Bug 831037 (CVE-2021-44531, CVE-2021-44532, CVE-2021-44533, CVE-2022-21824) - <net-libs/nodejs-{12.22.10,14.19.0,16.14.1}: multiple vulnerabilities
Summary: <net-libs/nodejs-{12.22.10,14.19.0,16.14.1}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2021-44531, CVE-2021-44532, CVE-2021-44533, CVE-2022-21824
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://nodejs.org/en/blog/vulnerabil...
Whiteboard: B3 [stable]
Keywords:
Duplicates: 831351
Depends on: 835588
Blocks:
Reported: 2022-01-11 21:00 UTC by John Helmert III
Modified: 2022-03-19 05:45 UTC
See Also:
Package list:
Runtime testing required: ---
Description John Helmert III gentoo-dev Security 2022-01-11 21:00:47 UTC
Four vulnerabilities published yesterday:

Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
Prototype pollution via console.table properties (Low)(CVE-2022-21824)

Seems fixed versions are 12.22.9, 14.18.3, 16.13.2, 17.3.1.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-17 11:55:27 UTC
*** Bug 831351 has been marked as a duplicate of this bug. ***
Comment 2 Thomas Stein 2022-03-11 11:09:52 UTC
May I ask what prevents us from updating the nodejs ebuilds? Seems this bug is marked of a bug which is in turn marked as a bug of this one.
Comment 3 Thomas Stein 2022-03-11 11:10:56 UTC
I meant duplicate of course. :)
Comment 4 John Helmert III gentoo-dev Security 2022-03-12 22:09:53 UTC
(In reply to Thomas Stein from comment #2)
> May I ask what prevents us from updating the nodejs ebuilds? Seems this bug
> is marked of a bug which is in turn marked as a bug of this one.

Presumably just maintainer time. NodeJS is somewhat notorious for requiring lots of maintenance time. That said: ping, William.
Comment 5 William Hubbs gentoo-dev 2022-03-16 14:35:28 UTC
I'll work on these bumps today.
Comment 6 Larry the Git Cow gentoo-dev 2022-03-17 21:39:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6286012b3486b92a400cd116512f807a9b20dcb

commit b6286012b3486b92a400cd116512f807a9b20dcb
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-03-17 21:39:19 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-03-17 21:39:19 +0000

    net-libs/nodejs: add 12.22.10
    
    Bug: https://bugs.gentoo.org/831037
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest                           |   1 +
 .../files/nodejs-12.22.10-global-npm-config.patch  |  20 ++
 net-libs/nodejs/nodejs-12.22.10.ebuild             | 249 +++++++++++++++++++++
 3 files changed, 270 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d409d22398cb3d4937d00663d3fdaed05f19763

commit 4d409d22398cb3d4937d00663d3fdaed05f19763
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-03-17 21:39:18 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-03-17 21:39:18 +0000

    net-libs/nodejs: add 14.19.0
    
    Bug: https://bugs.gentoo.org/831037
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest                           |   1 +
 .../files/nodejs-14.19.0-global-npm-config.patch   |  20 ++
 net-libs/nodejs/nodejs-14.19.0.ebuild              | 241 +++++++++++++++++++++
 3 files changed, 262 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a9ef8e6d6d46839f8801ccbf71da5e1229eb0c3d

commit a9ef8e6d6d46839f8801ccbf71da5e1229eb0c3d
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-03-17 21:39:18 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-03-17 21:39:18 +0000

    net-libs/nodejs: add 16.14.1
    
    Bug: https://bugs.gentoo.org/831037
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest              |   1 +
 net-libs/nodejs/nodejs-16.14.1.ebuild | 230 ++++++++++++++++++++++++++++++++++
 2 files changed, 231 insertions(+)
Comment 7 John Helmert III gentoo-dev Security 2022-03-18 01:35:15 UTC
Thanks! Please stabilize fixed 12.x and 14.x versions.