A nodejs security update has been released for Fedora 31.
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-595ce5e3cc
2020-01-24 17:07:54.394618
--------------------------------------------------------------------------------
Name : nodejs
Product : Fedora 31
Version : 12.14.1
Release : 3.fc31
URL : http://nodejs.org/
Summary : JavaScript runtime
Description :
Node.js is a platform built on Chrome's JavaScript runtime
for easily building fast, scalable network applications.
Node.js uses an event-driven, non-blocking I/O model that
makes it lightweight and efficient, perfect for data-intensive
real-time applications that run across distributed devices.
--------------------------------------------------------------------------------
Update Information:
Update to 12.14.1 Add new subpackage `nodejs-full-i18n` to provide non-English
locale and Unicode support.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Jan 13 2020 Stephen Gallagher - 1:12.14.1-3
- Fix issue with header symlinks in v8-devel
* Tue Jan 7 2020 Stephen Gallagher - 1:12.14.1-2
- Drop unneeded dependency on http-parser-devel
* Tue Jan 7 2020 Stephen Gallagher - 1:12.14.1-1
- Update to 12.14.1
- https://github.com/nodejs/node/blob/v12.14.1/doc/changelogs/CHANGELOG_V12.md
* Mon Jan 6 2020 Stephen Gallagher - 1:12.14.0-2
- Update to 12.14.0
- https://github.com/nodejs/node/blob/v12.14.0/doc/changelogs/CHANGELOG_V12.md
- Add new subpackage nodejs-full-i18n to enable optional non-English locale
support
- Update documentation packaging for NPM
* Mon Dec 2 2019 Stephen Gallagher - 1:12.13.1-1
- Update to 12.13.1
- https://github.com/nodejs/node/blob/v12.13.1/doc/changelogs/CHANGELOG_V12.md
* Tue Oct 29 2019 Stephen Gallagher - 1:12.13.0-6
- Add proper i18n support
* Tue Oct 29 2019 Stephen Gallagher - 1:12.13.0-5
- Fix issue with NPM docs being replaced with a symlink
* Mon Oct 28 2019 Stephen Gallagher - 1:12.13.0-2
- Simplify npmrc default configuration
* Mon Oct 28 2019 Stephen Gallagher - 1:12.13.0-1
- Update to 12.13.0 (LTS)
- https://github.com/nodejs/node/blob/v12.13.0/doc/changelogs/CHANGELOG_V12.md
- NPM no longer clobbers RPM-installed Node.js modules
- Drop no-longer needed patch to suppress `npm update -g npm` message
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1767147 - CVE-2019-17592 nodejs-csv-parse: regular expression denial of service [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1767147
[ 2 ] Bug #1788312 - CVE-2019-16776 nodejs: Arbitrary file write via constructed entry in the package.json bin field [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1788312
[ 3 ] Bug #1788306 - CVE-2019-16775 nodejs: Symlink reference outside of node_modules folder through the bin field upon installation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1788306
[ 4 ] Bug #1788302 - CVE-2019-16777 nodejs: Global node_modules Binary Overwrite via npm CLI [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1788302
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-595ce5e3cc' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys