{"update": {"autokarma": true, "autotime": true, "stable_karma": 2, "stable_days": 7, "unstable_karma": -1, "require_bugs": true, "require_testcases": true, "display_name": "", "notes": "## 2023-02-16, Version 16.19.1 'Gallium' (LTS), @richardlau\n\nThis is a security release.\n\n### Notable Changes\n\nThe following CVEs are fixed in this release:\n\n* **[CVE-2023-23918](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918)**: Node.js Permissions policies can be bypassed via process.mainModule (High)\n* **[CVE-2023-23919](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23919)**: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)\n* **[CVE-2023-23920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920)**: Node.js insecure loading of ICU data through ICU\\_DATA environment variable (Low)\n\nFixed by an update to undici:\n\n* **[CVE-2023-23936](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936)**: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium)\n  * See <https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff> for more information.\n* **[CVE-2023-24807](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807)**: Regular Expression Denial of Service in Headers in Node.js fetch API (Low)\n  * See <https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w> for more information.\n\nMore detailed information on each of the vulnerabilities can be found in [February 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/) blog post.\n\nThis security release includes OpenSSL security updates as outlined in the recent\n[OpenSSL security advisory](https://www.openssl.org/news/secadv/20230207.txt).\n\n### Commits\n\n* \\[[`7fef050447`](https://github.com/nodejs/node/commit/7fef050447)] - **build**: build ICU with ICU\\_NO\\_USER\\_DATA\\_OVERRIDE (RafaelGSS) [nodejs-private/node-private#374](https://github.com/nodejs-private/node-private/pull/374)\n* \\[[`b558e9f476`](https://github.com/nodejs/node/commit/b558e9f476)] - **crypto**: clear OpenSSL error on invalid ca cert (RafaelGSS) [nodejs-private/node-private#375](https://github.com/nodejs-private/node-private/pull/375)\n* \\[[`160adb7ffc`](https://github.com/nodejs/node/commit/160adb7ffc)] - **crypto**: clear OpenSSL error queue after calling X509\\_check\\_private\\_key() (Filip Skokan) [#45495](https://github.com/nodejs/node/pull/45495)\n* \\[[`d0ece30948`](https://github.com/nodejs/node/commit/d0ece30948)] - **crypto**: clear OpenSSL error queue after calling X509\\_verify() (Takuro Sato) [#45377](https://github.com/nodejs/node/pull/45377)\n* \\[[`2d9ae4f184`](https://github.com/nodejs/node/commit/2d9ae4f184)] - **deps**: update undici to v5.19.1 (Matteo Collina) [nodejs-private/node-private#388](https://github.com/nodejs-private/node-private/pull/388)\n* \\[[`d80e8312fd`](https://github.com/nodejs/node/commit/d80e8312fd)] - **deps**: cherry-pick Windows ARM64 fix for openssl (Richard Lau) [#46568](https://github.com/nodejs/node/pull/46568)\n* \\[[`de5c8d2c2f`](https://github.com/nodejs/node/commit/de5c8d2c2f)] - **deps**: update archs files for quictls/openssl-1.1.1t+quic (RafaelGSS) [#46568](https://github.com/nodejs/node/pull/46568)\n* \\[[`1a8ccfe908`](https://github.com/nodejs/node/commit/1a8ccfe908)] - **deps**: upgrade openssl sources to OpenSSL\\_1\\_1\\_1t+quic (RafaelGSS) [#46568](https://github.com/nodejs/node/pull/46568)\n* \\[[`693789780b`](https://github.com/nodejs/node/commit/693789780b)] - **doc**: clarify release notes for Node.js 16.19.0 (Richard Lau) [#45846](https://github.com/nodejs/node/pull/45846)\n* \\[[`f95ef064f4`](https://github.com/nodejs/node/commit/f95ef064f4)] - **lib**: makeRequireFunction patch when experimental policy (RafaelGSS) [nodejs-private/node-private#358](https://github.com/nodejs-private/node-private/pull/358)\n* \\[[`b02d895137`](https://github.com/nodejs/node/commit/b02d895137)] - **policy**: makeRequireFunction on mainModule.require (RafaelGSS) [nodejs-private/node-private#358](https://github.com/nodejs-private/node-private/pull/358)\n* \\[[`d7f83c420c`](https://github.com/nodejs/node/commit/d7f83c420c)] - **test**: avoid left behind child processes (Richard