nodejs16-16.20.2-1.fc37 nodejs18-18.17.1-1.fc37 nodejs20-20.5.1-1.fc37

Read Time:4 Minute, 51 Second

FEDORA-2023-18476abd7e

Packages in this update:

nodejs16-16.20.2-1.fc37
nodejs18-18.17.1-1.fc37
nodejs20-20.5.1-1.fc37

Update description:

https://nodejs.org/en/blog/vulnerability/august-2023-security-releases

Security releases available
Updates are now available for the v16.x, v18.x, and v20.x Node.js release lines for the following issues.

Permissions policies can be bypassed via Module._load (HIGH)(CVE-2023-32002)
The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.

Impacts:

This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Thank you, to mattaustin for reporting this vulnerability and thank you Rafael Gonzaga and Bradley Farias for fixing it.

Permission model bypass by specifying a path traversal sequence in a Buffer (HIGH)(CVE-2023-32004)
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Impacts:

This vulnerability affects all users using the experimental permission model in Node.js 20.
Thank you, to Axel Chong for reporting this vulnerability and thank you Rafael Gonzaga for fixing it.

process.binding() can bypass the permission model through path traversal (HIGH)(CVE-2023-32558)
The use of the deprecated API process.binding() can bypass the permission model through path traversal.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Impacts:

This vulnerability affects all users using the experimental permission model in Node.js 20.
Thank you to Rafael Gonzaga for reporting and fixing this vulnerability.

Permissions policies can impersonate other modules in using module.constructor.createRequire() (MEDIUM)(CVE-2023-32006)
The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.

Impacts:

This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Thank you, to Axel Chong for reporting this vulnerability and thank you Rafael Gonzaga and Bradley Farias for fixing it.

Permissions policies can be bypassed via process.binding (MEDIUM)(CVE-2023-32559)
The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding(‘spawn_sync’) run arbitrary code, outside of the limits defined in a policy.json file.

Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Impacts

This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Thank you, to LeoDog896 for reporting this vulnerability and thank you Tobias Nießen for fixing it.

fs.statfs can retrive stats from files restricted by the Permission Model (LOW)(CVE-2023-32005)
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the –allow-fs-read flag is used with a non-* argument.

This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.statfs API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Impacts:

This vulnerability affects all users using the experimental permission model in Node.js 20.
Thank you to Rafael Gonzaga for reporting and fixing this vulnerability.

fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks (LOW)(CVE-2023-32003)
fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Impacts:

This vulnerability affects all users using the experimental permission model in Node.js 20.
Thank you, to Axel Chong for reporting this vulnerability and thank you Rafael Gonzaga for fixing it.

Downloads and release details
Node.js v16.20.2 (LTS)
Node.js v18.17.1 (LTS)
Node.js v20.5.1 (Current)
(Update 08-Aug-2023) Security Release target August 9th
The Node.js Security Releases will be available on, or shortly after, Wednesday, August 9th, 2023.

Summary
The Node.js project will release new versions of the 16.x, 18.x and 20.x releases lines on or shortly after, Tuesday August 8th 2023 in order to address:

3 high severity issues.
2 medium severity issues.
2 low severity issues.
OpenSSL Security updates
This security release includes the following OpenSSL security updates

OpenSSL security advisory 14th July.
OpenSSL security advisory 19th July.
OpenSSL security advisory 31st July.
Impact
The 20.x release line of Node.js is vulnerable to 3 high severity issues, 2 medium severity issues, and 2 low severity issues.

The 18.x release line of Node.js is vulnerable to 1 high severity issue, and 2 medium severity issues.

The 16.x release line of Node.js is vulnerable to 1 high severity issue, and 2 medium severity issues.

Read More

nodejs16-16.20.2-1.fc38 nodejs18-18.17.1-1.fc38 nodejs20-20.5.1-1.fc38

Read Time:4 Minute, 51 Second

FEDORA-2023-d12a917ab4

Packages in this update:

nodejs16-16.20.2-1.fc38
nodejs18-18.17.1-1.fc38
nodejs20-20.5.1-1.fc38

Update description:

https://nodejs.org/en/blog/vulnerability/august-2023-security-releases

Security releases available
Updates are now available for the v16.x, v18.x, and v20.x Node.js release lines for the following issues.

Permissions policies can be bypassed via Module._load (HIGH)(CVE-2023-32002)
The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.

Impacts:

This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Thank you, to mattaustin for reporting this vulnerability and thank you Rafael Gonzaga and Bradley Farias for fixing it.

Permission model bypass by specifying a path traversal sequence in a Buffer (HIGH)(CVE-2023-32004)
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Impacts:

This vulnerability affects all users using the experimental permission model in Node.js 20.
Thank you, to Axel Chong for reporting this vulnerability and thank you Rafael Gonzaga for fixing it.

process.binding() can bypass the permission model through path traversal (HIGH)(CVE-2023-32558)
The use of the deprecated API process.binding() can bypass the permission model through path traversal.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Impacts:

This vulnerability affects all users using the experimental permission model in Node.js 20.
Thank you to Rafael Gonzaga for reporting and fixing this vulnerability.

