Mageia: 2022-0294 Moderate: Nodejs Installation Issue Security Advisory
mageia
August 25, 2022
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json
Summary
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an
installation even if dependency information in package-lock.json differsfrom package.json. This behavior is inconsistent with the documentation,
and makes it easier for attackers to install malware that was supposed to
have been blocked by an exact version match requirement in
package-lock.json. (CVE-2021-43616)
DNS rebinding in --inspect via invalid IP addresses (CVE-2022-32212)
HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding
(CVE-2022-32213)
HTTP Request Smuggling - Improper Delimiting of Header Fields
(CVE-2022-32214)
HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding
(CVE-2022-32215)
Attempt to read openssl.cnf from /home/iojs/build/ upon startup
(CVE-2022-32222)
References
- https://bugs.mageia.org/show_bug.cgi?id=30078
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
- https://github.com/nodejs/node/releases/tag/v14.19.0
- https://github.com/nodejs/node/releases/tag/v14.19.1
- https://github.com/nodejs/node/releases/tag/v14.19.2
- https://github.com/nodejs/node/releases/tag/v14.19.3
- https://github.com/nodejs/node/releases/tag/v14.20.0
- https://www.cve.org/CVERecord?id=CVE-2021-43616
- https://www.cve.org/CVERecord?id=CVE-2022-32212
- https://www.cve.org/CVERecord?id=CVE-2022-32213
- https://www.cve.org/CVERecord?id=CVE-2022-32214
- https://www.cve.org/CVERecord?id=CVE-2022-32215
- https://www.cve.org/CVERecord?id=CVE-2022-32222
Topics Covered
Resolution
SRPMS
- 8/core/nodejs-14.20.0-1.1.mga8
PREVIOUS
NEXT
Publication date: 25 Aug 2022
URL: https://advisories.mageia.org/MGASA-2022-0294.html
Type: security
CVE: CVE-2021-43616,
CVE-2022-32212,
CVE-2022-32213,
CVE-2022-32214,
CVE-2022-32215,
CVE-2022-32222
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!