Alerts This Week
Warning Icon 1 692
Alerts This Week
Warning Icon 1 692

Red Hat 8.1 RHSA-2021-0741-01 Important: Nodejs DoS Threat

Calendar Mar 08, 2021 User Avatar LinuxSecurity Advisories
3 - 5 min read
Redhat Large Esm H500
Topics%20covered

Topics Covered

security advisory red hat DoS security fix Red Hat Enterprise Linux DoS threat Denial of Service important update nodejs nodejs update HTTP2 vulnerability rebinding
An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: nodejs:10 security update
Advisory ID:       RHSA-2021:0741-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0741
Issue date:        2021-03-08
CVE Names:         CVE-2021-22883 CVE-2021-22884 
====================================================================
1. Summary:

An update for the nodejs:10 module is now available for Red Hat Enterprise
Linux 8.1 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language. 

The following packages have been upgraded to a later upstream version:
nodejs (10.24.0).

Security Fix(es):

* nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion
(CVE-2021-22883)

* nodejs: DNS rebinding in --inspect (CVE-2021-22884)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1932014 - CVE-2021-22883 nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion
1932024 - CVE-2021-22884 nodejs: DNS rebinding in --inspect

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.1):

Source:
nodejs-10.24.0-1.module+el8.1.0+10161+5cffdac6.src.rpm
nodejs-nodemon-1.18.3-1.module+el8+2632+6c5111ed.src.rpm
nodejs-packaging-17-3.module+el8+2873+aa7dfd9a.src.rpm

aarch64:
nodejs-10.24.0-1.module+el8.1.0+10161+5cffdac6.aarch64.rpm
nodejs-debuginfo-10.24.0-1.module+el8.1.0+10161+5cffdac6.aarch64.rpm
nodejs-debugsource-10.24.0-1.module+el8.1.0+10161+5cffdac6.aarch64.rpm
nodejs-devel-10.24.0-1.module+el8.1.0+10161+5cffdac6.aarch64.rpm
nodejs-full-i18n-10.24.0-1.module+el8.1.0+10161+5cffdac6.aarch64.rpm
npm-6.14.11-1.10.24.0.1.module+el8.1.0+10161+5cffdac6.aarch64.rpm

noarch:
nodejs-docs-10.24.0-1.module+el8.1.0+10161+5cffdac6.noarch.rpm
nodejs-nodemon-1.18.3-1.module+el8+2632+6c5111ed.noarch.rpm
nodejs-packaging-17-3.module+el8+2873+aa7dfd9a.noarch.rpm

ppc64le:
nodejs-10.24.0-1.module+el8.1.0+10161+5cffdac6.ppc64le.rpm
nodejs-debuginfo-10.24.0-1.module+el8.1.0+10161+5cffdac6.ppc64le.rpm
nodejs-debugsource-10.24.0-1.module+el8.1.0+10161+5cffdac6.ppc64le.rpm
nodejs-devel-10.24.0-1.module+el8.1.0+10161+5cffdac6.ppc64le.rpm
nodejs-full-i18n-10.24.0-1.module+el8.1.0+10161+5cffdac6.ppc64le.rpm
npm-6.14.11-1.10.24.0.1.module+el8.1.0+10161+5cffdac6.ppc64le.rpm

s390x:
nodejs-10.24.0-1.module+el8.1.0+10161+5cffdac6.s390x.rpm
nodejs-debuginfo-10.24.0-1.module+el8.1.0+10161+5cffdac6.s390x.rpm
nodejs-debugsource-10.24.0-1.module+el8.1.0+10161+5cffdac6.s390x.rpm
nodejs-devel-10.24.0-1.module+el8.1.0+10161+5cffdac6.s390x.rpm
nodejs-full-i18n-10.24.0-1.module+el8.1.0+10161+5cffdac6.s390x.rpm
npm-6.14.11-1.10.24.0.1.module+el8.1.0+10161+5cffdac6.s390x.rpm

