ELSA-2025-8514

Опубликовано: 11 июн. 2025

Источник: oracle-oval

Платформа: Oracle Linux 8

Описание

ELSA-2025-8514: nodejs:20 security update (IMPORTANT)

nodejs [1:20.19.2-1]

Update to version 20.19.2 Fixes: CVE-2025-23166 Resolves: RHEL-91595 RHEL-89598 RHEL-92854

[1:20.19.1-1]

Update to version 20.19.1 Resolves: RHEL-78763

[1:20.18.2-4]

Update c-ares to 1.34.5 to address CVE-2025-31498

[1:20.18.2-3]

Remove obsolete lua pretransaction script from spec file Resolves: RHEL-81125

[1:20.18.2-2]

Disable npm's update-notifier Resolves: RHEL-81077

[1:20.18.2-1]

Update to version 20.18.2 Fixes: CVE-2025-23083 CVE-2025-23085 CVE-2025-22150 Resolves: RHEL-76001 RHEL-76146

[1:20.16.0-1]

Update to 20.16.0 Fixes: CVE-2024-36137 CVE-2024-22018 CVE-2024-22020

[1:20.12.2-2]

Backport nghttp2 patch for CVE-2024-28182

[1:20.12.2-1]

Rebase to version 20.12.0 Addresses CVE-2024-27983 CVE-2024-27982 CVE-2024-22025 (node) Addresses CVE-2024-25629 (c-ares)

[1:20.11.1-1]

Rebase to version 20.11.1
Fixes: CVE-2024-21892 CVE-2024-21896 CVE-2024-22017 CVE-2024-22019 (high)
Fixes: CVE-2023-46809 CVE-2024-21890 CVE-2024-21891 (medium)

[1:20.11.0-1]

Rebase to version 20.11.0
Resolves: RHEL-21434

[1:20.9.0-1]

Rebase to LTS
Resolves: RHEL-16159

[1:20.8.1-1]

Update node and nghttp
Add fips patch
Fixes CVE-2023-44487 (nghttp)
Fixes CVE-2023-45143, CVE-2023-39331, CVE-2023-39332, CVE-2023-38552, CVE-2023-39333

[1:20.5.1-1]

Rebase to new security release
Address CVE-2023-32002, CVE-2023-32004, CVE-2023-32558 (high)
Address CVE-2023-32006, CVE-2023-32559 (medium)
Address CVE-2023-32005, CVE-2023-32003 (low)
Resolves: #2186718
Resolves RHELPLAN-155624

[1:20.5.0-1]

Update to v20.5.0
Remove dtrace support
bcond corepack, so we don't provide it by default
Decrease debuginfo verbosity for all arches
Resolves: #2186718
Resolves RHELPLAN-155624

[1:18.16.1-1]

Rebase to 18.16.1 Resolves: rhbz#2188290 rhbz#2166926 Resolves: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
Replace /usr/etc/npmrc symlink with builtin configuration Resolves: rhbz#2222287

[1:18.14.2-3]

Update bundled c-ares to 1.19.1 Resolves: CVE-2022-4904 Resolves: CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-32067

[1:18.14.2-2]

Provide simduft

[1:18.14.2-1]

Rebase to 18.14.2
Resolves: #2178086
Resolves: CVE-2022-25881, CVE-2023-23936, CVE-2023-24807
Resolves: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920

[1:18.12.1-2]

Update version of bundled histogram

[1:18.12.1-1]

Rebase to version 18.12.1 Resolves: rhbz#2125580 CVE-2022-43548 CVE-2022-3517

[1:18.9.1-1]

Rebase to version 18.9.1 Resolves: CVE-2022-35255 CVE-2022-35256

[1:18.8.0-1]

Rebase to version 18.8.0
Include sources for WASM blobs

[1:18.6.0-1]

Rebase to version 18.6.0 Resolves: CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215 Resolves: CVE-2022-29244

[1:18.2.0-1]

