#nodejs

### Impact When invoking a capability with a chain depth of 2, i.e., it is delegated directly from the root capability, the `expires` property is not properly checked against the current date or other `date` param. This can allow invocations outside of the original intended time period. A zcap still cannot be invoked without being able to use the associated private key material. ### Patches `@digitalbazaar/zcap` v9.0.1 fixes expiration checking. ### Workarounds A zcap could be revoked at any time. ### References https://github.com/digitalbazaar/zcap/pull/82

Red Hat Security Advisory 2024-1688-03 - An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 9. Issues addressed include bypass, denial of service, privilege escalation, and traversal vulnerabilities.

Red Hat Security Advisory 2024-1687-03 - An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 8. Issues addressed include bypass, denial of service, privilege escalation, and traversal vulnerabilities.

A vulnerability, which was classified as critical, has been found in kyivstarteam react-native-sms-user-consent up to 1.1.4 on Android. Affected by this issue is the function `registerReceiver` of the file `android/src/main/java/ua/kyivstar/reactnativesmsuserconsent/SmsUserConsentModule.kt`. The manipulation leads to improper export of android application components. Attacking locally is a requirement. Upgrading to version 1.1.5 is able to address this issue. The name of the patch is 5423dcb0cd3e4d573b5520a71fa08aa279e4c3c7. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-259508.

By Deeba Ahmed New Byakugan Malware Steals Data, Grants Remote Access & Uses OBS Studio to Spy! Fortinet reveals a phishing campaign distributing Byakugan malware disguised as a PDF. Don't click! Learn how to stay safe. This is a post from HackRead.com Read the original post: Beware the Blur: Phishing Scam Drops Byakugan Malware via Fake PDF

Red Hat Security Advisory 2024-1678-03 - An update for nodejs is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a denial of service vulnerability.

### Impact If an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered. ### Patches Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes has been released in v5.28.4 and v6.11.1. ### Workarounds Ensure that `integrity` cannot be tampered with. ### References https://hackerone.com/reports/2377760

### Impact Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. ### Patches This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes has been released in v5.28.4 and v6.11.1. ### Workarounds use `fetch()` or disable `maxRedirections`. ### References Linzi Shang reported this. * https://hackerone.com/reports/2408074 * https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3

Red Hat Security Advisory 2024-1503-03 - An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 9. Issues addressed include denial of service and privilege escalation vulnerabilities.

By Waqas Critical Backdoor Alert! Patch XZ Utils Now (CVE-2024-3094) & Secure Your Linux System. Learn how a hidden backdoor… This is a post from HackRead.com Read the original post: Backdoor Discovered in XZ Utils: Patch Your Systems Now (CVE-2024-3094)