Bug 763588 (CVE-2020-8265, CVE-2020-8287) - <net-libs/nodejs-{12.20.1,14.15.4,15.5.1}: Multiple vulnerabilities (CVE-2020-8265, CVE-2020-8287, CVE-2020-1971)
Summary: <net-libs/nodejs-{12.20.1,14.15.4,15.5.1}: Multiple vulnerabilities (CVE-2020...
Status: RESOLVED FIXED
Alias: CVE-2020-8265, CVE-2020-8287
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://nodejs.org/en/blog/vulnerabil...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-04 21:33 UTC by Marek Szuba
Modified: 2021-01-11 09:17 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: No


Attachments
build.log.xz (12.20.1, ppc64) (nodejs-12.20.1:20210108-095301.log.xz, 19.71 KB, application/x-xz), 2021-01-08 15:02 UTC, ernsteiswuerfel

Description Marek Szuba gentoo-dev 2021-01-04 21:33:47 UTC
See https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/. The new versions are already in the tree.
Comment 1 Marek Szuba gentoo-dev 2021-01-04 21:36:27 UTC
BTW, CVE-2020-1971 is technically an OpenSSL vulnerability, so it only affects USE=-system-ssl installations of nodejs.
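The distinction in comment 1 matters when deciding whether an installed nodejs is exposed: the two Node CVEs are fixed in the versions named in the bug title, while CVE-2020-1971 only applies when nodejs is built against its bundled OpenSSL. The following is an added example, not code from this bug or from the Gentoo tree; it assumes plain three-part version strings (no Gentoo suffixes such as `_rc` or `-r1`) and the USE flag syntax of a tatt report line.

```python
# Added example: map an installed net-libs/nodejs version plus its USE flags
# to the CVEs from bug 763588 that still apply. Fixed versions come from the
# bug title; the USE=-system-ssl condition for CVE-2020-1971 is from comment 1.
# Versions are assumed to be plain dotted integers (no _rc, -r1 etc.).

FIXED_VERSIONS = {12: (12, 20, 1), 14: (14, 15, 4), 15: (15, 5, 1)}
NODE_CVES = ("CVE-2020-8265", "CVE-2020-8287")   # fixed in Node itself
OPENSSL_CVE = "CVE-2020-1971"                     # lives in the bundled OpenSSL


def parse_version(version):
    """'14.15.4' -> (14, 15, 4); anything else raises ValueError."""
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected nodejs version format: {version!r}")
    return parts


def parse_use(use):
    """'doc icu -system-ssl' -> {'doc': True, 'icu': True, 'system-ssl': False}."""
    flags = {}
    for token in use.split():
        flags[token.lstrip("-")] = not token.startswith("-")
    return flags


def affected_cves(version, use):
    """Return the set of CVEs from this bug that apply to the given install."""
    ver = parse_version(version)
    fixed = FIXED_VERSIONS.get(ver[0])
    if fixed is None:
        # A branch the bug does not cover (e.g. 10.x): refuse to guess.
        raise ValueError(f"no fixed version known for nodejs {ver[0]}.x")
    if ver >= fixed:
        return set()
    cves = set(NODE_CVES)
    # With USE=system-ssl nodejs links the system dev-libs/openssl, so the
    # OpenSSL fix (or lack of it) comes from that package, not from nodejs.
    if not parse_use(use).get("system-ssl", False):
        cves.add(OPENSSL_CVE)
    return cves
```

On a real Gentoo box the version and USE flags would be read from the installed package database (e.g. /var/db/pkg/net-libs/nodejs-*/USE) rather than passed in by hand.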
Comment 2 John Helmert III gentoo-dev Security 2021-01-04 21:40:36 UTC
Thank you!
Comment 3 Marek Szuba gentoo-dev 2021-01-04 22:01:01 UTC
My bad, v15 is not a LTS branch so we do not want to stabilise 15.5.1.
Comment 4 Andreas Sturmlechner gentoo-dev 2021-01-04 22:29:25 UTC
Do these versions play well with ICU-68 at runtime?
Comment 5 Sam James archtester gentoo-dev Security 2021-01-06 03:10:18 UTC
x86 done
Comment 6 Sam James archtester gentoo-dev Security 2021-01-06 06:37:02 UTC
arm done
Comment 7 Sam James archtester gentoo-dev Security 2021-01-07 01:10:23 UTC
arm64 done
Comment 8 Sam James archtester gentoo-dev Security 2021-01-07 10:05:19 UTC
amd64 done
Comment 9 ernsteiswuerfel 2021-01-08 15:02:18 UTC
Created attachment 681943
build.log.xz (12.20.1, ppc64)

12.20.1 fails to build at all on ppc64.
14.15.4 is doing fine on ppc64. 

 # cat nodejs-763588.report 
USE tests started on Fr 8. Jan 11:20:29 CET 2021

 FEATURES=' test' failed for =net-libs/nodejs-12.20.1
USE='doc icu -inspector -npm -snapshot ssl -system-ssl -systemtap' failed for =net-libs/nodejs-12.20.1
USE='-doc -icu -inspector npm snapshot ssl -system-ssl -systemtap' failed for =net-libs/nodejs-12.20.1
USE='doc icu -inspector npm -snapshot ssl system-ssl -systemtap' failed for =net-libs/nodejs-12.20.1
USE='-doc icu -inspector -npm snapshot ssl system-ssl -systemtap' failed for =net-libs/nodejs-12.20.1
USE='-doc icu inspector -npm -snapshot ssl system-ssl -systemtap' failed for =net-libs/nodejs-12.20.1
USE='doc icu -inspector -npm snapshot ssl -system-ssl systemtap' failed for =net-libs/nodejs-12.20.1
USE='doc -icu -inspector -npm -snapshot ssl system-ssl systemtap' failed for =net-libs/nodejs-12.20.1
USE='doc -icu -inspector -npm snapshot ssl system-ssl systemtap' failed for =net-libs/nodejs-12.20.1
USE='-doc -icu -inspector -npm -snapshot ssl system-ssl systemtap' failed for =net-libs/nodejs-12.20.1
USE='-doc icu -inspector -npm -snapshot ssl system-ssl systemtap' failed for =net-libs/nodejs-12.20.1
USE='doc icu -inspector -npm -snapshot ssl system-ssl systemtap' failed for =net-libs/nodejs-12.20.1
USE='doc icu inspector npm snapshot ssl system-ssl systemtap' failed for =net-libs/nodejs-12.20.1

FEATURES=' test' USE='' succeeded for =net-libs/nodejs-14.15.4
USE='-doc icu -inspector npm -pax_kernel -snapshot ssl system-icu -system-ssl -systemtap' succeeded for =net-libs/nodejs-14.15.4
USE='-doc icu inspector npm -pax_kernel snapshot ssl system-icu -system-ssl -systemtap' succeeded for =net-libs/nodejs-14.15.4
USE='doc icu -inspector npm pax_kernel snapshot ssl -system-icu system-ssl -systemtap' succeeded for =net-libs/nodejs-14.15.4
USE='-doc -icu -inspector -npm -pax_kernel -snapshot ssl -system-icu system-ssl -systemtap' succeeded for =net-libs/nodejs-14.15.4
USE='-doc icu inspector -npm -pax_kernel -snapshot ssl system-icu system-ssl -systemtap' succeeded for =net-libs/nodejs-14.15.4
USE='-doc icu inspector npm pax_kernel snapshot ssl -system-icu -system-ssl systemtap' succeeded for =net-libs/nodejs-14.15.4
USE='doc icu -inspector -npm pax_kernel snapshot ssl -system-icu system-ssl systemtap' succeeded for =net-libs/nodejs-14.15.4
USE='-doc icu -inspector -npm -pax_kernel -snapshot ssl -system-icu system-ssl systemtap' succeeded for =net-libs/nodejs-14.15.4
USE='-doc icu inspector npm -pax_kernel -snapshot ssl system-icu system-ssl systemtap' succeeded for =net-libs/nodejs-14.15.4
USE='-doc icu -inspector -npm pax_kernel -snapshot ssl system-icu system-ssl systemtap' succeeded for =net-libs/nodejs-14.15.4
USE='doc icu -inspector npm pax_kernel snapshot ssl system-icu system-ssl systemtap' succeeded for =net-libs/nodejs-14.15.4
USE='-doc -icu -inspector -npm pax_kernel snapshot ssl -system-icu system-ssl systemtap' succeeded for =net-libs/nodejs-14.15.4
Comment 10 Marek Szuba gentoo-dev 2021-01-08 22:57:30 UTC
(In reply to ernsteiswuerfel from comment #9)

> 12.20.1 fails to build at all on ppc64.

Whee, this mksnapshot crap again. I've just re-added the old ppc64-fix patch to this ebuild, please try again.
Comment 11 ernsteiswuerfel 2021-01-09 18:02:46 UTC
(In reply to Marek Szuba from comment #10)
> (In reply to ernsteiswuerfel from comment #9)
> 
> > 12.20.1 fails to build at all on ppc64.
> 
> Whee, this mksnapshot crap again. I've just re-added the old ppc64-fix patch
> to this ebuild, please try again.
Thanks! With the patch all 12.20.1 tatt builds and the tests pass.
Comment 12 Sam James archtester gentoo-dev Security 2021-01-10 12:42:02 UTC
ppc64 done

all arches done
Comment 13 Larry the Git Cow gentoo-dev 2021-01-10 16:02:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=117f9248b0eb375dc69e45a7635185beca18e9be

commit 117f9248b0eb375dc69e45a7635185beca18e9be
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-01-10 16:01:02 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-01-10 16:01:02 +0000

    net-libs/nodejs: remove old
    
    No versions vulnerable to CVE-2020-8265, CVE-2020-8287 or CVE-2020-1971
    left in the tree.
    
    Bug: https://bugs.gentoo.org/763588
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest              |   3 -
 net-libs/nodejs/nodejs-12.19.1.ebuild | 218 ----------------------------------
 net-libs/nodejs/nodejs-14.15.0.ebuild | 202 -------------------------------
 net-libs/nodejs/nodejs-14.15.1.ebuild | 208 --------------------------------
 4 files changed, 631 deletions(-)
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2021-01-11 09:17:11 UTC
This issue was resolved and addressed in
 GLSA 202101-07 at https://security.gentoo.org/glsa/202101-07
by GLSA coordinator Sam James (sam_c).