Improper handling of URI Subject Alternative Names (Medium). Accepting
arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically
defined to use a particular SAN type, can result in bypassing
name-constrained intermediates. Node.js was accepting URI SAN types, which
PKIs are often not defined to use. Additionally, when a protocol allows URI
SANs, Node.js did not match the URI correctly. Versions of Node.js with the
fix for this disable the URI SAN type when checking a certificate against a
hostname. This behavior can be reverted through the --security-revert
command-line option. (CVE-2021-44531)
Node.js converts SANs (Subject Alternative Names) to a string format. It
uses this string to check peer certificates against hostnames when validating
connections. The string format was subject to an injection vulnerability when
name constraints were used within a certificate chain, allowing the bypass of
these name constraints. Versions of Node.js with the fix for this esc...
- https://bugs.mageia.org/show_bug.cgi?id=29872
- https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
- https://nodejs.org/en/blog/release/v16.13.2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IVGBTAQ3N7X3RJRMPD3QZXD76V4HSOEP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GUMNNY6AYZUDPQ3DHTM3JZST2C37ZYJB/
- https://www.cve.org/CVERecord?id=CVE-2021-44531
- https://www.cve.org/CVERecord?id=CVE-2021-44532
- https://www.cve.org/CVERecord?id=CVE-2021-44533
- https://www.cve.org/CVERecord?id=CVE-2022-21824
- 8/core/nodejs-14.18.3-2.1.mga8
Get the latest Linux and open source security news straight to your inbox.