Red Hat Enterprise Linux 8.1 RHSA-2021:3639-01 Critical Update for Nodejs
red hat
September 22, 2021
An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.1 Extended Update Support
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
Summary
Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version:
nodejs (12.22.5). (BZ#1994941)
Security Fix(es):
* nodejs: Use-after-free on close http2 on stream canceling
(CVE-2021-22930)
* nodejs: Use-after-free on close http2 on stream canceling
(CVE-2021-22940)
* c-ares: Missing input validation of host names may lead to domain
hijacking (CVE-2021-3672)
* nodejs: Improper handling of untypical characters in domain names
(CVE-2021-22931)
* nodejs-hosted-git-info: Regular Expression denial of service via
shortcutMatch in fromUrl() (CVE-2021-23362)
* nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in
strict mode (CVE-2021-27290)
* nodejs-tar: Insufficient symlink protection allowing arbitrary file
creation and overwrite (CVE-2021-32803)
* nodejs-tar: Insufficient absolute path sanitization allowing arbitrary
file creation and overwrite (CVE-2021-32804)
* libuv: out-of-bounds read in uv__idna_toascii() can lead to information
disclosures or crashes (CVE-2021-22918)
* nodejs: Incomplete validation of tls rejectUnauthorized parameter
(CVE-2021-22939)
* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe
(CVE-2021-23343)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
* nodejs:12/nodejs: Make FIPS options always available (BZ#1993929)
References
https://access.redhat.com/security/cve/CVE-2021-3672 https://access.redhat.com/security/cve/CVE-2021-22918 https://access.redhat.com/security/cve/CVE-2021-22930 https://access.redhat.com/security/cve/CVE-2021-22931 https://access.redhat.com/security/cve/CVE-2021-22939 https://access.redhat.com/security/cve/CVE-2021-22940 https://access.redhat.com/security/cve/CVE-2021-23343 https://access.redhat.com/security/cve/CVE-2021-23362 https://access.redhat.com/security/cve/CVE-2021-27290 https://access.redhat.com/security/cve/CVE-2021-32803 https://access.redhat.com/security/cve/CVE-2021-32804 https://access.redhat.com/security/updates/classification/#important
Package List
Red Hat Enterprise Linux AppStream EUS (v. 8.1):
Source:
nodejs-12.22.5-1.module+el8.1.0+12238+63fe3aec.src.rpm
nodejs-nodemon-1.18.3-1.module+el8.1.0+3369+37ae6a45.src.rpm
nodejs-packaging-17-3.module+el8.1.0+3369+37ae6a45.src.rpm
aarch64:
nodejs-12.22.5-1.module+el8.1.0+12238+63fe3aec.aarch64.rpm
nodejs-debuginfo-12.22.5-1.module+el8.1.0+12238+63fe3aec.aarch64.rpm
nodejs-debugsource-12.22.5-1.module+el8.1.0+12238+63fe3aec.aarch64.rpm
nodejs-devel-12.22.5-1.module+el8.1.0+12238+63fe3aec.aarch64.rpm
nodejs-full-i18n-12.22.5-1.module+el8.1.0+12238+63fe3aec.aarch64.rpm
npm-6.14.14-1.12.22.5.1.module+el8.1.0+12238+63fe3aec.aarch64.rpm
noarch:
nodejs-docs-12.22.5-1.module+el8.1.0+12238+63fe3aec.noarch.rpm
nodejs-nodemon-1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch.rpm
nodejs-packaging-17-3.module+el8.1.0+3369+37ae6a45.noarch.rpm
ppc64le:
nodejs-12.22.5-1.module+el8.1.0+12238+63fe3aec.ppc64le.rpm
nodejs-debuginfo-12.22.5-1.module+el8.1.0+12238+63fe3aec.ppc64le.rpm
nodejs-debugsource-12.22.5-1.module+el8.1.0+12238+63fe3aec.ppc64le.rpm
nodejs-devel-12.22.5-1.module+el8.1.0+12238+63fe3aec.ppc64le.rpm
nodejs-full-i18n-12.22.5-1.module+el8.1.0+12238+63fe3aec.ppc64le.rpm
npm-6.14.14-1.12.22.5.1.module+el8.1.0+12238+63fe3aec.ppc64le.rpm
s390x:
Read the Full Advisory
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Advisory ID: RHSA-2021:3639-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3639
Issue date: 2021-09-22
Topic
An update for the nodejs:12 module is now available for Red Hat EnterpriseLinux 8.1 Extended Update Support.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Relevant Releases Architectures
Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, noarch, ppc64le, s390x, x86_64
Bugs Fixed
1941471 - CVE-2021-27290 nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode
1943208 - CVE-2021-23362 nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()
1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe
1979338 - CVE-2021-22918 libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes
1988342 - CVE-2021-3672 c-ares: Missing input validation of host names may lead to domain hijacking
1988394 - CVE-2021-22930 nodejs: Use-after-free on close http2 on stream canceling
1990409 - CVE-2021-32804 nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
1990415 - CVE-2021-32803 nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite
1993019 - CVE-2021-22931 nodejs: Improper handling of untypical characters in domain names
1993029 - CVE-2021-22940 nodejs: Use-after-free on close http2 on stream canceling
1993039 - CVE-2021-22939 nodejs: Incomplete validation of tls rejectUnauthorized parameter
1993929 - nodejs:12/nodejs: Make FIPS options always available [rhel-8.1.0.z]
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!