 UTC

From the 14.21.3, 16.19.1, 18.14.1 release notes:

"* **[CVE-2023-23918](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918)**: Node.js Permissions policies can be bypassed via process.mainModule (High)
* **[CVE-2023-23919](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23919)**: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
* **[CVE-2023-23920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920)**: Node.js insecure loading of ICU data through ICU\_DATA environment variable (Low)"

Please bump.

Comment 2 Larry the Git Cow gentoo-dev

2023-03-03 03:02:13 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d2f66798f01cf1e4b2bdd88d599d57c9da3d95c5

commit d2f66798f01cf1e4b2bdd88d599d57c9da3d95c5
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2023-03-03 03:01:15 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2023-03-03 03:01:58 +0000

    net-libs/nodejs: add 14.21.3, 16.19.1, 18.14.2
    
    Bug: https://bugs.gentoo.org/895544
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest              |   3 +
 net-libs/nodejs/nodejs-14.21.3.ebuild | 241 +++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-16.19.1.ebuild | 233 ++++++++++++++++++++++++++++++
 net-libs/nodejs/nodejs-18.14.2.ebuild | 258 ++++++++++++++++++++++++++++++++++
 4 files changed, 735 insertions(+)

Comment 3 Larry the Git Cow gentoo-dev

2023-03-05 20:58:51 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48eaf5c117d7deca7847f781907a196ea180250f

commit 48eaf5c117d7deca7847f781907a196ea180250f
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2023-03-05 20:52:26 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2023-03-05 20:53:36 +0000

    net-libs/nodejs: drop 14.21.1, 16.18.1, 18.12.1
    
    Bug: https://bugs.gentoo.org/895544
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest              |   3 -
 net-libs/nodejs/nodejs-14.21.1.ebuild | 241 --------------------------------
 net-libs/nodejs/nodejs-16.18.1.ebuild | 233 -------------------------------
 net-libs/nodejs/nodejs-18.12.1.ebuild | 251 ----------------------------------
 4 files changed, 728 deletions(-)