RedHat: RHSA-2020-4903-01 Moderate: Nodejs:12 Security Update

Red Hat Enterprise Linux RHSA-2020:4903-01 Nodejs 12 Security Fixes Release

An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: nodejs:12 security and bug fix update
Advisory ID:       RHSA-2020:4903-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4903
Issue date:        2020-11-04
CVE Names:         CVE-2020-8116 CVE-2020-8201 CVE-2020-8252 
                   CVE-2020-15095 
====================================================================
1. Summary:

An update for the nodejs:12 module is now available for Red Hat Enterprise
Linux 8.1 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language. 

The following packages have been upgraded to a later upstream version:
nodejs (12.18.4).

Security Fix(es):

* nodejs-dot-prop: prototype pollution (CVE-2020-8116)

* nodejs: HTTP request smuggling due to CR-to-Hyphen conversion
(CVE-2020-8201)

* npm: Sensitive information exposure through logs (CVE-2020-15095)

* libuv: buffer overflow in realpath (CVE-2020-8252)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* The nodejs:12/development module is not installable (BZ#1883965)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1856875 - CVE-2020-15095 npm: Sensitive information exposure through logs
1868196 - CVE-2020-8116 nodejs-dot-prop: prototype pollution
1879311 - CVE-2020-8201 nodejs: HTTP request smuggling due to CR-to-Hyphen conversion
1879315 - CVE-2020-8252 libuv: buffer overflow in realpath
1883965 - The nodejs:12/development module is not installable [rhel-8.1.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.1):

Source:
nodejs-12.18.4-2.module+el8.1.0+8360+14141500.src.rpm
nodejs-nodemon-1.18.3-1.module+el8.1.0+3369+37ae6a45.src.rpm
nodejs-packaging-17-3.module+el8.1.0+3369+37ae6a45.src.rpm

aarch64:
nodejs-12.18.4-2.module+el8.1.0+8360+14141500.aarch64.rpm
nodejs-debuginfo-12.18.4-2.module+el8.1.0+8360+14141500.aarch64.rpm
nodejs-debugsource-12.18.4-2.module+el8.1.0+8360+14141500.aarch64.rpm
nodejs-devel-12.18.4-2.module+el8.1.0+8360+14141500.aarch64.rpm
nodejs-full-i18n-12.18.4-2.module+el8.1.0+8360+14141500.aarch64.rpm
npm-6.14.6-1.12.18.4.2.module+el8.1.0+8360+14141500.aarch64.rpm

noarch:
nodejs-docs-12.18.4-2.module+el8.1.0+8360+14141500.noarch.rpm
nodejs-nodemon-1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch.rpm
nodejs-packaging-17-3.module+el8.1.0+3369+37ae6a45.noarch.rpm

ppc64le:
nodejs-12.18.4-2.module+el8.1.0+8360+14141500.ppc64le.rpm
nodejs-debuginfo-12.18.4-2.module+el8.1.0+8360+14141500.ppc64le.rpm
nodejs-debugsource-12.18.4-2.module+el8.1.0+8360+14141500.ppc64le.rpm
nodejs-devel-12.18.4-2.module+el8.1.0+8360+14141500.ppc64le.rpm
nodejs-full-i18n-12.18.4-2.module+el8.1.0+8360+14141500.ppc64le.rpm
npm-6.14.6-1.12.18.4.2.module+el8.1.0+8360+14141500.ppc64le.rpm

s390x:
nodejs-12.18.4-2.module+el8.1.0+8360+14141500.s390x.rpm
nodejs-debuginfo-12.18.4-2.module+el8.1.0+8360+14141500.s390x.rpm
nodejs-debugsource-12.18.4-2.module+el8.1.0+8360+14141500.s390x.rpm
nodejs-devel-12.18.4-2.module+el8.1.0+8360+14141500.s390x.rpm
nodejs-full-i18n-12.18.4-2.module+el8.1.0+8360+14141500.s390x.rpm
npm-6.14.6-1.12.18.4.2.module+el8.1.0+8360+14141500.s390x.rpm

x86_64:
nodejs-12.18.4-2.module+el8.1.0+8360+14141500.x86_64.rpm
nodejs-debuginfo-12.18.4-2.module+el8.1.0+8360+14141500.x86_64.rpm
nodejs-debugsource-12.18.4-2.module+el8.1.0+8360+14141500.x86_64.rpm
nodejs-devel-12.18.4-2.module+el8.1.0+8360+14141500.x86_64.rpm
nodejs-full-i18n-12.18.4-2.module+el8.1.0+8360+14141500.x86_64.rpm
npm-6.14.6-1.12.18.4.2.module+el8.1.0+8360+14141500.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-8116
https://access.redhat.com/security/cve/CVE-2020-8201
https://access.redhat.com/security/cve/CVE-2020-8252
https://access.redhat.com/security/cve/CVE-2020-15095
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX6KgItzjgjWX9erEAQivyw//VapgCsnPau2LKyTxnumAhwlQ0tNlXNFw
4APGyEAynTnX6TuhFjQfXTFwBj67+C5ZT3LFYJ2eQ3/K1nb26ia95m4IgF6TlrZc
MRytC7xTY9b6t2z7sfIXb892D1lK26HYcMfWMe0fy1bHszpkiPKvzfEP5o9cWRn/
Tmxh48AOspSye4eQqRROUM6J6eRsiIq9uMvj/v2hljzqeMUwtUSGsyudHJOOZl7j
MyGw6rDhcPuirhedTp1C1b1JWdXXTEcHLXy7kDRVWfgXZLetJTfeQkl3FHbWXThH
A7lPkxcP9PkNXKAvH7RE+65ylUXP60rpTJFs7uaqIjJLWlZkBm81+U7RzAv8afjE
3PwdbMzsoXLCCN5HBk8aA/sJ+oos6YC+jaANVCU3p/eJPaEm4dUTxyiWJsgzrwjA
m59e8wJtZxJOd1QO1a7LvxS/52Yxgu/HjGxrLgoR5SNYOrmeKgMmN/0stc/dB1hK
lv9Z0MC+RqU1t7rnkFqje+mD18gF0SuOYGCA+8hlzaBfDYxRGHV56lPf+9PeQegP
H8l66LvM0ly0aXgdwPT33t0Jipp8HBJYd/9Z+BgvUZtnK9FspSLyrbS1ke6f9qGl
dQ2Nx7A5uIrv22U68PIrpKAhHlgNFj1ammVuSEma3Y3ZqCxPc05xlWisMkhTaouT
NzIMa7yGLug=lV49
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
This email address is being protected from spambots. You need JavaScript enabled to view it.

Red Hat Enterprise Linux RHSA-2020:4903-01 Nodejs 12 Security Fixes Release

Topics Covered

Search Advisories & Updates

Recent Searches

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

Red Hat Enterprise Linux RHSA-2020:4903-01 Nodejs 12 Security Fixes Release

Solution

Summary

Topics Covered

References

Package List

Topic

Topics Covered

Relevant Releases Architectures

Bugs Fixed

Get the latest News and Insights

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Red Hat Enterprise Linux RHSA-2020:4903-01 Nodejs 12 Security Fixes Release

Topics Covered

Search Advisories & Updates

Recent Searches

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

Red Hat Enterprise Linux RHSA-2020:4903-01 Nodejs 12 Security Fixes Release

Solution

Summary

Topics Covered

References

Package List

Topic

Topics Covered

Relevant Releases Architectures

Bugs Fixed

Get the latest News and Insights

Related Articles

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!