How do i update node.js in zammad 6.3

Hello,

I am using version 6.3 on a RHEL8. It seems that in this version node.js is used in a version with security vulnerabilities.
How do I find out which versions of node.js are installed? (I used the package installation.) How do I update the version without getting problems with my zammad installation?

regards
Roberto

/opt/zammad/bin/node -v

v20.9.0

This version has the following security findings:
CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)

CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)

CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High)

CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High)

CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium

CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)

CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)

CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)

I should upgrade to version 20.11.1
How can I do this without breaking the system?

The following is technically possible but not update safe nor recommended. Any issue occurring to this action is solely your issue.

Thank you for your answer.

I will first change the permissions so that node is no longer executable. Let’s see if that’s enough for the auditor.

This topic was automatically closed 360 days after the last reply. New replies are no longer allowed.