I need to install nodejs10 on a CentOS 7 box - so I tried using SCL to achieve this goal:
# yum install centos-release-scl-rh
# yum install rh-nodejs10
# scl enable rh-nodejs10 bash
# node -v
v10.10.0
So this version is not the most recent, but if all necessary patches are applied this should be OK.
Based on the Red Hat Software Collections Product Life Cycle, support runs from Nov 2018 to Apr 2021, so I would expect everything to be fine.
So I tried to find out which version / what patches are applied. Because rh-nodejs10 is a meta-rpm (?), I queried the rpm DB for information about the installed packages / dependencies and displayed the info.
# rpm -qiRl rh-nodejs10
Name : rh-nodejs10
Version : 3.2
Release : 2.el7
Architecture: x86_64
Install Date: Sa 04 Mai 2019 12:43:55 CEST
Group : Unspecified
Size : 0
..
Source RPM : rh-nodejs10-3.2-2.el7.src.rpm
Build Date : Di 30 Okt 2018 14:17:17 CET
Packager : CBS <cbs@centos.org>
Vendor : CentOS
Summary : rh-nodejs10 Software Collection
Description :
This is the main package for rh-nodejs10 Software Collection.
rh-nodejs10-runtime
rh-nodejs10-nodejs
rh-nodejs10-npm
So the main package was built at the end of Oct 2018. The rh-nodejs10-nodejs was built in Nov. 2018 and is based on the source package rh-nodejs10-nodejs-10.10.0-2.el7.src.rpm.
My question is: has there been any update to this package since November?
When I searched for CVEs I found something on the Node.js homepage which says Node.js 10 is vulnerable to CVE-2019-5737. The text says:
"This vulnerability is an extension of CVE-2018-12121, addressed in November, 2018. The 40 second timeout and its adjustment by server.headersTimeout apply to this fix as in CVE-2018-12121."
As a non-native speaker, I would guess a system already patched against CVE-2018-12121 is not vulnerable?
If so: is the needed patch applied in the SCL version?
rpm -q --changelog rh-nodejs10-nodejs | less
* Mi Okt 31 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 10.10.0-2
- Resolves: RHBZ#1584252
- comment out native.req file to prevent conflict with other Node.js
- installations (rhbz#1637922)
* Fr Sep 14 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 10.10.0-1
- rebase to v10.10.0
- update patches for openssl
- TODO: remove useless comments, fix failing tests, update bundled provides
The last entry is from Oct 2018. So I guess it is not patched?
Regards, Markus
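The check the question is circling around, scanning the package changelog for a CVE or Bugzilla id and comparing the packaged version against a minimum, written as an added example (not code from the post or from the CentOS/Red Hat SCL project). It takes the changelog text as an argument so it runs without rpm installed; the sample changelog is the excerpt quoted above, and the version numbers used in the comparison are constructed. It assumes GNU `sort -V` for version ordering. The upstream version that first shipped a given fix must be taken from the Node.js advisory, and because distribution packages backport fixes without changing the upstream version string, a version comparison alone is never conclusive; an id missing from the changelog is a reason to ask the vendor, not proof the package is unpatched.

```shell
#!/bin/sh
# Added example, not part of the original post. Helpers for deciding whether an
# rpm changelog names a given security id and whether a packaged version meets a
# minimum. Inputs are passed in explicitly so the script runs without rpm.

# Constructed sample: the changelog excerpt quoted in the question.
SAMPLE_CHANGELOG='* Mi Okt 31 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 10.10.0-2
- Resolves: RHBZ#1584252
- comment out native.req file to prevent conflict with other Node.js
- installations (rhbz#1637922)
* Fr Sep 14 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 10.10.0-1
- rebase to v10.10.0
- update patches for openssl'

# changelog_mentions CHANGELOG ID
# Exit status 0 if ID appears anywhere in CHANGELOG (case-insensitive), 1 otherwise.
changelog_mentions() {
    printf '%s\n' "$1" | grep -qi -- "$2"
}

# latest_entry_version CHANGELOG
# Print the version-release from the first "* ..." header line (newest entry).
latest_entry_version() {
    printf '%s\n' "$1" | sed -n 's/^\* .* - \([0-9][^ ]*\)$/\1/p' | head -n 1
}

# version_at_least HAVE WANT
# Exit status 0 if HAVE >= WANT in GNU sort -V ordering.
version_at_least() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# Stand-alone run: repeat the question's check for its two CVEs and one RHBZ id.
# On a real box, replace SAMPLE_CHANGELOG with the output of:
#   rpm -q --changelog rh-nodejs10-nodejs
for id in CVE-2018-12121 CVE-2019-5737 'RHBZ#1584252'; do
    if changelog_mentions "$SAMPLE_CHANGELOG" "$id"; then
        echo "$id: mentioned in changelog"
    else
        echo "$id: not mentioned (ask the vendor; backports do not always cite ids)"
    fi
done
echo "newest changelog entry: $(latest_entry_version "$SAMPLE_CHANGELOG")"
```

The three helpers are separate on purpose: a changelog grep answers "did the packager say they fixed it", the version check answers "is the upstream fix version reached", and only the two together, plus the vendor's own CVE page, give a defensible answer.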