Permissions policies can impersonate other modules in using module.constructor.createRequire() (MEDIUM)(CVE-2023-32006)
The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.

Impacts:

This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Thank you, to Axel Chong for reporting this vulnerability and thank you Rafael Gonzaga and Bradley Farias for fixing it.

Permissions policies can be bypassed via process.binding (MEDIUM)(CVE-2023-32559)
The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding(‘spawn_sync’) run arbitrary code, outside of the limits defined in a policy.json file.

Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Impacts

This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
Thank you, to LeoDog896 for reporting this vulnerability and thank you Tobias Nießen for fixing it.

fs.statfs can retrive stats from files restricted by the Permission Model (LOW)(CVE-2023-32005)
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the –allow-fs-read flag is used with a non-* argument.

This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.statfs API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Impacts:

This vulnerability affects all users using the experimental permission model in Node.js 20.
Thank you to Rafael Gonzaga for reporting and fixing this vulnerability.

fs.mkdtemp() and fs.mkdtempSync() are missing getValidatedPath() checks (LOW)(CVE-2023-32003)
fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Impacts:

This vulnerability affects all users using the experimental permission model in Node.js 20.
Thank you, to Axel Chong for reporting this vulnerability and thank you Rafael Gonzaga for fixing it.

Downloads and release details
Node.js v16.20.2 (LTS)
Node.js v18.17.1 (LTS)
Node.js v20.5.1 (Current)
(Update 08-Aug-2023) Security Release target August 9th
The Node.js Security Releases will be available on, or shortly after, Wednesday, August 9th, 2023.

Summary
The Node.js project will release new versions of the 16.x, 18.x and 20.x releases lines on or shortly after, Tuesday August 8th 2023 in order to address:

3 high severity issues.
2 medium severity issues.
2 low severity issues.
OpenSSL Security updates
This security release includes the following OpenSSL security updates

OpenSSL security advisory 14th July.
OpenSSL security advisory 19th July.
OpenSSL security advisory 31st July.
Impact
The 20.x release line of Node.js is vulnerable to 3 high severity issues, 2 medium severity issues, and 2 low severity issues.

The 18.x release line of Node.js is vulnerable to 1 high severity issue, and 2 medium severity issues.

The 16.x release line of Node.js is vulnerable to 1 high severity issue, and 2 medium severity issues.

Read More

Rhysida ransomware – what you need to know

Read Time:14 Second

Rhysida is a Windows-based ransomware operation that has come to prominence since May 2023, after being linked to a series of high profile cyber attacks in Western Europe, North and South America, and Australia.

Learn more in my article on the Tripwire State of Security blog.

Read More

linux-firmware-20230804-153.fc37

Read Time:1 Minute, 40 Second

FEDORA-2023-eabbf4ca4d

Packages in this update:

linux-firmware-20230804-153.fc37

Update description:

New firmware for AMD Zen CPUs to mitigate the AMD ‘Inception’ attack. Only needed for affected AMD users.

Update to upstream 20230804 release:

Split out QCom Arm IP firmware
Merge Marvell libertas WiFi firmware
Mellanox: Add new mlxsw_spectrum firmware xx.2012.1012
Add URL for latest FW binaries for NXP BT chipsets
rtw89: 8851b: update firmware to v0.29.41.1
qcom: sdm845: add RB3 sensors DSP firmware
amdgpu: Update DMCUB for DCN314 & Yellow Carp
ice: add LAG-supporting DDP package
i915: Update MTL DMC to v2.13
i915: Update ADLP DMC to v2.20
cirrus: Add CS35L41 firmware for Dell Oasis Models
copy-firmware: Fix linking directories when using compression
copy-firmware: Fix test: unexpected operator
qcom: sc8280xp: LENOVO: remove directory sym link
qcom: sc8280xp: LENOVO: Remove execute bits
amdgpu: update VCN 4.0.0 firmware
amdgpu: add initial SMU 13.0.10 firmware
amdgpu: add initial SDMA 6.0.3 firmware
amdgpu: add initial PSP 13.0.10 firmware
amdgpu: add initial GC 11.0.3 firmware
Update AMD fam17h cpu microcode
Update AMD cpu microcode
amdgpu: update various generation VCN firmware
amdgpu: update DMCUB to v0.0.175.0 for various AMDGPU ASICs
Updated NXP SR150 UWB firmware
wfx: update to firmware 3.16.1
mediatek: Update mt8195 SCP firmware to support 10bit mode
i915: update DG2 GuC to v70.8.0
i915: update to GuC 70.8.0 and HuC 8.5.1 for MTL
cirrus: Add CS35L41 firmware for ASUS ROG 2023 Models
Partially revert “amdgpu: DMCUB updates for DCN 3.1.4 and 3.1.5”
Update firmware for MT7922 WiFi/Bluetooth device
Update firmware file for Intel Bluetooth AX200/201/203/210/211
Fix qcom ASoC tglp WHENCE entry
check_whence: Check link targets are valid
iwlwifi: add new FWs from core80-39 release
iwlwifi: update cc/Qu/QuZ firmwares for core80-39 release
qcom: Add Audio firmware for SC8280XP X13s

Read More