Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 547
Alerts This Week
Warning Icon 1 547

Fedora 35: 2022-0eda327cb4 Medium: Nodejs URI Issues Resolved

fedora
Calendar Grey January 20, 2022
Dist Fedora Esm H88
Fedora release for nodejs 16.13.2 addresses several security vulnerabilities, notably in URI processing and certificate validation.
## 2022-01-10, Version 16.13.2 'Gallium' (LTS), @danielleadams This is a security release

Summary

Node.js is a platform built on Chrome's JavaScript runtime

for easily building fast, scalable network applications.

Node.js uses an event-driven, non-blocking I/O model that

makes it lightweight and efficient, perfect for data-intensive

real-time applications that run across distributed devices.

## 2022-01-10, Version 16.13.2 'Gallium' (LTS), @danielleadams This is a

security release. ### Notable changes #### Improper handling of URI Subject

Alternative Names (Medium)(CVE-2021-44531) Accepting arbitrary Subject

Alternative Name (SAN) types, unless a PKI is specifically defined to use a

particular SAN type, can result in bypassing name-constrained intermediates.

Node.js was accepting URI SAN types, which PKIs are often not defined to use.

Additionally, when a protocol allows URI SANs, Node.js did not match the URI

correctly. Versions of Node.js with the fix for this disable the URI SAN type

when checking a certificate against a hostname. This behavior can be reverted

through the `--security-revert` command-line option. More details will be

available at [CVE-2021-44531](https://www.cve.org/CVERecord?id=CVE-2021-44531) after publication. #### Certificate

Verification Bypass via String Injection (Medium)(CVE-2021-44532) Node.js

converts SANs (Subject Alternative Names) to a string format. It uses this

string to check peer certificates against hostnames when validating connections.

The string format was subject to an injection vulnerability when name

constraints were used within a certificate chain, allowing the bypass of these

name constraints. Versions of Node.js with the fix for this escape SANs

containing the problematic characters in order to prevent the injection. This

behavior can be reverted through the `--security-revert` command-line option.

More details will be available at [CVE-2021-44532](https://www.cve.org/CVERecord?id=CVE-2021-44532) after publication. #### Incorrect handling

of certificate subject and issuer fields (Medium)(CVE-2021-44533) Node.js did

not handle multi-value Relative Distinguished Names correctly. Attackers could

craft certificate subjects containing a single-value Relative Distinguished Name

that would be interpreted as a multi-value Relative Distinguished Name, for

example, in order to inject a Common Name that would allow bypassing the

certificate subject verification. Affected versions of Node.js do not accept

multi-value Relative Distinguished Names and are thus not vulnerable to such

attacks themselves. However, third-party code that uses node's ambiguous

presentation of certificate subjects may be vulnerable. More details will be

available at [CVE-2021-44533](https://www.cve.org/CVERecord?id=CVE-2021-44533) after publication. #### Prototype

pollution via `console.table` properties (Low)(CVE-2022-21824) Due to the

formatting logic of the `console.table()` function it was not safe to allow user

controlled input to be passed to the `properties` parameter while simultaneously

passing a plain object with at least one property as the first parameter, which

could be `__proto__`. The prototype pollution has very limited control, in that

it only allows an empty string to be assigned numerical keys of the object

prototype. Versions of Node.js with the fix for this use a null protoype for

the object these properties are being assigned to. More details will be

available at [CVE-2022-21824](https://www.cve.org/CVERecord?id=CVE-2022-21824) after publication. Thanks to Patrik

Oldsberg (rugvip) for reporting this vulnerability.

* Tue Jan 11 2022 Stephen Gallagher - 1:16.13.2-1

- Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)

- Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)

- Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)

- Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)

* Thu Dec 2 2021 Stephen Gallagher - 1:16.13.1-2

- Enable building for EPEL 8 modules

* Thu Dec 2 2021 Stephen Gallagher - 1:16.13.1-1

- Update to 16.13.1

-

[ 1 ] Bug #2040839 - CVE-2021-44531 nodejs: Improper handling of URI Subject Alternative Names

https://bugzilla.redhat.com/show_bug.cgi?id=2040839

[ 2 ] Bug #2040846 - CVE-2021-44532 nodejs: Certificate Verification Bypass via String Injection

https://bugzilla.redhat.com/show_bug.cgi?id=2040846

[ 3 ] Bug #2040856 - CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields

https://bugzilla.redhat.com/show_bug.cgi?id=2040856

[ 4 ] Bug #2040862 - CVE-2022-21824 nodejs: Prototype pollution via console.table properties

https://bugzilla.redhat.com/show_bug.cgi?id=2040862

su -c 'dnf upgrade --advisory FEDORA-2022-0eda327cb4' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Change Log

References

Update Instructions

Severity
medium
Lowest
Low
Medium
High
Critical

Product: Fedora 35
Version: 16.13.2
Release: 1.fc35
Summary: JavaScript runtime

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.