On Tue, 2026-01-13 at 20:44 -0500, Jan Schaumann wrote:
> Alan Coopersmith <[email protected]> wrote:
> 
> > The node.js team has also published a much more in-depth discussion
> > at:
> > https://nodejs.org/en/blog/vulnerability/january-2026-dos-mitigation-async-hooks
> 
> Thanks for that - this link would have been useful for
> the NodeJS team to share on their nodejs-sec mailing
> list.
> 
> > with a shorter intro in the thread starting at:
> > https://x.com/matteocollina/status/2011137343323865196
> 
> Here's a link that doesn't require an account on, uhm,
> _that_ platform:
> 
> https://nitter.net/matteocollina/status/2011137343323865196#m
> 
> -Jan

Do we know if older releases are available?
The analysis seems to be ... inconsistent on this:

* The NodeJS blog post does not mention old releases.
* The Hacker News indicates versions from 8.x and up are all affected:
  https://thehackernews.com/2026/01/critical-nodejs-vulnerability-can-cause.html
* SUSE thinks versions 20 and below are not affected:
  https://www.suse.com/security/cve/CVE-2025-59466.html
* I can't find a RHEL security advisory yet, but el9/c9s ships NodeJS 16 as a normal 'ursine' RPM, and maintained versions are only shipped as modular RPMs in streams (thankfully EL10 does away with modularity).

RHEL/CentOS's nodejs 16 does seem to get CVE fixes backported in 2024, after that branch has gone EOL:
https://gitlab.com/redhat/centos-stream/rpms/nodejs/-/commits/c9s?ref_type=heads

Best regards,

-- 
_o) Michel Lind
_( ) https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
README: https://fedoraproject.org/wiki/User:Salimma#README
