ELSA-2025-1351

ULN >
Oracle Linux Errata repository >
ELSA-2025-1351

ELSA-2025-1351 - nodejs:20 security update

Type:	SECURITY
Severity:	IMPORTANT
Release Date:	2025-02-13

Description

nodejs
[1:20.18.2-1]
- Update to version 20.18.2
Fixes: CVE-2025-23083 CVE-2025-23085 CVE-2025-22150
Resolves: RHEL-76001 RHEL-76146

[1:20.16.0-1]
- Update to 20.16.0
Fixes: CVE-2024-36137 CVE-2024-22018 CVE-2024-22020

[1:20.12.2-2]
- Backport nghttp2 patch for CVE-2024-28182

[1:20.12.2-1]
- Rebase to version 20.12.0
Addresses CVE-2024-27983 CVE-2024-27982 CVE-2024-22025 (node)
Addresses CVE-2024-25629 (c-ares)

[1:20.11.1-1]
- Rebase to version 20.11.1
- Fixes: CVE-2024-21892 CVE-2024-21896 CVE-2024-22017 CVE-2024-22019 (high)
- Fixes: CVE-2023-46809 CVE-2024-21890 CVE-2024-21891 (medium)

[1:20.11.0-1]
- Rebase to version 20.11.0
- Resolves: RHEL-21434

[1:20.9.0-1]
- Rebase to LTS
- Resolves: RHEL-16159

[1:20.8.1-1]
- Update node and nghttp
- Add fips patch
- Fixes CVE-2023-44487 (nghttp)
- Fixes CVE-2023-45143, CVE-2023-39331, CVE-2023-39332, CVE-2023-38552, CVE-2023-39333

[1:20.5.1-1]
- Rebase to new security release
- Address CVE-2023-32002, CVE-2023-32004, CVE-2023-32558 (high)
- Address CVE-2023-32006, CVE-2023-32559 (medium)
- Address CVE-2023-32005, CVE-2023-32003 (low)
- Resolves: #2186718
- Resolves RHELPLAN-155624

[1:20.5.0-1]
- Update to v20.5.0
- Remove dtrace support
- bcond corepack, so we don't provide it by default
- Decrease debuginfo verbosity for all arches
- Resolves: #2186718
- Resolves RHELPLAN-155624

[1:18.16.1-1]
- Rebase to 18.16.1
Resolves: rhbz#2188290 rhbz#2166926
Resolves: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
- Replace /usr/etc/npmrc symlink with builtin configuration
Resolves: rhbz#2222287

[1:18.14.2-3]
- Update bundled c-ares to 1.19.1
Resolves: CVE-2022-4904
Resolves: CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-32067

[1:18.14.2-2]
- Provide simduft

[1:18.14.2-1]
- Rebase to 18.14.2
- Resolves: #2178086
- Resolves: CVE-2022-25881, CVE-2023-23936, CVE-2023-24807
- Resolves: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920

[1:18.12.1-2]
- Update version of bundled histogram

[1:18.12.1-1]
- Rebase to version 18.12.1
Resolves: rhbz#2125580 CVE-2022-43548 CVE-2022-3517

[1:18.9.1-1]
- Rebase to version 18.9.1
Resolves: CVE-2022-35255 CVE-2022-35256

[1:18.8.0-1]
- Rebase to version 18.8.0
- Include sources for WASM blobs

[1:18.6.0-1]
- Rebase to version 18.6.0
Resolves: CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215
Resolves: CVE-2022-29244

[1:18.2.0-1]
- Rebase to version 18.2.0

[1:16.14.0-5]
- Unify configure calls into single command
- Refactor bootstrap-related parts
- Decouple dependency bundling from bootstrapping

[1:16.14.0-4]
- Apply lock file validation fixes
- Resolves: CVE-2021-43616
- Resolves: RHBZ#2070013

[1:16.13.1-3]
- Resolves: RHBZ#2026329
- Add corepack to spec

[1:16.13.1-2]
- Resolves: RHBZ#2026329
- Update npm version test

[1:16.13.1-1]
- Resolves: RHBZ#2014132, RHBZ#2014126, RHBZ#2013828, RHBZ#2024920
- Resolves: RHBZ#2026329
- Rebase to LTS release and to fix multiple low and medium CVEs

[1:16.8.0-1]
- Resolves CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712
- Resolves: RHBZ#1993948, RHBZ#1993941, RHBZ#2000151, RHBZ#2002176

[1:16.7.0-2]
- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939,
- CVE-2021-22940, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
- Resolves: RHBZ#1988608, RHBZ#1993816, RHBZ#1993810
- Resolves: RHBZ#1993097, RHBZ#1993948, RHBZ#1993941, RHBZ#1994963
- fix python3 in gyp

