Alerts This Week
Warning Icon 1 666
Alerts This Week
Warning Icon 1 666

Fedora 34: FEDORA-2021-9807b754d9 Medium Severity: HTTP Request Smuggling

fedora
Calendar Grey October 22, 2021
Dist Fedora Esm H88
Security patch for Fedora 34's Node.js tackling HTTP Request Smuggling vulnerabilities and delivering essential enhancements.
## 2021-10-12, Version 14.18.1 'Fermium' (LTS), @danielleadams This is a security release

Summary

Node.js is a platform built on Chrome's JavaScript runtime

for easily building fast, scalable network applications.

Node.js uses an event-driven, non-blocking I/O model that

makes it lightweight and efficient, perfect for data-intensive

real-time applications that run across distributed devices.

## 2021-10-12, Version 14.18.1 'Fermium' (LTS), @danielleadams This is a

security release. ### Notable changes * **CVE-2021-22959**: HTTP Request

Smuggling due to spaced in headers (Medium) * The http parser accepts

requests with a space (SP) right after the header name before the colon. This

can lead to HTTP Request Smuggling (HRS). More details will be available at

[CVE-2021-22959](https://www.cve.org/CVERecord?id=CVE-2021-22959)

after publication. * **CVE-2021-22960**: HTTP Request Smuggling when parsing the

body (Medium) * The parse ignores chunk extensions when parsing the body of

chunked requests. This leads to HTTP Request Smuggling (HRS) under certain

conditions. More details will be available at

[CVE-2021-22960](https://www.cve.org/CVERecord?id=CVE-2021-22960)

after publication.

* Thu Oct 14 2021 Stephen Gallagher - 1:14.18.1-1

- Update to security release 14.18.1

-

[ 1 ] Bug #2014059 - CVE-2021-22960 llhttp: HTTP Request Smuggling when parsing the body

https://bugzilla.redhat.com/show_bug.cgi?id=2014059

su -c 'dnf upgrade --advisory FEDORA-2021-9807b754d9' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Topics%20covered

Topics Covered

security advisory fedora update medium severity security release nodejs http request smuggling

Change Log

References

Update Instructions

Severity
medium
Lowest
Low
Medium
High
Critical

Product: Fedora 34
Version: 14.18.1
Release: 1.fc34
URL: https://nodejs.org/en/
Summary: JavaScript runtime

Topics%20covered

Topics Covered

security advisory fedora update medium severity security release nodejs http request smuggling

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here