Lau) [#46276](https://github.com/nodejs/node/pull/46276)", "type": "security", "status": "obsolete", "request": null, "severity": "medium", "suggest": "unspecified", "locked": false, "pushed": false, "critpath": false, "critpath_groups": "", "close_bugs": true, "date_submitted": "2023-03-02 15:15:24", "date_modified": null, "date_approved": null, "date_testing": "2023-03-03 02:25:16", "date_stable": null, "alias": "FEDORA-2023-dc70a91343", "test_gating_status": "failed", "from_tag": null, "date_pushed": "2023-03-03 02:25:16", "meets_testing_requirements": false, "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2023-dc70a91343", "title": "nodejs16-16.19.1-4.fc37", "version_hash": "e9bb643ee04fe169103a4b1761042e91fa7bad18", "release": {"name": "F37", "long_name": "Fedora 37", "version": "37", "id_prefix": "FEDORA", "branch": "f37", "dist_tag": "f37", "stable_tag": "f37-updates", "testing_tag": "f37-updates-testing", "candidate_tag": "f37-updates-candidate", "pending_signing_tag": "f37-signing-pending", "pending_testing_tag": "f37-updates-testing-pending", "pending_stable_tag": "f37-updates-pending", "override_tag": "f37-override", "mail_template": "fedora_errata_template", "state": "archived", "composed_by_bodhi": true, "create_automatic_updates": false, "package_manager": "dnf", "testing_repository": "updates-testing", "released_on": null, "eol": "2023-12-05", "critpath_mandatory_days_in_testing": 14, "mandatory_days_in_testing": 7, "critpath_min_karma": 2, "min_karma": 1, "setting_status": null}, "user": {"name": "sgallagh", "email": "sgallagh@redhat.com", "id": 535, "avatar": "https://seccdn.libravatar.org/avatar/bf298fff6edef11d0f53e6bd1fb1e649c131b75ad7200ab134883e8603591405?s=24&d=retro", "openid": "sgallagh.id.fedoraproject.org", "groups": [{"name": "provenpackager"}, {"name": "packager"}, {"name": "nodejs-sig"}, {"name": "eln-sig"}, {"name": "gitding-libs"}, {"name": "gitroller-derby"}, {"name": "communishift"}, {"name": "sysadmin-noc"}, {"name": "gitnodejs-packaging"}, {"name": "fedorabugs"}, {"name": "signed_fpca"}, {"name": "gitspin-kickstarts"}, {"name": "fesco"}, {"name": "epel-cabal"}, {"name": "gitsssd"}, {"name": "sysadmin"}, {"name": "modularity-wg"}, {"name": "cockpit-jenkins"}, {"name": "gitcura"}, {"name": "gitrolekit"}, {"name": "ipausers"}, {"name": "gitelapi"}, {"name": "cockpitteam"}, {"name": "server-wg"}, {"name": "fedora-contributor"}, {"name": "summer-coding"}, {"name": "bind-dyndb-ldap"}, {"name": "sysadmin-odcs"}, {"name": "gitlab-fedora-admin"}, {"name": "sysadmin-eln"}]}, "comments": [{"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for testing by sgallagh. ", "timestamp": "2023-03-02 15:15:24", "update_id": 490524, "user_id": 91, "id": 2926391, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'waiting'.", "timestamp": "2023-03-02 15:15:25", "update_id": 490524, "user_id": 91, "id": 2926392, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'failed'.", "timestamp": "2023-03-02 17:46:08", "update_id": 490524, "user_id": 91, "id": 2926582, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to testing.", "timestamp": "2023-03-03 02:26:51", "update_id": 490524, "user_id": 91, "id": 2929194, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 1, "karma_critpath": 0, "text": "", "timestamp": "2023-03-22 18:55:25", "update_id": 490524, "user_id": 6082, "id": 2956514, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "jrsanders", "email": "jr.sanders@safetymail.info", "id": 6082, "avatar": "https://seccdn.libravatar.org/avatar/1cac788ae5cabf98d16ceeb0b5be0ba27995cae8d198766beba9bfb8ad0e64b4?s=24&d=retro", "openid": "jrsanders.id.fedoraproject.org", "groups": [{"name": "ipausers"}]}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been obsoleted by [nodejs16-16.20.0-1.fc37](https://bodhi.fedoraproject.org/updates/FEDORA-2023-c9c9af3c3d).", "timestamp": "2023-03-30 16:07:30", "update_id": 490524, "user_id": 91, "id": 2968039, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}], "builds": [{"nvr": "nodejs16-16.19.1-4.fc37", "signed": true, "release_id": 62, "type": "rpm", "epoch": 1}], "bugs": [], "updateid": "FEDORA-2023-dc70a91343", "karma": 1, "content_type": "rpm", "test_cases": []}, "can_edit": false, "ci_allowed": false}