Mageia 2022-0294: nodejs security update | LinuxSecurity.com

Advisories

MGASA-2022-0294 - Updated nodejs packages fix security vulnerability

Publication date: 25 Aug 2022
URL: https://advisories.mageia.org/MGASA-2022-0294.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-43616,
     CVE-2022-32212,
     CVE-2022-32213,
     CVE-2022-32214,
     CVE-2022-32215,
     CVE-2022-32222

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an
installation even if dependency information in package-lock.json differs
from package.json. This behavior is inconsistent with the documentation,
and makes it easier for attackers to install malware that was supposed to
have been blocked by an exact version match requirement in
package-lock.json. (CVE-2021-43616)

DNS rebinding in --inspect via invalid IP addresses (CVE-2022-32212)

HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding
(CVE-2022-32213)

HTTP Request Smuggling - Improper Delimiting of Header Fields
(CVE-2022-32214)

HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding
(CVE-2022-32215)

Attempt to read openssl.cnf from /home/iojs/build/ upon startup
(CVE-2022-32222)

References:
- https://bugs.mageia.org/show_bug.cgi?id=30078
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
- https://github.com/nodejs/node/releases/tag/v14.19.0
- https://github.com/nodejs/node/releases/tag/v14.19.1
- https://github.com/nodejs/node/releases/tag/v14.19.2
- https://github.com/nodejs/node/releases/tag/v14.19.3
- https://github.com/nodejs/node/releases/tag/v14.20.0
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43616
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32213
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32214
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32215
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32222

SRPMS:
- 8/core/nodejs-14.20.0-1.1.mga8

Mageia 2022-0294: nodejs security update

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json

Summary

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. (CVE-2021-43616)
DNS rebinding in --inspect via invalid IP addresses (CVE-2022-32212)
HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding (CVE-2022-32213)
HTTP Request Smuggling - Improper Delimiting of Header Fields (CVE-2022-32214)
HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (CVE-2022-32215)
Attempt to read openssl.cnf from /home/iojs/build/ upon startup (CVE-2022-32222)

References

- https://bugs.mageia.org/show_bug.cgi?id=30078

- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/

- https://github.com/nodejs/node/releases/tag/v14.19.0

- https://github.com/nodejs/node/releases/tag/v14.19.1

- https://github.com/nodejs/node/releases/tag/v14.19.2

- https://github.com/nodejs/node/releases/tag/v14.19.3

- https://github.com/nodejs/node/releases/tag/v14.20.0

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43616

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32213

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32214

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32215

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32222

Resolution

MGASA-2022-0294 - Updated nodejs packages fix security vulnerability

SRPMS

- 8/core/nodejs-14.20.0-1.1.mga8

Severity
Publication date: 25 Aug 2022
URL: https://advisories.mageia.org/MGASA-2022-0294.html
Type: security
CVE: CVE-2021-43616, CVE-2022-32212, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-32222

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.