[1:16.7.0-1]
- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939,
- CVE-2021-22940, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
- Resolves: RHBZ#1988608, RHBZ#1993816, RHBZ#1993810
- Resolves: RHBZ#1993097, RHBZ#1993948, RHBZ#1993941, RHBZ#1994963

[1:16.4.2-1]
- Resolves: RHBZ#1979847
- Resolves CVE-2021-22918(libuv)
- Use system cipher list(1842826, 1952915)

[1:16.1.0-1]
- Resolves: RHBZ#1953991
- Rebase to v16.x
- Update version of gcc and gcc-c++ needed
- Remove libs conditionals
- Remove unused patches
- Bundle nghttp3 and ngtcp2

[1:14.16.0-2]
- Resolves RHBZ#1930775
- remove --debug-nghttp2 option

[1:14.16.0-1]
- Resolves CVE-2021-22883 CVE-2021-22884
- Resolves: RHBZ#1934566, RHBZ#1934599
- Rebase, remove ini patch

[1:14.15.4-2]
- Add patch for yarn crash
- Resolves: RHBZ#1915296

[1:14.15.4-1]
- Security rebase to 14.15.4
- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
- Resolves: RHBZ#1913001, RHBZ#1912953
- Resolves: RHBZ#1912636, RHBZ#1898602, RHBZ#1898768, RHBZ#1893987, RHBZ#1893184

[1:14.15.0-1]
- Resolves: RHBZ#1858864
- Update to LTS release

[1:14.11.0-1]
- Security update to 14.11.0

[1:14.4.0-1]
- Security update to 14.4.0
- Resolves: RHBZ#1815402

[1:14.3.0-1]
- Update to 14.3.0
- Fix optflags to save memory
- Resolves: RHBZ#1815402

[1:14.2.0-1]
- Update to 14.2.0
- build with python3 only
- some clean up

[1:12.16.1-2]
- Fix CVE-2020-10531

[1:12.16.1-1]
- Rebase to 12.16.1

[1:12.14.1-1]
- Rebase to 12.14.1

[1:12.13.1-1]
- Resolves: RHBZ# 1773503, update to 12.13.1
- minor clean up and sync with Fedora spec
- turn off debug builds

[1:12.4.0-2]
- Add condition to libs

[1:12.4.0-1]
- Update to v12.x
- Add v8-devel and libs subpackages from fedora

[1:10.14.1-2]
- move nodejs-packaging BR out of conditional

[1:10.14.1-1]
- Resolves RHBZ#1644207
- fixes node-gyp permissions
- rebase

[1:10.11.0-2]
- BuildRequire nodejs-packaging for proper npm dependency generation
- Resolves: rhbz#1615947

[1:10.11.0-1]
- Rebase to 10.11.0
- Import changes from fedora
- Resolves: rhbz#1621766

[1:10.7.0-5]
- Import sources from fedora
- Allow using python2 at %build and %install
- turn off debug for aarch64

[1:10.7.0-4]
- Fix npm upgrade scriptlet
- Fix unexpected trailing .1 in npm release field

[1:10.7.0-3]
- Restore annotations to binaries
- Fix unexpected trailing .1 in release field

[1:10.7.0-2]
- Update to 10.7.0
- https://nodejs.org/en/blog/release/v10.7.0/
- https://nodejs.org/en/blog/release/v10.6.0/

[1:10.5.0-1.1]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

[1:10.5.0-1]
- Update to 10.5.0
- https://nodejs.org/en/blog/release/v10.5.0/

[1:10.4.1-1]
- Update to 10.4.1 to address security issues
- https://nodejs.org/en/blog/release/v10.4.1/
- Resolves: rhbz#1590801
- Resolves: rhbz#1591014
- Resolves: rhbz#1591019

[1:10.4.0-1]
- Update to 10.4.0
- https://nodejs.org/en/blog/release/v10.4.0/

[1:10.3.0-1]
- Update to 10.3.0
- Update npm to 6.1.0
- https://nodejs.org/en/blog/release/v10.3.0/

[1:10.2.1-2]
- Fix up bare 'python' to be python2
- Drop redundant entry in docs section

[1:10.2.1-1]
- Update to 10.2.1
- https://nodejs.org/en/blog/release/v10.2.1/

[1:10.2.0-1]
- Update to 10.2.0
- https://nodejs.org/en/blog/release/v10.2.0/

[1:10.1.0-3]
- Fix incorrect rpm macro

[1:10.1.0-2]
- Include upstream v8 fix for ppc64[le]
- Disable debug build on ppc64[le] and s390x

