Red Hat: RHSA-2021-3280-01 Important Update for Node.js Security
Aug 26, 2021
•
LinuxSecurity Advisories
4 - 7 min read
Topics Covered
An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
==================================================================== Red Hat Security Advisory
Synopsis: Important: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update
Advisory ID: RHSA-2021:3280-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3280
Issue date: 2021-08-26
CVE Names: CVE-2020-7788 CVE-2020-28469 CVE-2021-3672
CVE-2021-22930 CVE-2021-22931 CVE-2021-22939
CVE-2021-22940 CVE-2021-23343 CVE-2021-32803
CVE-2021-32804
====================================================================
1. Summary:
An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now
available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
3. Description:
Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version:
rh-nodejs14-nodejs (14.17.5).
Security Fix(es):
* nodejs: Use-after-free on close http2 on stream canceling
(CVE-2021-22930)
* nodejs: Use-after-free on close http2 on stream canceling
(CVE-2021-22940)
* nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)
* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
* c-ares: Missing input validation of host names may lead to domain
hijacking (CVE-2021-3672)
* nodejs: Improper handling of untypical characters in domain names
(CVE-2021-22931)
* nodejs-tar: Insufficient symlink protection allowing arbitrary file
creation and overwrite (CVE-2021-32803)
* nodejs-tar: Insufficient absolute path sanitization allowing arbitrary
file creation and overwrite (CVE-2021-32804)
* nodejs: Incomplete validation of tls rejectUnauthorized parameter
(CVE-2021-22939)
* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe
(CVE-2021-23343)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1907444 - CVE-2020-7788 nodejs-ini: Prototype pollution via malicious INI file
1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service
1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe
1988342 - CVE-2021-3672 c-ares: Missing input validation of host names may lead to domain hijacking
1988394 - CVE-2021-22930 nodejs: Use-after-free on close http2 on stream canceling
1990409 - CVE-2021-32804 nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
1990415 - CVE-2021-32803 nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite
1993019 - CVE-2021-22931 nodejs: Improper handling of untypical characters in domain names
1993029 - CVE-2021-22940 nodejs: Use-after-free on close http2 on stream canceling
1993039 - CVE-2021-22939 nodejs: Incomplete validation of tls rejectUnauthorized parameter
6. Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
rh-nodejs14-nodejs-14.17.5-1.el7.src.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.src.rpm
noarch:
rh-nodejs14-nodejs-docs-14.17.5-1.el7.noarch.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.noarch.rpm
ppc64le:
rh-nodejs14-nodejs-14.17.5-1.el7.ppc64le.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.ppc64le.rpm
rh-nodejs14-nodejs-devel-14.17.5-1.el7.ppc64le.rpm
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.ppc64le.rpm
s390x:
rh-nodejs14-nodejs-14.17.5-1.el7.s390x.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.s390x.rpm
rh-nodejs14-nodejs-devel-14.17.5-1.el7.s390x.rpm
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.s390x.rpm
x86_64:
rh-nodejs14-nodejs-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-nodejs-devel-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7):
Source:
rh-nodejs14-nodejs-14.17.5-1.el7.src.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.src.rpm
noarch:
rh-nodejs14-nodejs-docs-14.17.5-1.el7.noarch.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.noarch.rpm
ppc64le:
rh-nodejs14-nodejs-14.17.5-1.el7.ppc64le.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.ppc64le.rpm
rh-nodejs14-nodejs-devel-14.17.5-1.el7.ppc64le.rpm
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.ppc64le.rpm
s390x:
rh-nodejs14-nodejs-14.17.5-1.el7.s390x.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.s390x.rpm
rh-nodejs14-nodejs-devel-14.17.5-1.el7.s390x.rpm
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.s390x.rpm
x86_64:
rh-nodejs14-nodejs-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-nodejs-devel-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source:
rh-nodejs14-nodejs-14.17.5-1.el7.src.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.src.rpm
noarch:
rh-nodejs14-nodejs-docs-14.17.5-1.el7.noarch.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.noarch.rpm
x86_64:
rh-nodejs14-nodejs-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-nodejs-devel-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key
7. References:
https://access.redhat.com/security/cve/CVE-2020-7788
https://access.redhat.com/security/cve/CVE-2020-28469
https://access.redhat.com/security/cve/CVE-2021-3672
https://access.redhat.com/security/cve/CVE-2021-22930
https://access.redhat.com/security/cve/CVE-2021-22931
https://access.redhat.com/security/cve/CVE-2021-22939
https://access.redhat.com/security/cve/CVE-2021-22940
https://access.redhat.com/security/cve/CVE-2021-23343
https://access.redhat.com/security/cve/CVE-2021-32803
https://access.redhat.com/security/cve/CVE-2021-32804
https://access.redhat.com/security/updates/classification#important
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact
Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYSe+ZdzjgjWX9erEAQhYcg/7B3abtCo+3cNCafs6xxdE/gTXji7SK5EY
1HRy0aXRd5bXCuRKnfNAPkkmhGKOfa0J+0TuZotF/Sh/20VtkGYIrwMIH9X/OYcl
kDsv8KkGtFgTKg0rRRCXG3FV+hPDh4r0F0WWxssmXjunAYnOzyxlntafSTnW2FGO
igl7caJv6zh3YJsUB/ITn4JCUDCClWR6KEF7gasKnaNpoap52HfHa7qYSUpxaz1K
/z3atfAOYJkj1aSSj4327iE1i8SbyYnuPD5m2RZUdHxZrMnVbsd+lVkrrd66KV0q
Z58mal5whSgZ6U7jt1oiQBafYvm3mLoyFm3URC9xqPhDbapvL0++mDov5OQNUoyk
zRqs1vaV7f27DiQuGtCxCcy+34jIP5PpmazpkWG0oTYYkgt6hpda3+/A4GEvymNF
8xKTpekyasjYpWZ8sX4FOAo5vnqedwFtQoFJ7Q0YoO+DUje2oaw9I9Cm1BGyjTeq
/VMJkslLT17lRSrJwNvWBxrUg849nFAd1xMEcAyMhJrlhG6zqe2zGoUCJokaPaxr
Cx0pezZ8ERabp8kTBS5Jm7vN9yBymwVsEw32QRV/2Mp2Zdi1cY6Y9UJJQ7N+YjjJ
5nsPiho66PlZ3E0CIU+Ntr03ROW3X8E2u15ACUsGnZdSsqt36QWKmoKCP4d+8fNI
z53onxTqYlM=JjAl
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
This email address is being protected from spambots. You need JavaScript enabled to view it.