Rebase to version 18.2.0

[1:16.14.0-5]

Unify configure calls into single command
Refactor bootstrap-related parts
Decouple dependency bundling from bootstrapping

[1:16.14.0-4]

Apply lock file validation fixes
Resolves: CVE-2021-43616
Resolves: RHBZ#2070013

[1:16.13.1-3]

Resolves: RHBZ#2026329
Add corepack to spec

[1:16.13.1-2]

Resolves: RHBZ#2026329
Update npm version test

[1:16.13.1-1]

Resolves: RHBZ#2014132, RHBZ#2014126, RHBZ#2013828, RHBZ#2024920
Resolves: RHBZ#2026329
Rebase to LTS release and to fix multiple low and medium CVEs

[1:16.8.0-1]

Resolves CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712
Resolves: RHBZ#1993948, RHBZ#1993941, RHBZ#2000151, RHBZ#2002176

[1:16.7.0-2]

Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939,
CVE-2021-22940, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
Resolves: RHBZ#1988608, RHBZ#1993816, RHBZ#1993810
Resolves: RHBZ#1993097, RHBZ#1993948, RHBZ#1993941, RHBZ#1994963
fix python3 in gyp

[1:16.7.0-1]

Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939,
CVE-2021-22940, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
Resolves: RHBZ#1988608, RHBZ#1993816, RHBZ#1993810
Resolves: RHBZ#1993097, RHBZ#1993948, RHBZ#1993941, RHBZ#1994963

[1:16.4.2-1]

Resolves: RHBZ#1979847
Resolves CVE-2021-22918(libuv)
Use system cipher list(1842826, 1952915)

[1:16.1.0-1]

Resolves: RHBZ#1953991
Rebase to v16.x
Update version of gcc and gcc-c++ needed
Remove libs conditionals
Remove unused patches
Bundle nghttp3 and ngtcp2

[1:14.16.0-2]

Resolves RHBZ#1930775
remove --debug-nghttp2 option

[1:14.16.0-1]

Resolves CVE-2021-22883 CVE-2021-22884
Resolves: RHBZ#1934566, RHBZ#1934599
Rebase, remove ini patch

[1:14.15.4-2]

Add patch for yarn crash
Resolves: RHBZ#1915296

[1:14.15.4-1]

Security rebase to 14.15.4
https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
Resolves: RHBZ#1913001, RHBZ#1912953
Resolves: RHBZ#1912636, RHBZ#1898602, RHBZ#1898768, RHBZ#1893987, RHBZ#1893184

[1:14.15.0-1]

Resolves: RHBZ#1858864
Update to LTS release

[1:14.11.0-1]

Security update to 14.11.0

[1:14.4.0-1]

Security update to 14.4.0
Resolves: RHBZ#1815402

[1:14.3.0-1]

Update to 14.3.0
Fix optflags to save memory
Resolves: RHBZ#1815402

[1:14.2.0-1]

Update to 14.2.0
build with python3 only
some clean up

[1:12.16.1-2]

Fix CVE-2020-10531

[1:12.16.1-1]

Rebase to 12.16.1

[1:12.14.1-1]

Rebase to 12.14.1

[1:12.13.1-1]

Resolves: RHBZ# 1773503, update to 12.13.1
minor clean up and sync with Fedora spec
turn off debug builds

[1:12.4.0-2]

Add condition to libs

[1:12.4.0-1]

Update to v12.x
Add v8-devel and libs subpackages from fedora

[1:10.14.1-2]

move nodejs-packaging BR out of conditional

[1:10.14.1-1]

Resolves RHBZ#1644207
fixes node-gyp permissions
rebase

[1:10.11.0-2]

BuildRequire nodejs-packaging for proper npm dependency generation
Resolves: rhbz#1615947

[1:10.11.0-1]

Rebase to 10.11.0
Import changes from fedora
Resolves: rhbz#1621766

[1:10.7.0-5]

