Mageia 8: 2021-0372 Critical Nodejs Update for ReDoS Attack

Mageia, July 25, 2021
Mageia 8 nodejs patch addresses significant vulnerabilities in the y18n, hosted-git-info, and ssri libraries. Check for further information.

Summary

This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true (CVE-2020-7774).
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity (CVE-2021-23362).
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option (CVE-2021-27290).
These issues are fixed by upgrading the nodejs packages to the latest available LTS version, 14.17.3. See the upstream release notes for other included bugfixes.
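The CVE-2020-7774 PoC above works because, on a plain object, the property named '__proto__' resolves to Object.prototype, so a locale cache keyed by an unchecked locale name writes caller-supplied keys onto the global prototype. As an added example (not y18n's, Node.js's or Mageia's code; the class and method names are hypothetical), here is a simplified locale store in the vulnerable and in a hardened form, with a check that reports whether the PoC sequence polluted the global prototype:

```javascript
// Added example (hypothetical names; not y18n's code): a minimal locale cache
// that merges caller keys, in the vulnerable and a hardened form.

// Vulnerable shape: plain-object cache, locale name used unchecked as a key.
class UnsafeLocaleStore {
  constructor() { this.cache = {}; this.locale = 'en'; }
  setLocale(locale) { this.locale = locale; }
  updateLocale(obj) {
    // On a plain object, cache['__proto__'] *is* Object.prototype: it passes
    // the truthiness check, so every key below is written to the global prototype.
    if (!this.cache[this.locale]) this.cache[this.locale] = {};
    for (const key of Object.keys(obj)) this.cache[this.locale][key] = obj[key];
  }
}

// Hardened shape: null-prototype maps (no inherited __proto__ accessor) plus
// an explicit denylist for names that can reach a prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

class SafeLocaleStore {
  constructor() { this.cache = Object.create(null); this.locale = 'en'; }
  setLocale(locale) {
    if (FORBIDDEN_KEYS.has(locale)) throw new Error(`refusing locale name: ${locale}`);
    this.locale = locale;
  }
  updateLocale(obj) {
    if (!this.cache[this.locale]) this.cache[this.locale] = Object.create(null);
    for (const key of Object.keys(obj)) {
      if (FORBIDDEN_KEYS.has(key)) continue; // never write prototype-affecting keys
      this.cache[this.locale][key] = obj[key];
    }
  }
}

// Runs the advisory's PoC sequence against a store and reports whether a fresh
// object inherited the injected key; restores Object.prototype afterwards.
function pollutionCheck(StoreClass) {
  const store = new StoreClass();
  let threw = false;
  try {
    store.setLocale('__proto__');
    store.updateLocale({ polluted: true });
  } catch (e) {
    threw = true;
  }
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted; // clean up so later code is unaffected
  return { threw, polluted };
}
```

The same check is a cheap regression test for any code that merges untrusted keys into an object selected by an untrusted name.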

References

- https://bugs.mageia.org/show_bug.cgi?id=29028
- https://nodejs.org/en/blog/release/v14.17.0/
- https://nodejs.org/en/blog/release/v14.17.1/
- https://nodejs.org/en/blog/release/v14.17.2/
- https://nodejs.org/en/blog/release/v14.17.3/
- https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
- https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/
- https://nodejs.org/en/blog/release/v14.16.1/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TE6GHYMCD4SLCPTFPANLIYWCPHXC4G5T/
- https://www.cve.org/CVERecord?id=CVE-2020-7774
- https://www.cve.org/CVERecord?id=CVE-2021-23362
- https://www.cve.org/CVERecord?id=CVE-2021-27290

Resolution

SRPMS

- 8/core/nodejs-14.17.3-1.mga8

Severity
critical

Publication date: 25 Jul 2021
URL: https://advisories.mageia.org/MGASA-2021-0372.html
Type: security
CVE: CVE-2020-7774, CVE-2021-23362, CVE-2021-27290
