USN-6735-1

It was discovered that Node.js incorrectly handled the use of invalid public keys while creating an x509 certificate. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.10. (CVE-2023-30588)

It was discovered that Node.js incorrectly handled the use of CRLF sequences to delimit HTTP requests. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain unauthorised access. This issue only affected Ubuntu 23.10. (CVE-2023-30589)

It was discovered that Node.js incorrectly described the generateKeys() function in the documentation. This inconsistency could possibly lead to security issues in applications that use these APIs. (CVE-2023-30590)

References

Affected packages

Ubuntu:Pro:14.04:LTS / nodejs

Package

Name: nodejs
Purl: pkg:deb/ubuntu/nodejs@0.10.25~dfsg2-2ubuntu1.2+esm2?arch=source&distro=trusty/esm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.10.25~dfsg2-2ubuntu1.2+esm2

Affected versions

0.*

0.10.15~dfsg1-4

0.10.21~dfsg1-1

0.10.22~dfsg1-2

0.10.23~dfsg1-1

0.10.23~dfsg1-2

0.10.23~dfsg1-3

0.10.24~dfsg1-1

0.10.25~dfsg2-2

0.10.25~dfsg2-2ubuntu1

0.10.25~dfsg2-2ubuntu1.2

0.10.25~dfsg2-2ubuntu1.2+esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_name": "nodejs",
            "binary_version": "0.10.25~dfsg2-2ubuntu1.2+esm2"
        },
        {
            "binary_name": "nodejs-dev",
            "binary_version": "0.10.25~dfsg2-2ubuntu1.2+esm2"
        },
        {
            "binary_name": "nodejs-legacy",
            "binary_version": "0.10.25~dfsg2-2ubuntu1.2+esm2"
        }
    ]
}

Database specific

cves_map

{
    "ecosystem": "Ubuntu:Pro:14.04:LTS",
    "cves": [
        {
            "id": "CVE-2023-30590",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        }
    ]
}

Ubuntu:Pro:16.04:LTS / nodejs

Package

Name: nodejs
Purl: pkg:deb/ubuntu/nodejs@4.2.6~dfsg-1ubuntu4.2+esm3?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.2.6~dfsg-1ubuntu4.2+esm3

Affected versions

0.*

0.10.25~dfsg2-2ubuntu1

4.*

4.2.2~dfsg-1

4.2.3~dfsg-1

4.2.4~dfsg-1ubuntu1

4.2.4~dfsg-2

4.2.6~dfsg-1ubuntu1

4.2.6~dfsg-1ubuntu4

4.2.6~dfsg-1ubuntu4.1

4.2.6~dfsg-1ubuntu4.2

4.2.6~dfsg-1ubuntu4.2+esm1

4.2.6~dfsg-1ubuntu4.2+esm2

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_name": "nodejs",
            "binary_version": "4.2.6~dfsg-1ubuntu4.2+esm3"
        },
        {
            "binary_name": "nodejs-dev",
            "binary_version": "4.2.6~dfsg-1ubuntu4.2+esm3"
        },
        {
            "binary_name": "nodejs-legacy",
            "binary_version": "4.2.6~dfsg-1ubuntu4.2+esm3"
        }
    ]
}

Database specific

cves_map

{
    "ecosystem": "Ubuntu:Pro:16.04:LTS",
    "cves": [
        {
            "id": "CVE-2023-30590",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        }
    ]
}

Ubuntu:Pro:18.04:LTS / nodejs

Package

Name: nodejs
Purl: pkg:deb/ubuntu/nodejs@8.10.0~dfsg-2ubuntu0.4+esm5?arch=source&distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.10.0~dfsg-2ubuntu0.4+esm5

Affected versions

6.*

6.11.4~dfsg-1ubuntu1

6.11.4~dfsg-1ubuntu2

6.12.0~dfsg-1ubuntu1

6.12.0~dfsg-2ubuntu1

6.12.0~dfsg-2ubuntu2

8.*

8.10.0~dfsg-2

8.10.0~dfsg-2ubuntu0.2

8.10.0~dfsg-2ubuntu0.3

8.10.0~dfsg-2ubuntu0.4

8.10.0~dfsg-2ubuntu0.4+esm1

8.10.0~dfsg-2ubuntu0.4+esm2

8.10.0~dfsg-2ubuntu0.4+esm3

8.10.0~dfsg-2ubuntu0.4+esm4

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_name": "nodejs",
            "binary_version": "8.10.0~dfsg-2ubuntu0.4+esm5"
        },
        {
            "binary_name": "nodejs-dev",
            "binary_version": "8.10.0~dfsg-2ubuntu0.4+esm5"
        }
    ]
}

Database specific

cves_map

{
    "ecosystem": "Ubuntu:Pro:18.04:LTS",
    "cves": [
        {
            "id": "CVE-2023-30590",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        }
    ]
}

Ubuntu:20.04:LTS / nodejs

Package

Name: nodejs
Purl: pkg:deb/ubuntu/nodejs@10.19.0~dfsg-3ubuntu1.6?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.19.0~dfsg-3ubuntu1.6

Affected versions

10.*

10.15.2~dfsg-2ubuntu1

10.17.0~dfsg-2ubuntu4

10.17.0~dfsg-2ubuntu6

10.19.0~dfsg-3ubuntu1

10.19.0~dfsg-3ubuntu1.1

10.19.0~dfsg-3ubuntu1.2

10.19.0~dfsg-3ubuntu1.3

10.19.0~dfsg-3ubuntu1.5

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "libnode-dev",
            "binary_version": "10.19.0~dfsg-3ubuntu1.6"
        },
        {
            "binary_name": "libnode64",
            "binary_version": "10.19.0~dfsg-3ubuntu1.6"
        },
        {
            "binary_name": "nodejs",
            "binary_version": "10.19.0~dfsg-3ubuntu1.6"
        }
    ]
}

Database specific

cves_map

{
    "ecosystem": "Ubuntu:20.04:LTS",
    "cves": [
        {
            "id": "CVE-2023-30590",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        }
    ]
}

Ubuntu:22.04:LTS / nodejs

Package

Name: nodejs
Purl: pkg:deb/ubuntu/nodejs@12.22.9~dfsg-1ubuntu3.5?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

12.22.9~dfsg-1ubuntu3.5

Affected versions

12.*

12.22.5~dfsg-5ubuntu1

12.22.7~dfsg-2ubuntu1

12.22.7~dfsg-2ubuntu3

12.22.9~dfsg-1ubuntu2

12.22.9~dfsg-1ubuntu3

12.22.9~dfsg-1ubuntu3.1

12.22.9~dfsg-1ubuntu3.2

12.22.9~dfsg-1ubuntu3.3

12.22.9~dfsg-1ubuntu3.4

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "libnode-dev",
            "binary_version": "12.22.9~dfsg-1ubuntu3.5"
        },
        {
            "binary_name": "libnode72",
            "binary_version": "12.22.9~dfsg-1ubuntu3.5"
        },
        {
            "binary_name": "nodejs",
            "binary_version": "12.22.9~dfsg-1ubuntu3.5"
        }
    ]
}

Database specific

cves_map

{
    "ecosystem": "Ubuntu:22.04:LTS",
    "cves": [
        {
            "id": "CVE-2023-30590",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        }
    ]
}