Mageia alert MGASA-2026-0071 (nodejs)
| From: | Mageia Updates <updates-announce@ml.mageia.org> | |
| To: | updates-announce@ml.mageia.org | |
| Subject: | [updates-announce] MGASA-2026-0071: Updated nodejs packages fix security vulnerabilities | |
| Date: | Sat, 28 Mar 2026 08:27:00 +0100 | |
| Message-ID: | <20260328072701.0827E9F997@duvel.mageia.org> | |
| Archive-link: | Article |
MGASA-2026-0071 - Updated nodejs packages fix security vulnerabilities Publication date: 28 Mar 2026 URL: https://advisories.mageia.org/MGASA-2026-0071.html Type: security Affected Mageia releases: 9 CVE: CVE-2026-21637, CVE-2026-21710, CVE-2026-21713, CVE-2026-21714, CVE-2026-21715, CVE-2026-21716, CVE-2026-21717 Description: Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS. (CVE-2026-21637) Denial of Service via __proto__ header name in req.headersDistinct (Uncaught TypeError crashes Node.js process). (CVE-2026-21710) Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery. (CVE-2026-21713) Memory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion. (CVE-2026-21714) Permission Model Bypass in realpathSync.native Allows File Existence Disclosure. (CVE-2026-21715) CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown. (CVE-2026-21716) HashDoS in V8. (CVE-2026-21717) References: - https://bugs.mageia.org/show_bug.cgi?id=35270 - https://nodejs.org/en/blog/vulnerability/march-2026-secur... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2... SRPMS: - 9/core/nodejs-22.22.2-1.mga9