Alerts This Week
Warning Icon 1 700
Alerts This Week
Warning Icon 1 700

Fedora 33: 2021-cbad295a90 Medium: Node.js HTTP Request Smuggling

fedora
Calendar Grey October 22, 2021
Dist Fedora Esm H88
The recent security patch for Node.js in Fedora 33 remedies vulnerabilities related to HTTP Request Smuggling. Ensure you upgrade to the latest release to maintain optimal protection.
## 2021-10-12, Version 14.18.1 'Fermium' (LTS), @danielleadams This is a security release

Summary

Node.js is a platform built on Chrome's JavaScript runtime

for easily building fast, scalable network applications.

Node.js uses an event-driven, non-blocking I/O model that

makes it lightweight and efficient, perfect for data-intensive

real-time applications that run across distributed devices.

## 2021-10-12, Version 14.18.1 'Fermium' (LTS), @danielleadams This is a

security release. ### Notable changes * **CVE-2021-22959**: HTTP Request

Smuggling due to spaced in headers (Medium) * The http parser accepts

requests with a space (SP) right after the header name before the colon. This

can lead to HTTP Request Smuggling (HRS). More details will be available at

[CVE-2021-22959](https://www.cve.org/CVERecord?id=CVE-2021-22959)

after publication. * **CVE-2021-22960**: HTTP Request Smuggling when parsing the

body (Medium) * The parse ignores chunk extensions when parsing the body of

chunked requests. This leads to HTTP Request Smuggling (HRS) under certain

conditions. More details will be available at

[CVE-2021-22960](https://www.cve.org/CVERecord?id=CVE-2021-22960)

after publication.

* Thu Oct 14 2021 Stephen Gallagher - 1:14.18.1-1

- Update to security release 14.18.1

-

[ 1 ] Bug #2014059 - CVE-2021-22960 llhttp: HTTP Request Smuggling when parsing the body

https://bugzilla.redhat.com/show_bug.cgi?id=2014059

su -c 'dnf upgrade --advisory FEDORA-2021-cbad295a90' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Topics%20covered

Topics Covered

security advisory security update fedora http smuggling medium threat nodejs

Change Log

References

Update Instructions

Severity
medium
Lowest
Low
Medium
High
Critical

Product: Fedora 33
Version: 14.18.1
Release: 1.fc33
URL: https://nodejs.org/en/
Summary: JavaScript runtime

Topics%20covered

Topics Covered

security advisory security update fedora http smuggling medium threat nodejs

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here