Alerts This Week
Warning Icon 1 684
Alerts This Week
Warning Icon 1 684

Red Hat OpenShift 3.3 RHSA-2016-2101-01 Moderate Nodejs Denial Of Service

Calendar Oct 27, 2016 User Avatar LinuxSecurity Advisories
2 - 4 min read
Redhat Large Esm H500
Topics%20covered

Topics Covered

security advisory bug fix DoS Moderate Red Hat OpenShift nodejs tough-cookie
An update for nodejs-tough-cookie and nodejs is now available for Red Hat OpenShift Container Platform 3.1, 3.2, and 3.3. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: nodejs and nodejs-tough-cookie security, bug fix, and enhancement update
Advisory ID:       RHSA-2016:2101-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:2101
Issue date:        2016-10-27
CVE Names:         CVE-2016-1000232 CVE-2016-5325 
====================================================================
1. Summary:

An update for nodejs-tough-cookie and nodejs is now available for Red Hat 
OpenShift Container Platform 3.1, 3.2, and 3.3.

Red Hat Product Security has rated this update as having a security impact 
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from 
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.3 - noarch, x86_64
Red Hat OpenShift Enterprise 3.1 - noarch, x86_64
Red Hat OpenShift Enterprise 3.2 - noarch, x86_64

3. Description:

Red Hat OpenShift Container Platform is the company's cloud computing 
Platform-as-a-Service (PaaS) solution designed for on-premise or private 
cloud deployments.

Security Fix(es):

* A regular expression denial of service flaw was found in Tough-Cookie. An
attacker able to make an application using Touch-Cookie to parse a 
sufficiently large HTTP request Cookie header could cause the application 
to consume an excessive amount of CPU. (CVE-2016-1000232)

* It was found that the reason argument in ServerResponse#writeHead() was 
not properly validated. A remote attacker could possibly use this flaw to 
conduct an HTTP response splitting attack via a specially-crafted HTTP 
request. (CVE-2016-5325)

This advisory contains the RPM packages for this release. See the following
advisory for the container images fixes for this release:

https://access.redhat.com/errata/RHBA-2016:2100

4. Solution:

For details on how to apply this update in OpenShift Container Platform 3,
see the Solution section of the following advisory: 

https://access.redhat.com/errata/RHBA-2016:2100

5. Bugs fixed (https://bugzilla.redhat.com/):

1346910 - CVE-2016-5325 nodejs: reason argument in ServerResponse#writeHead() not properly validated
1359818 - CVE-2016-1000232 nodejs-tough-cookie: regular expression DoS via Cookie header with many semicolons
1382854 - [3.1,3.2,3.3] nodejs rpm updates for logging-auth-proxy

6. Package List:

Red Hat OpenShift Enterprise 3.1:

Source:
nodejs-0.10.47-2.el7.src.rpm
nodejs-tough-cookie-2.3.1-1.el7.src.rpm

noarch:
nodejs-docs-0.10.47-2.el7.noarch.rpm
nodejs-tough-cookie-2.3.1-1.el7.noarch.rpm

x86_64:
nodejs-0.10.47-2.el7.x86_64.rpm
nodejs-debuginfo-0.10.47-2.el7.x86_64.rpm
nodejs-devel-0.10.47-2.el7.x86_64.rpm

Red Hat OpenShift Enterprise 3.2:

Source:
nodejs-0.10.47-2.el7.src.rpm
nodejs-tough-cookie-2.3.1-1.el7.src.rpm

noarch:
nodejs-docs-0.10.47-2.el7.noarch.rpm
nodejs-tough-cookie-2.3.1-1.el7.noarch.rpm

x86_64:
nodejs-0.10.47-2.el7.x86_64.rpm
nodejs-debuginfo-0.10.47-2.el7.x86_64.rpm
nodejs-devel-0.10.47-2.el7.x86_64.rpm

Red Hat OpenShift Container Platform 3.3:

Source:
nodejs-0.10.47-2.el7.src.rpm
nodejs-tough-cookie-2.3.1-1.el7.src.rpm

noarch:
nodejs-docs-0.10.47-2.el7.noarch.rpm
nodejs-tough-cookie-2.3.1-1.el7.noarch.rpm

x86_64:
nodejs-0.10.47-2.el7.x86_64.rpm
nodejs-debuginfo-0.10.47-2.el7.x86_64.rpm
nodejs-devel-0.10.47-2.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2016-1000232
https://access.redhat.com/security/cve/CVE-2016-5325
https://access.redhat.com/security/updates/classification#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYEjZhXlSAg2UNWIIRAvpBAKDEWC6ztC/S4dgLmh/ODSF864GxvACfYW9c
lWMlqAZ1pvo+ZnOKWYemVfA=tgnX
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list
This email address is being protected from spambots. You need JavaScript enabled to view it.

