8.11 releases of node.js fixes the following CVEs:
CVE-2018-7158
CVE-2018-7159
CVE-2018-7160
ubuntu bionic package 8.10.0~dfsg-2 does not include those fixes.
package changelog is
nodejs (8.10.0~dfsg-2) experimental; urgency=medium
* Drop binutils dependency (Closes: #893841)
* Move repository to https://salsa.debian.org/js-team/nodejs.git
-- Jérémy Lal <email address hidden> Fri, 23 Mar 2018 09:30:55 +0100
nodejs (8.10.0~dfsg-1) experimental; urgency=medium
* New upstream version 8.10.0~dfsg
* Vcs-Git for that branch
* Remove openssl patches and others, applied upstream
* Depends icu 60.2
* Patch: build doc using node-js-yaml
* Build-Depends node-js-yaml
-- Jérémy Lal <email address hidden> Fri, 16 Mar 2018 10:25:24 +0100
[...]
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: nodejs (not installed)
ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
Uname: Linux 4.15.0-20-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Fri May 11 16:08:03 2018
InstallationDate: Installed on 2018-05-07 (3 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=fr_FR.UTF-8
SHELL=/bin/bash
SourcePackage: nodejs
UpgradeStatus: No upgrade log present (probably fresh install)
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/