x86_64:
nodejs-10.24.0-1.module+el8.1.0+10161+5cffdac6.x86_64.rpm
nodejs-debuginfo-10.24.0-1.module+el8.1.0+10161+5cffdac6.x86_64.rpm
nodejs-debugsource-10.24.0-1.module+el8.1.0+10161+5cffdac6.x86_64.rpm
nodejs-devel-10.24.0-1.module+el8.1.0+10161+5cffdac6.x86_64.rpm
nodejs-full-i18n-10.24.0-1.module+el8.1.0+10161+5cffdac6.x86_64.rpm
npm-6.14.11-1.10.24.0.1.module+el8.1.0+10161+5cffdac6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-22883
https://access.redhat.com/security/cve/CVE-2021-22884
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYEX6ndzjgjWX9erEAQj7jA/9Fw7n2wStgWsndoD0vI5qK9ali2Rxlymb
HH78OqRT/iyI3q+B5el/QFaOcsv8FwBRD0L/Y1rxej6FpYOKzvMjWDJr+yJ6FmA9
qV8AFitLjcTsgSITNyU7AfA27wKACes6xtN+BjtX1532j1rLeFPKdEO1T/pcs/Jz
Uarz+b+e2gO4TIHrZ3VL9p+hAutnt3ZEpKwl9sDUQMnDs+dyDseFNmIfL5ozzhEW
2rNV3YX3Vp0imMyXqYIK2SjZFLQojV6IHEr0NXr36jW2G0L0nTe+1rMjtbjKj0Iv
eE/KrlFv2L8VlouFb8OljAvmeDdGzLqNeuzVfdjqFyBHgT9Rb1sTEFfJ9nJnK2td
yH0mRrQP+p793gxDoHnCYIcvRJ1yGKBQ5TDb2sJNtz05sx0tlyhnBWvSk0o1VBgv
vXGAvJ9+lMGGnOQlXOt8Of0KuZ4FT60KeX6qAMgDzX3VJsmUW2xHp1XyjfLVmE3o
w4/BWnaQFVbIhBq427zgzIMEr/tt0gopUyp4kd2953nETUfG25qtn+ZhXU5LIBQ/
E7pQrzgMC0bP/DZZXDOIrHgufyXsC7PxvwxHg/Dp+A5tJloQvRQhi04KDQCINHCW
PR1LUTWSlSUyMZD3rqctioTk0fKylWmKzoCfi1OHpDi7hnC+cxF4ZgLFXtJCm/8G
zg4fV6O2+do=9HWQ
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
This email address is being protected from spambots. You need JavaScript enabled to view it.
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat 8.1 RHSA-2021-0741-01 Important: Nodejs DoS Threat

red hat
Calendar Grey March 8, 2021
Dist Redhat Esm H88
Essential patch release for Node.js:10 on Red Hat Linux, implementing crucial security enhancements targeting denial-of-service and DNS rebinding vulnerabilities.
An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8.1 Extended Update Support

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: nodejs (10.24.0).
Security Fix(es):
* nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion (CVE-2021-22883)
* nodejs: DNS rebinding in --inspect (CVE-2021-22884)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Topics%20covered

Topics Covered

security advisory red hat DoS security fix Red Hat Enterprise Linux DoS threat Denial of Service important update nodejs nodejs update HTTP2 vulnerability rebinding

References

https://access.redhat.com/security/cve/CVE-2021-22883 https://access.redhat.com/security/cve/CVE-2021-22884 https://access.redhat.com/security/updates/classification/#important

Package List

Red Hat Enterprise Linux AppStream EUS (v. 8.1):
Source: nodejs-10.24.0-1.module+el8.1.0+10161+5cffdac6.src.rpm nodejs-nodemon-1.18.3-1.module+el8+2632+6c5111ed.src.rpm nodejs-packaging-17-3.module+el8+2873+aa7dfd9a.src.rpm
aarch64: nodejs-10.24.0-1.module+el8.1.0+10161+5cffdac6.aarch64.rpm nodejs-debuginfo-10.24.0-1.module+el8.1.0+10161+5cffdac6.aarch64.rpm nodejs-debugsource-10.24.0-1.module+el8.1.0+10161+5cffdac6.aarch64.rpm nodejs-devel-10.24.0-1.module+el8.1.0+10161+5cffdac6.aarch64.rpm nodejs-full-i18n-10.24.0-1.module+el8.1.0+10161+5cffdac6.aarch64.rpm npm-6.14.11-1.10.24.0.1.module+el8.1.0+10161+5cffdac6.aarch64.rpm
noarch: nodejs-docs-10.24.0-1.module+el8.1.0+10161+5cffdac6.noarch.rpm nodejs-nodemon-1.18.3-1.module+el8+2632+6c5111ed.noarch.rpm nodejs-packaging-17-3.module+el8+2873+aa7dfd9a.noarch.rpm
ppc64le: nodejs-10.24.0-1.module+el8.1.0+10161+5cffdac6.ppc64le.rpm nodejs-debuginfo-10.24.0-1.module+el8.1.0+10161+5cffdac6.ppc64le.rpm nodejs-debugsource-10.24.0-1.module+el8.1.0+10161+5cffdac6.ppc64le.rpm nodejs-devel-10.24.0-1.module+el8.1.0+10161+5cffdac6.ppc64le.rpm nodejs-full-i18n-10.24.0-1.module+el8.1.0+10161+5cffdac6.ppc64le.rpm npm-6.14.11-1.10.24.0.1.module+el8.1.0+10161+5cffdac6.ppc64le.rpm
s390x:

Read the Full Advisory


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2021:0741-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0741
Issue date: 2021-03-08

Topic

An update for the nodejs:10 module is now available for Red Hat EnterpriseLinux 8.1 Extended Update Support.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory red hat DoS security fix Red Hat Enterprise Linux DoS threat Denial of Service important update nodejs nodejs update HTTP2 vulnerability rebinding

Relevant Releases Architectures

Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, noarch, ppc64le, s390x, x86_64

Bugs Fixed

1932014 - CVE-2021-22883 nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion

1932024 - CVE-2021-22884 nodejs: DNS rebinding in --inspect

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here