PREVIOUS
NEXT
Red Hat: RHSA-2021-3280-01 Important Update for Node.js Security
red hat
August 26, 2021
An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
Summary
Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version:
rh-nodejs14-nodejs (14.17.5).
Security Fix(es):
* nodejs: Use-after-free on close http2 on stream canceling
(CVE-2021-22930)
* nodejs: Use-after-free on close http2 on stream canceling
(CVE-2021-22940)
* nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)
* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
* c-ares: Missing input validation of host names may lead to domain
hijacking (CVE-2021-3672)
* nodejs: Improper handling of untypical characters in domain names
(CVE-2021-22931)
* nodejs-tar: Insufficient symlink protection allowing arbitrary file
creation and overwrite (CVE-2021-32803)
* nodejs-tar: Insufficient absolute path sanitization allowing arbitrary
file creation and overwrite (CVE-2021-32804)
* nodejs: Incomplete validation of tls rejectUnauthorized parameter
(CVE-2021-22939)
* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe
(CVE-2021-23343)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Topics Covered
References
https://access.redhat.com/security/cve/CVE-2020-7788 https://access.redhat.com/security/cve/CVE-2020-28469 https://access.redhat.com/security/cve/CVE-2021-3672 https://access.redhat.com/security/cve/CVE-2021-22930 https://access.redhat.com/security/cve/CVE-2021-22931 https://access.redhat.com/security/cve/CVE-2021-22939 https://access.redhat.com/security/cve/CVE-2021-22940 https://access.redhat.com/security/cve/CVE-2021-23343 https://access.redhat.com/security/cve/CVE-2021-32803 https://access.redhat.com/security/cve/CVE-2021-32804 https://access.redhat.com/security/updates/classification#important
Package List
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
rh-nodejs14-nodejs-14.17.5-1.el7.src.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.src.rpm
noarch:
rh-nodejs14-nodejs-docs-14.17.5-1.el7.noarch.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.noarch.rpm
ppc64le:
rh-nodejs14-nodejs-14.17.5-1.el7.ppc64le.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.ppc64le.rpm
rh-nodejs14-nodejs-devel-14.17.5-1.el7.ppc64le.rpm
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.ppc64le.rpm
s390x:
rh-nodejs14-nodejs-14.17.5-1.el7.s390x.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.s390x.rpm
rh-nodejs14-nodejs-devel-14.17.5-1.el7.s390x.rpm
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.s390x.rpm
x86_64:
rh-nodejs14-nodejs-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-nodejs-devel-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7):
Source:
rh-nodejs14-nodejs-14.17.5-1.el7.src.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.src.rpm
noarch:
rh-nodejs14-nodejs-docs-14.17.5-1.el7.noarch.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.noarch.rpm
ppc64le:
rh-nodejs14-nodejs-14.17.5-1.el7.ppc64le.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.ppc64le.rpm
Read the Full Advisory
Severity
important
Lowest
Low
Medium
High
Critical
Advisory ID: RHSA-2021:3280-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3280
Issue date: 2021-08-26
Topic
An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is nowavailable for Red Hat Software Collections.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Topics Covered
Relevant Releases Architectures
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Bugs Fixed
1907444 - CVE-2020-7788 nodejs-ini: Prototype pollution via malicious INI file
1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service
1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe
1988342 - CVE-2021-3672 c-ares: Missing input validation of host names may lead to domain hijacking
1988394 - CVE-2021-22930 nodejs: Use-after-free on close http2 on stream canceling
1990409 - CVE-2021-32804 nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
1990415 - CVE-2021-32803 nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite
1993019 - CVE-2021-22931 nodejs: Improper handling of untypical characters in domain names
1993029 - CVE-2021-22940 nodejs: Use-after-free on close http2 on stream canceling
1993039 - CVE-2021-22939 nodejs: Incomplete validation of tls rejectUnauthorized parameter
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!