[1:10.1.0-1]
- Update to 10.1.0
- https://nodejs.org/en/blog/release/v10.1.0/
- Reenable node_g binary

[1:10.0.0-1]
- Update to 10.0.0
- https://nodejs.org/en/blog/release/v10.0.0/
- Drop workaround patch
- Temporarily drop node_g binary due to
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85587

[1:9.11.1-2]
- Use standard Fedora linker flags (bug #1543859)

[1:9.11.1-1]
- Update to 9.11.1
- https://nodejs.org/en/blog/release/v9.11.0/
- https://nodejs.org/en/blog/release/v9.11.1/

[1:9.10.0-1]
- Update to 9.10.0
- https://nodejs.org/en/blog/release/v9.10.0/

[1:9.9.0-1]
- Update to 9.9.0
- https://nodejs.org/en/blog/release/v9.9.0/

[1:9.8.0-1]
- Update to 9.8.0
- https://nodejs.org/en/blog/release/v9.8.0/

[1:9.7.0-1]
- Update to 9.7.0
- https://nodejs.org/en/blog/release/v9.7.0/
- Work around F28 build issue

[1:9.6.1-1]
- Update to 9.6.1
- https://nodejs.org/en/blog/release/v9.6.1/
- https://nodejs.org/en/blog/release/v9.6.0/

[1:9.5.0-1]
- Package Node.js 9.5.0

[1:8.9.4-2]
- Fix incorrect Requires:

[1:8.9.4-1]
- Update to 8.9.4
- https://nodejs.org/en/blog/release/v8.9.4/
- Switch to system copy of nghttp2

[1:8.9.3-2]
- Update to 8.9.3
- https://nodejs.org/en/blog/release/v8.9.3/
- https://nodejs.org/en/blog/release/v8.9.2/

[1:8.9.1-2]
- Rebuild for ICU 60.1

[1:8.9.1-1]
- Update to 8.9.1

[1:8.9.0-1]
- Update to 8.9.0
- Drop upstreamed patch

[1:8.8.1-1]
- Update to 8.8.1 to fix a regression

[1:8.8.0-1]
- Security update to 8.8.0
- https://nodejs.org/en/blog/release/v8.8.0/

[1:8.7.0-1]
- Update to 8.7.0
- https://nodejs.org/en/blog/release/v8.7.0/

[1:8.6.0-2]
- Use bcond macro instead of bootstrap conditional

[1:8.6.0-1]
- Fix nghttp2 version
- Update to 8.6.0
- https://nodejs.org/en/blog/release/v8.6.0/

[1:8.5.0-3]
- Build with bootstrap + bundle libuv for modularity
- backport patch for aarch64 debug build

[1:8.5.0-2]
- Disable debug builds on aarch64 due to https://github.com/nodejs/node/issues/15395

[1:8.5.0-1]
- Update to v8.5.0
- https://nodejs.org/en/blog/release/v8.5.0/

[1:8.4.0-2]
- Refactor openssl BR

[1:8.4.0-1]
- Update to v8.4.0
- https://nodejs.org/en/blog/release/v8.4.0/
- http2 is now supported, add bundled nghttp2
- remove openssl 1.0.1 patches, we won't be using them in fedora

[1:8.3.0-1]
- Update to v8.3.0
- https://nodejs.org/en/blog/release/v8.3.0/
- update V8 to 6.0
- update minimal gcc and g++ requirements to 4.9.4

[1:8.2.1-2]
- Bump release to fix broken dependencies

[1:8.2.1-1.2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

[1:8.2.1-1.1]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

[1:8.2.1-1]
- Update to v8.2.1
- https://nodejs.org/en/blog/release/v8.2.1/

[1:8.2.0-1]
- Update to v8.2.0
- https://nodejs.org/en/blog/release/v8.2.0/
- Update npm to 5.3.0
- Adds npx command

[1:8.1.4-3]
- s/BuildRequires/Requires/ for http-parser-devel%{?_isa}

[1:8.1.4-2]
- Rename python-devel to python2-devel
- own %{_pkgdocdir}/npm

[1:8.1.4-1]
- Update to v8.1.4
- https://nodejs.org/en/blog/release/v8.1.4/
- Drop upstreamed c-ares patch