Red Hat OpenShift 3.3 RHSA-2016-2101-01 Moderate Nodejs Denial Of Service

red hat
Calendar Grey October 27, 2016
Dist Redhat Esm H88
A recent security patch has been released for nodejs and nodejs-tough-cookie in the Red Hat OpenShift Container Platform.
An update for nodejs-tough-cookie and nodejs is now available for Red Hat OpenShift Container Platform 3.1, 3.2, and 3.3

Solution

For details on how to apply this update in OpenShift Container Platform 3, see the Solution section of the following advisory:

https://access.redhat.com/errata/RHBA-2016:2100

Summary

Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.
Security Fix(es):
* A regular expression denial of service flaw was found in Tough-Cookie. An attacker able to make an application using Touch-Cookie to parse a sufficiently large HTTP request Cookie header could cause the application to consume an excessive amount of CPU. (CVE-2016-1000232)
* It was found that the reason argument in ServerResponse#writeHead() was not properly validated. A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request. (CVE-2016-5325)
This advisory contains the RPM packages for this release. See the following advisory for the container images fixes for this release:
https://access.redhat.com/errata/RHBA-2016:2100

Topics%20covered

Topics Covered

security advisory bug fix DoS Moderate Red Hat OpenShift nodejs tough-cookie

References

https://access.redhat.com/security/cve/CVE-2016-1000232 https://access.redhat.com/security/cve/CVE-2016-5325 https://access.redhat.com/security/updates/classification#moderate

Package List

Red Hat OpenShift Enterprise 3.1:
Source: nodejs-0.10.47-2.el7.src.rpm nodejs-tough-cookie-2.3.1-1.el7.src.rpm
noarch: nodejs-docs-0.10.47-2.el7.noarch.rpm nodejs-tough-cookie-2.3.1-1.el7.noarch.rpm
x86_64: nodejs-0.10.47-2.el7.x86_64.rpm nodejs-debuginfo-0.10.47-2.el7.x86_64.rpm nodejs-devel-0.10.47-2.el7.x86_64.rpm
Red Hat OpenShift Enterprise 3.2:
Source: nodejs-0.10.47-2.el7.src.rpm nodejs-tough-cookie-2.3.1-1.el7.src.rpm
noarch: nodejs-docs-0.10.47-2.el7.noarch.rpm nodejs-tough-cookie-2.3.1-1.el7.noarch.rpm
x86_64: nodejs-0.10.47-2.el7.x86_64.rpm nodejs-debuginfo-0.10.47-2.el7.x86_64.rpm nodejs-devel-0.10.47-2.el7.x86_64.rpm
Red Hat OpenShift Container Platform 3.3:
Source: nodejs-0.10.47-2.el7.src.rpm nodejs-tough-cookie-2.3.1-1.el7.src.rpm
noarch: nodejs-docs-0.10.47-2.el7.noarch.rpm nodejs-tough-cookie-2.3.1-1.el7.noarch.rpm
x86_64: nodejs-0.10.47-2.el7.x86_64.rpm nodejs-debuginfo-0.10.47-2.el7.x86_64.rpm nodejs-devel-0.10.47-2.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key


Advisory ID: RHSA-2016:2101-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2016:2101
Issue date: 2016-10-27

Topic

An update for nodejs-tough-cookie and nodejs is now available for Red Hat OpenShift Container Platform 3.1, 3.2, and 3.3.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory bug fix DoS Moderate Red Hat OpenShift nodejs tough-cookie

Relevant Releases Architectures

Red Hat OpenShift Container Platform 3.3 - noarch, x86_64

Red Hat OpenShift Enterprise 3.1 - noarch, x86_64

Red Hat OpenShift Enterprise 3.2 - noarch, x86_64

Bugs Fixed

1346910 - CVE-2016-5325 nodejs: reason argument in ServerResponse#writeHead() not properly validated

1359818 - CVE-2016-1000232 nodejs-tough-cookie: regular expression DoS via Cookie header with many semicolons

1382854 - [3.1,3.2,3.3] nodejs rpm updates for logging-auth-proxy

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here