Import sources from fedora
Allow using python2 at %build and %install
turn off debug for aarch64

[1:10.7.0-4]

Fix npm upgrade scriptlet
Fix unexpected trailing .1 in npm release field

[1:10.7.0-3]

Restore annotations to binaries
Fix unexpected trailing .1 in release field

[1:10.7.0-2]

Update to 10.7.0
https://nodejs.org/en/blog/release/v10.7.0/
https://nodejs.org/en/blog/release/v10.6.0/

[1:10.5.0-1.1]

Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

[1:10.5.0-1]

Update to 10.5.0
https://nodejs.org/en/blog/release/v10.5.0/

[1:10.4.1-1]

Update to 10.4.1 to address security issues
https://nodejs.org/en/blog/release/v10.4.1/
Resolves: rhbz#1590801
Resolves: rhbz#1591014
Resolves: rhbz#1591019

[1:10.4.0-1]

Update to 10.4.0
https://nodejs.org/en/blog/release/v10.4.0/

[1:10.3.0-1]

Update to 10.3.0
Update npm to 6.1.0
https://nodejs.org/en/blog/release/v10.3.0/

[1:10.2.1-2]

Fix up bare 'python' to be python2
Drop redundant entry in docs section

[1:10.2.1-1]

Update to 10.2.1
https://nodejs.org/en/blog/release/v10.2.1/

[1:10.2.0-1]

Update to 10.2.0
https://nodejs.org/en/blog/release/v10.2.0/

[1:10.1.0-3]

Fix incorrect rpm macro

[1:10.1.0-2]

Include upstream v8 fix for ppc64[le]
Disable debug build on ppc64[le] and s390x

[1:10.1.0-1]

Update to 10.1.0
https://nodejs.org/en/blog/release/v10.1.0/
Reenable node_g binary

[1:10.0.0-1]

Update to 10.0.0
https://nodejs.org/en/blog/release/v10.0.0/
Drop workaround patch
Temporarily drop node_g binary due to https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85587

[1:9.11.1-2]

Use standard Fedora linker flags (bug #1543859)

[1:9.11.1-1]

Update to 9.11.1
https://nodejs.org/en/blog/release/v9.11.0/
https://nodejs.org/en/blog/release/v9.11.1/

[1:9.10.0-1]

Update to 9.10.0
https://nodejs.org/en/blog/release/v9.10.0/

[1:9.9.0-1]

Update to 9.9.0
https://nodejs.org/en/blog/release/v9.9.0/

[1:9.8.0-1]

Update to 9.8.0
https://nodejs.org/en/blog/release/v9.8.0/

[1:9.7.0-1]

Update to 9.7.0
https://nodejs.org/en/blog/release/v9.7.0/
Work around F28 build issue

[1:9.6.1-1]

Update to 9.6.1
https://nodejs.org/en/blog/release/v9.6.1/
https://nodejs.org/en/blog/release/v9.6.0/

[1:9.5.0-1]

Package Node.js 9.5.0

[1:8.9.4-2]

Fix incorrect Requires:

[1:8.9.4-1]

Update to 8.9.4
https://nodejs.org/en/blog/release/v8.9.4/
Switch to system copy of nghttp2

[1:8.9.3-2]

Update to 8.9.3
https://nodejs.org/en/blog/release/v8.9.3/
https://nodejs.org/en/blog/release/v8.9.2/

[1:8.9.1-2]

Rebuild for ICU 60.1

[1:8.9.1-1]

Update to 8.9.1

[1:8.9.0-1]

Update to 8.9.0
Drop upstreamed patch

[1:8.8.1-1]

Update to 8.8.1 to fix a regression

[1:8.8.0-1]

Security update to 8.8.0
https://nodejs.org/en/blog/release/v8.8.0/

[1:8.7.0-1]

Update to 8.7.0
https://nodejs.org/en/blog/release/v8.7.0/

[1:8.6.0-2]

Use bcond macro instead of bootstrap conditional

[1:8.6.0-1]

