FEDORA-2026-0f43f09cd9 — security update for nodejs20

testing

nodejs20-20.20.2-4.fc42

FEDORA-2026-0f43f09cd9 created by aradchen 6 days ago for Fedora 42

Update for nodejs20

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-0f43f09cd9

This update has been submitted for testing by aradchen.

6 days ago

This update's test gating status has been changed to 'waiting'.

6 days ago

This update's test gating status has been changed to 'failed'.

6 days ago

This update's test gating status has been changed to 'passed'.

6 days ago

This update has been pushed to testing.

5 days ago

Please log in to add feedback.

Metadata

Type

security

Karma

Signed

Content Type

RPM

Test Gating

passed

Autopush Settings

Unstable by Karma

-3

Stable by Karma

Stable by Time

7 days

Thresholds

Minimum Karma

Minimum Testing

7 days

Dates

submitted

6 days ago

in testing

5 days ago

days to stable

Builds

nodejs20-20.20.2-4.fc42

BZ#2453563 CVE-2026-21717 nodejs20: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions [fedora-all]

BZ#2453567 CVE-2026-21714 nodejs20: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames [fedora-all]

BZ#2453570 CVE-2026-21713 nodejs20: Node.js: Information disclosure via timing oracle in HMAC verification [fedora-all]

BZ#2453592 CVE-2026-21716 nodejs20: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. [fedora-all]

BZ#2453596 CVE-2026-21715 nodejs20: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions [fedora-all]

BZ#2453599 CVE-2026-21710 nodejs20: Node.js: Denial of Service due to crafted HTTP `__proto__` header [fedora-all]

nodejs20-20.20.2-4.fc42

Automated Test Results

passed