{"id":"MGASA-2024-0282","summary":"Updated nodejs & yarnpkg packages fix security vulnerabilities","details":"Nodejs 22 is the new active LTS branch and 5 CVE are fixed.\nCVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)\nCVE-2024-22020 - Bypass network import restriction via data URL (Medium)\nCVE-2024-22018 - fs.lstat bypasses permission model (Low)\nCVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)\nCVE-2024-37372 - Permission model improperly processes UNC paths (Low)\nyarn package is updated with npm 10.8.2\n","modified":"2026-02-04T02:17:26.087160Z","published":"2024-08-28T17:11:44Z","related":["CVE-2024-22018","CVE-2024-22020","CVE-2024-36137","CVE-2024-36138","CVE-2024-37372"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2024-0282.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=33415"},{"type":"REPORT","url":"https://github.com/nodejs/node/releases/tag/v22.6.0"},{"type":"REPORT","url":"https://github.com/nodejs/node/releases/tag/v22.5.1"},{"type":"REPORT","url":"https://github.com/nodejs/node/releases/tag/v22.5.0"},{"type":"REPORT","url":"https://github.com/nodejs/node/releases/tag/v22.4.1"},{"type":"REPORT","url":"https://github.com/nodejs/node/releases/tag/v22.3.0"},{"type":"REPORT","url":"https://github.com/nodejs/node/releases/tag/v22.2.0"},{"type":"REPORT","url":"https://github.com/nodejs/node/releases/tag/v22.1.0"},{"type":"REPORT","url":"https://github.com/nodejs/node/releases/tag/v22.0.0"},{"type":"REPORT","url":"https://github.com/yarnpkg/yarn/releases/tag/v1.22.22"}],"affected":[{"package":{"name":"nodejs","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/nodejs?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"22.6.0-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2024-0282.json"}},{"package":{"name":"yarnpkg","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/yarnpkg?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.22.22-0.10.8.2.1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2024-0282.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}