Fix nghttp2 version
Update to 8.6.0
https://nodejs.org/en/blog/release/v8.6.0/

[1:8.5.0-3]

Build with bootstrap + bundle libuv for modularity
backport patch for aarch64 debug build

[1:8.5.0-2]

Disable debug builds on aarch64 due to https://github.com/nodejs/node/issues/15395

[1:8.5.0-1]

Update to v8.5.0
https://nodejs.org/en/blog/release/v8.5.0/

[1:8.4.0-2]

Refactor openssl BR

[1:8.4.0-1]

Update to v8.4.0
https://nodejs.org/en/blog/release/v8.4.0/
http2 is now supported, add bundled nghttp2
remove openssl 1.0.1 patches, we won't be using them in fedora

[1:8.3.0-1]

Update to v8.3.0
https://nodejs.org/en/blog/release/v8.3.0/
update V8 to 6.0
update minimal gcc and g++ requirements to 4.9.4

[1:8.2.1-2]

Bump release to fix broken dependencies

[1:8.2.1-1.2]

Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

[1:8.2.1-1.1]

Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

[1:8.2.1-1]

Update to v8.2.1
https://nodejs.org/en/blog/release/v8.2.1/

[1:8.2.0-1]

Update to v8.2.0
https://nodejs.org/en/blog/release/v8.2.0/
Update npm to 5.3.0
Adds npx command

[1:8.1.4-3]

s/BuildRequires/Requires/ for http-parser-devel%{?_isa}

[1:8.1.4-2]

Rename python-devel to python2-devel
own %{_pkgdocdir}/npm

[1:8.1.4-1]

Update to v8.1.4
https://nodejs.org/en/blog/release/v8.1.4/
Drop upstreamed c-ares patch

[1:8.1.3-1]

Update to v8.1.3
https://nodejs.org/en/blog/release/v8.1.3/

[1:8.1.2-1]

Update to v8.1.2
remove GCC 7 patch, as it is now fixed in node >= 6.12

nodejs-nodemon nodejs-packaging

Обновленные пакеты

Oracle Linux 8

Oracle Linux aarch64

Module nodejs:20 is enabled

nodejs

20.19.2-1.module+el8.10.0+90611+29f3ae1e

nodejs-devel

20.19.2-1.module+el8.10.0+90611+29f3ae1e

nodejs-docs

20.19.2-1.module+el8.10.0+90611+29f3ae1e

nodejs-full-i18n

20.19.2-1.module+el8.10.0+90611+29f3ae1e

nodejs-nodemon

3.0.1-1.module+el8.10.0+90611+29f3ae1e

nodejs-packaging

2021.06-4.module+el8.10.0+90611+29f3ae1e

nodejs-packaging-bundler

2021.06-4.module+el8.10.0+90611+29f3ae1e

npm

10.8.2-1.20.19.2.1.module+el8.10.0+90611+29f3ae1e

Oracle Linux x86_64

Module nodejs:20 is enabled

nodejs

20.19.2-1.module+el8.10.0+90611+29f3ae1e

nodejs-devel

20.19.2-1.module+el8.10.0+90611+29f3ae1e

nodejs-docs

20.19.2-1.module+el8.10.0+90611+29f3ae1e

nodejs-full-i18n

20.19.2-1.module+el8.10.0+90611+29f3ae1e

nodejs-nodemon

3.0.1-1.module+el8.10.0+90611+29f3ae1e

nodejs-packaging

2021.06-4.module+el8.10.0+90611+29f3ae1e

nodejs-packaging-bundler

2021.06-4.module+el8.10.0+90611+29f3ae1e

npm

10.8.2-1.20.19.2.1.module+el8.10.0+90611+29f3ae1e

Связанные CVE

CVE-2025-23166

Ссылки на источники

Связанные уязвимости

CVE-2025-23166

CVSS3: 7.5

ubuntu

около 1 месяца назад

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.