[1:8.1.3-1]
- Update to v8.1.3
- https://nodejs.org/en/blog/release/v8.1.3/

[1:8.1.2-1]
- Update to v8.1.2
- remove GCC 7 patch, as it is now fixed in node >= 6.12

nodejs-nodemon
nodejs-packaging

Related CVEs

CVE-2025-23083

CVE-2025-23085

CVE-2025-22150

Updated Packages

Release/Architecture	Filename	MD5sum	Superseded By Advisory	Channel Label

Oracle Linux 8 (aarch64)	nodejs-20.18.2-1.module+el8.10.0+90510+29816cee.src.rpm	aba0e62a39827103b71eb0e7dcb74462	-	ol8_aarch64_appstream
	nodejs-nodemon-3.0.1-1.module+el8.10.0+90510+29816cee.src.rpm	62f9bb9ea7397168231896b5b5121e65	-	ol8_aarch64_appstream
	nodejs-packaging-2021.06-4.module+el8.10.0+90510+29816cee.src.rpm	532d9bbb4c6339f1110554333d405c7f	-	ol8_aarch64_appstream
	nodejs-20.18.2-1.module+el8.10.0+90510+29816cee.aarch64.rpm	9473ea42165c95f60cc675b283ecb839	-	ol8_aarch64_appstream
	nodejs-devel-20.18.2-1.module+el8.10.0+90510+29816cee.aarch64.rpm	f7f193e8dc43641385876ab78c4669de	-	ol8_aarch64_appstream
	nodejs-docs-20.18.2-1.module+el8.10.0+90510+29816cee.noarch.rpm	11e61b0f50481670cea5b2d86575a34a	-	ol8_aarch64_appstream
	nodejs-full-i18n-20.18.2-1.module+el8.10.0+90510+29816cee.aarch64.rpm	8548fa5f653d3308cc8c18328050a347	-	ol8_aarch64_appstream
	nodejs-nodemon-3.0.1-1.module+el8.10.0+90510+29816cee.noarch.rpm	98115b99f536ed6f53e0341112a976b0	-	ol8_aarch64_appstream
	nodejs-packaging-2021.06-4.module+el8.10.0+90510+29816cee.noarch.rpm	80e292248761462077fa9cb909524e87	-	ol8_aarch64_appstream
	nodejs-packaging-bundler-2021.06-4.module+el8.10.0+90510+29816cee.noarch.rpm	67fe34dfbd67db9c65ae2b192e9f8c8e	-	ol8_aarch64_appstream
	npm-10.8.2-1.20.18.2.1.module+el8.10.0+90510+29816cee.aarch64.rpm	957456b9307266c0afa957dc65dac1cc	-	ol8_aarch64_appstream

Oracle Linux 8 (x86_64)	nodejs-20.18.2-1.module+el8.10.0+90510+29816cee.src.rpm	aba0e62a39827103b71eb0e7dcb74462	-	ol8_x86_64_appstream
	nodejs-nodemon-3.0.1-1.module+el8.10.0+90510+29816cee.src.rpm	62f9bb9ea7397168231896b5b5121e65	-	ol8_x86_64_appstream
	nodejs-packaging-2021.06-4.module+el8.10.0+90510+29816cee.src.rpm	532d9bbb4c6339f1110554333d405c7f	-	ol8_x86_64_appstream
	nodejs-20.18.2-1.module+el8.10.0+90510+29816cee.x86_64.rpm	53f634ce908bfc64e6001a195faaa9bb	-	ol8_x86_64_appstream
	nodejs-devel-20.18.2-1.module+el8.10.0+90510+29816cee.x86_64.rpm	18c9cace82e2feab6c84ecaf2a4e911d	-	ol8_x86_64_appstream
	nodejs-docs-20.18.2-1.module+el8.10.0+90510+29816cee.noarch.rpm	11e61b0f50481670cea5b2d86575a34a	-	ol8_x86_64_appstream
	nodejs-full-i18n-20.18.2-1.module+el8.10.0+90510+29816cee.x86_64.rpm	4d99651d51de3f7b72f8458da7d3db56	-	ol8_x86_64_appstream
	nodejs-nodemon-3.0.1-1.module+el8.10.0+90510+29816cee.noarch.rpm	98115b99f536ed6f53e0341112a976b0	-	ol8_x86_64_appstream
	nodejs-packaging-2021.06-4.module+el8.10.0+90510+29816cee.noarch.rpm	80e292248761462077fa9cb909524e87	-	ol8_x86_64_appstream
	nodejs-packaging-bundler-2021.06-4.module+el8.10.0+90510+29816cee.noarch.rpm	67fe34dfbd67db9c65ae2b192e9f8c8e	-	ol8_x86_64_appstream
	npm-10.8.2-1.20.18.2.1.module+el8.10.0+90510+29816cee.x86_64.rpm	52b1332b13a8265e3384bff613a9765a	-	ol8_x86_64_appstream

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:

Oracle customers - enter a support request
Vulnerability scanning tools vendors and project maintainers - follow the standard ISV process

Technical information

Oracle Linux Support

Connect

Contact Us

Global contacts
Oracle 1-800-633-0691