Aggregator

USN-6725-1: Linux kernel vulnerabilities

1 week ago
Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel did not properly validate certain data structure fields when parsing lease contexts, leading to an out-of-bounds read vulnerability. A remote attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-1194)

Quentin Minster discovered that a race condition existed in the KSMBD implementation in the Linux kernel, leading to a use-after-free vulnerability. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-32254)

It was discovered that a race condition existed in the KSMBD implementation in the Linux kernel when handling session connections, leading to a use-after-free vulnerability. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-32258)

It was discovered that the KSMBD implementation in the Linux kernel did not properly validate buffer sizes in certain operations, leading to an integer underflow and out-of-bounds read vulnerability. A remote attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-38427)

Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel did not properly validate SMB request protocol IDs, leading to an out-of-bounds read vulnerability. A remote attacker could possibly use this to cause a denial of service (system crash). (CVE-2023-38430)

Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel did not properly validate packet header sizes in certain situations, leading to an out-of-bounds read vulnerability. A remote attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-38431)

It was discovered that the KSMBD implementation in the Linux kernel did not properly handle session setup requests, leading to an out-of-bounds read vulnerability. A remote attacker could use this to expose sensitive information. (CVE-2023-3867)

Pratyush Yadav discovered that the Xen network backend implementation in the Linux kernel did not properly handle zero-length data requests, leading to a null pointer dereference vulnerability. An attacker in a guest VM could possibly use this to cause a denial of service (host domain crash). (CVE-2023-46838)

It was discovered that the IPv6 implementation of the Linux kernel did not properly manage route cache memory usage. A remote attacker could use this to cause a denial of service (memory exhaustion). (CVE-2023-52340)

It was discovered that the device mapper driver in the Linux kernel did not properly validate target size during certain memory allocations. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-52429, CVE-2024-23851)

Yang Chaoming discovered that the KSMBD implementation in the Linux kernel did not properly validate request buffer sizes, leading to an out-of-bounds read vulnerability. An attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2024-22705)

Chenyuan Yang discovered that the btrfs file system in the Linux kernel did not properly handle read operations on newly created subvolumes in certain conditions. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-23850)

It was discovered that a race condition existed in the Bluetooth subsystem in the Linux kernel, leading to a null pointer dereference vulnerability. A privileged local attacker could use this to possibly cause a denial of service (system crash). (CVE-2024-24860)

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems:
  • Architecture specifics;
  • Block layer;
  • Cryptographic API;
  • Android drivers;
  • EDAC drivers;
  • GPU drivers;
  • Media drivers;
  • Multifunction device drivers;
  • MTD block device drivers;
  • Network drivers;
  • NVME drivers;
  • TTY drivers;
  • Userspace I/O drivers;
  • EFI Variable file system;
  • F2FS file system;
  • GFS2 file system;
  • SMB network file system;
  • BPF subsystem;
  • IPv6 Networking;
  • Network Traffic Control;
  • AppArmor security module;
(CVE-2023-52463, CVE-2023-52445, CVE-2023-52462, CVE-2023-52609, CVE-2023-52448, CVE-2023-52457, CVE-2023-52464, CVE-2023-52456, CVE-2023-52454, CVE-2023-52438, CVE-2023-52480, CVE-2023-52443, CVE-2023-52442, CVE-2024-26631, CVE-2023-52439, CVE-2023-52612, CVE-2024-26598, CVE-2024-26586, CVE-2024-26589, CVE-2023-52444, CVE-2023-52436, CVE-2024-26633, CVE-2024-26597, CVE-2023-52458, CVE-2024-26591, CVE-2023-52449, CVE-2023-52467, CVE-2023-52441, CVE-2023-52610, CVE-2023-52451, CVE-2023-52469, CVE-2023-52470)

USN-6724-1: Linux kernel vulnerabilities

1 week ago
Pratyush Yadav discovered that the Xen network backend implementation in the Linux kernel did not properly handle zero-length data requests, leading to a null pointer dereference vulnerability. An attacker in a guest VM could possibly use this to cause a denial of service (host domain crash). (CVE-2023-46838)

It was discovered that the Habana's AI Processors driver in the Linux kernel did not properly initialize certain data structures before passing them to user space. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2023-50431)

It was discovered that the device mapper driver in the Linux kernel did not properly validate target size during certain memory allocations. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-52429, CVE-2024-23851)

It was discovered that the CIFS network file system implementation in the Linux kernel did not properly validate certain SMB messages, leading to an out-of-bounds read vulnerability. An attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2023-6610)

Yang Chaoming discovered that the KSMBD implementation in the Linux kernel did not properly validate request buffer sizes, leading to an out-of-bounds read vulnerability. An attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2024-22705)

Chenyuan Yang discovered that the btrfs file system in the Linux kernel did not properly handle read operations on newly created subvolumes in certain conditions. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-23850)

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems:
  • Android drivers;
  • Userspace I/O drivers;
  • F2FS file system;
  • SMB network file system;
  • Networking core;
(CVE-2023-52434, CVE-2023-52436, CVE-2023-52435, CVE-2023-52439, CVE-2023-52438)

USN-6723-1: Bind vulnerabilities

1 week ago
Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner discovered that Bind incorrectly handled validating DNSSEC messages. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service. (CVE-2023-50387)

It was discovered that Bind incorrectly handled preparing an NSEC3 closest encloser proof. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service. (CVE-2023-50868)

yyjson-0.9.0-1.fc38

1 week ago
FEDORA-2024-4691d60717 Packages in this update:
  • yyjson-0.9.0-1.fc38
Update description:

Update to 0.9.0; fix rhbz#2274045 and rhbz#2266791; Security fix for CVE-2024-25713

yyjson-0.9.0-1.fc39

1 week ago
FEDORA-2024-ef2e551fab Packages in this update:
  • yyjson-0.9.0-1.fc39
Update description:

Update to 0.9.0; fix rhbz#2274045 and rhbz#2266791; Security fix for CVE-2024-25713

yyjson-0.9.0-1.fc40

1 week ago
FEDORA-2024-8c48a81cb9 Packages in this update:
  • yyjson-0.9.0-1.fc40
Update description:

Update to 0.9.0; fix rhbz#2274045 and rhbz#2266791; Security fix for CVE-2024-25713

python-django-4.2.11-1.fc41

1 week ago
FEDORA-2024-c5c5671edb Packages in this update:
  • python-django-4.2.11-1.fc41
Update description:

Automatic update for python-django-4.2.11-1.fc41.

Changelog
* Mon Apr 8 2024 Michel Lind <salimma@fedoraproject.org> - 4.2.11-1
- Update to 4.2.11
- Resolves CVE-2024-24680 (rhbz#2263505)
- Resolves CVE-2024-27351 (rhbz#2267654)

nodejs20-20.12.1-3.fc40

1 week 1 day ago
FEDORA-2024-25b66392e2 Packages in this update:
  • nodejs20-20.12.1-3.fc40
Update description:

2024-04-03, Version 20.12.1 'Iron' (LTS), @RafaelGSS

This is a security release

Notable Changes
  • CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash - (High)
  • CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
  • llhttp version 9.2.1
  • undici version 5.28.4
2024-03-26, Version 20.12.0 'Iron' (LTS), @richardlau

Notable Changes

crypto: implement crypto.hash()

This patch introduces a helper crypto.hash() that computes a digest from the input at one shot. This can be 1.2-2x faster than the object-based createHash() for smaller inputs (<= 5MB) that are readily available (not streamed) and incur less memory overhead since no intermediate objects will be created.

    const crypto = require('node:crypto');
    // Hash a string and return the result as a hex-encoded string.
    const string = 'Node.js';
    // 10b3493287f831e81a438811a1ffba01f8cec4b7
    console.log(crypto.hash('sha1', string));

Contributed by Joyee Cheung in #51044.

Loading and parsing environment variables
  • process.loadEnvFile(path):
    • Use this function to load the .env file. If no path is specified, it automatically loads the .env file in the current directory. Example: process.loadEnvFile().
    • Load a specific .env file by specifying its path. Example: process.loadEnvFile('./development.env').
  • util.parseEnv(content):
    • Use this function to parse an existing string containing environment variable assignments.
    • Example usage: require('node:util').parseEnv('HELLO=world').

Contributed by Yagiz Nizipli in #51476.

New connection attempt events

Three new events were added in the net.createConnection flow:

  • connectionAttempt: Emitted when a new connection attempt is started. In case of Happy Eyeballs, this might be emitted multiple times.
  • connectionAttemptFailed: Emitted when a connection attempt fails. In case of Happy Eyeballs, this might be emitted multiple times.
  • connectionAttemptTimeout: Emitted when a connection attempt times out. In case of Happy Eyeballs, this will not be emitted for the last attempt. It is not emitted at all if Happy Eyeballs is not used.

Additionally, a previous bug has been fixed where a new connection attempt could have been started after a previous one failed and after the connection was destroyed by the user. This led to a failed assertion.

Contributed by Paolo Insogna in #51045.

Permission Model changes

Node.js 20.12.0 comes with several fixes for the experimental permission model and two new semver-minor commits. We're adding a new flag --allow-addons to enable addon usage when using the Permission Model.

$ node --experimental-permission --allow-addons

Contributed by Rafael Gonzaga in #51183

Relative paths are now supported through the --allow-fs-* flags. Therefore, with this release one can use:

$ node --experimental-permission --allow-fs-read=./index.js

To give only read access to the entrypoint of the application.

Contributed by Rafael Gonzaga and Carlos Espa in #50758.

sea: support embedding assets

Users can now include assets by adding a key-path dictionary to the configuration as the assets field. At build time, Node.js would read the assets from the specified paths and bundle them into the preparation blob. In the generated executable, users can retrieve the assets using the sea.getAsset() and sea.getAssetAsBlob() API.

    {
      "main": "/path/to/bundled/script.js",
      "output": "/path/to/write/the/generated/blob.blob",
      "assets": {
        "a.jpg": "/path/to/a.jpg",
        "b.txt": "/path/to/b.txt"
      }
    }

The single-executable application can access the assets as follows:

    const { getAsset, getAssetAsBlob } = require('node:sea');
    // Returns a copy of the data in an ArrayBuffer
    const image = getAsset('a.jpg');
    // Returns a string decoded from the asset as UTF8.
    const text = getAsset('b.txt', 'utf8');
    // Returns a Blob containing the asset without copying.
    const blob = getAssetAsBlob('a.jpg');

Contributed by Joyee Cheung in #50960.

Support configurable snapshot through --build-snapshot-config flag

We are adding a new flag --build-snapshot-config to configure snapshots through a custom JSON configuration file.

$ node --build-snapshot-config=/path/to/myconfig.json

When using this flag, additional script files provided on the command line will not be executed and instead be interpreted as regular command line arguments.

These changes were contributed by Joyee Cheung and Anna Henningsen in #50453

Text Styling
  • util.styleText(format, text): This function returns the text formatted according to the format passed.

A new API has been created to format text based on util.inspect.colors, enabling you to style text in different colors (such as red, blue, ...) and emphasis (italic, bold, ...).

    const { styleText } = require('node:util');
    const errorMessage = styleText('red', 'Error! Error!');
    console.log(errorMessage);

Contributed by Rafael Gonzaga in #51850.

vm: support using the default loader to handle dynamic import()

This patch adds support for using vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER as the importModuleDynamically option in all vm APIs that take this option except vm.SourceTextModule. This allows users to have a shortcut to support dynamic import() in the compiled code without missing the compilation cache if they don't need customization of the loading process. We emit an experimental warning when the import() is actually handled by the default loader through this option instead of requiring --experimental-vm-modules.

    const { Script, constants } = require('node:vm');
    const { resolve } = require('node:path');
    const { writeFileSync } = require('node:fs');

    // Write test.mjs and test.json to the directory where the current script
    // being run is located.
    writeFileSync(resolve(__dirname, 'test.mjs'),
                  'export const filename = "./test.json";');
    writeFileSync(resolve(__dirname, 'test.json'), '{"hello": "world"}');

    // Compile a script that loads test.mjs and then test.json
    // as if the script is placed in the same directory.
    const script = new Script(
      `(async function() {
        const { filename } = await import('./test.mjs');
        return import(filename, { with: { type: 'json' } })
      })();`,
      {
        filename: resolve(__dirname, 'test-with-default.js'),
        importModuleDynamically: constants.USE_MAIN_CONTEXT_DEFAULT_LOADER,
      });

    // { default: { hello: 'world' } }
    script.runInThisContext().then(console.log);

Contributed by Joyee Cheung in #51244.

Root certificates updated to NSS 3.98

Certificates added:

  • Telekom Security TLS ECC Root 2020
  • Telekom Security TLS RSA Root 2023

Certificates removed:

  • Security Communication Root CA

Updated dependencies
  • acorn updated to 8.11.3.
  • ada updated to 2.7.6.
  • base64 updated to 0.5.2.
  • brotli updated to 1.1.0.
  • c-ares updated to 1.27.0.
  • corepack updated to 0.25.2.
  • ICU updated to 74.2. Includes CLDR 44.1 and Unicode 15.1.
  • nghttp2 updated to 1.60.0.
  • npm updated to 10.5.0. Fixes a regression in signals not being passed onto child processes.
  • simdutf8 updated to 4.0.8.
  • Timezone updated to 2024a.
  • zlib updated to 1.3.0.1-motley-40e35a7.

Include Provides: nodejs20-* for non-versioned packages.

nodejs20-20.12.1-3.fc39

1 week 1 day ago
FEDORA-2024-91bb4ed803 Packages in this update:
  • nodejs20-20.12.1-3.fc39
Update description:

2024-04-03, Version 20.12.1 'Iron' (LTS), @RafaelGSS

This is a security release

Notable Changes
  • CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash - (High)
  • CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
  • llhttp version 9.2.1
  • undici version 5.28.4

USN-6722-1: Django vulnerability

1 week 1 day ago
Simon Charette discovered that the password reset functionality in Django used a Unicode case insensitive query to retrieve accounts associated with an email address. An attacker could possibly use this to obtain password reset tokens and hijack accounts.
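The lookup-and-delivery mismatch the advisory describes, as an added example (not code from the advisory or from Django): the user table, the database comparison and both reset flows are constructed stand-ins, and the application-side re-check in the hardened version (NFKC normalization plus casefold) is an assumed defensive measure, not something the advisory states.

```python
import hmac
import secrets
import unicodedata
from typing import Optional

# Constructed stand-in for the user table.
USERS = [
    {"id": 1, "email": "mike@example.com"},
    {"id": 2, "email": "kate@example.org"},
]

# Constructed request: the 'k' is U+212A KELVIN SIGN, so this is not the
# victim's mailbox, yet a case-insensitive lookup resolves to the account.
CRAFTED = "mi\u212ae@example.com"


def db_iexact(stored: str, submitted: str) -> bool:
    """Models a database case-insensitive comparison with full Unicode
    case mapping: U+212A lower-cases to ASCII 'k', so a string that
    differs byte-for-byte from the stored email still matches."""
    return stored.lower() == submitted.lower()


def vulnerable_reset(submitted: str) -> Optional[dict]:
    """Case-insensitive lookup, then the token is mailed to the address
    the requester typed rather than the one stored on the account."""
    for user in USERS:
        if db_iexact(user["email"], submitted):
            return {"account": user["email"], "sent_to": submitted,
                    "token": secrets.token_urlsafe(16)}
    return None


def unicode_ci_compare(s1: str, s2: str) -> bool:
    """Application-side re-check of the database match: NFKC-normalize,
    casefold, compare in constant time, so pairs that only a permissive
    database collation considers equal are rejected."""
    a = unicodedata.normalize("NFKC", s1).casefold().encode()
    b = unicodedata.normalize("NFKC", s2).casefold().encode()
    return hmac.compare_digest(a, b)


def hardened_reset(submitted: str) -> Optional[dict]:
    """Same lookup, but the token goes only to the stored address, and
    the match is confirmed in application code before anything is sent."""
    for user in USERS:
        if db_iexact(user["email"], submitted):
            if not unicode_ci_compare(user["email"], submitted):
                return None
            return {"account": user["email"], "sent_to": user["email"],
                    "token": secrets.token_urlsafe(16)}
    return None
```

The decisive change is the delivery address: once the token is only ever sent to the email already on the account, a lookup that resolves to the wrong row no longer leaks anything to the requester.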