Alerts This Week
Warning Icon 1 758
Alerts This Week
Warning Icon 1 758

Red Hat 7: RHSA-2022:0041-01 Moderate: Node.js Security Issues

red hat
Calendar Grey January 6, 2022
Dist Redhat Esm H88
New release for rh-nodejs14-nodejs includes a significant security patch for Red Hat Software Collections, resolving various vulnerabilities.
An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: rh-nodejs14-nodejs (14.18.2). (BZ#2031766)
Security Fix(es):
* nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)
* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
* nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701)
* nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712)
* llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)
* llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

https://access.redhat.com/security/cve/CVE-2021-3807 https://access.redhat.com/security/cve/CVE-2021-3918 https://access.redhat.com/security/cve/CVE-2021-22959 https://access.redhat.com/security/cve/CVE-2021-22960 https://access.redhat.com/security/cve/CVE-2021-37701 https://access.redhat.com/security/cve/CVE-2021-37712 https://access.redhat.com/security/updates/classification#moderate

Package List

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source: rh-nodejs14-nodejs-14.18.2-1.el7.src.rpm rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.src.rpm
noarch: rh-nodejs14-nodejs-docs-14.18.2-1.el7.noarch.rpm rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.noarch.rpm
ppc64le: rh-nodejs14-nodejs-14.18.2-1.el7.ppc64le.rpm rh-nodejs14-nodejs-debuginfo-14.18.2-1.el7.ppc64le.rpm rh-nodejs14-nodejs-devel-14.18.2-1.el7.ppc64le.rpm rh-nodejs14-npm-6.14.15-14.18.2.1.el7.ppc64le.rpm
s390x: rh-nodejs14-nodejs-14.18.2-1.el7.s390x.rpm rh-nodejs14-nodejs-debuginfo-14.18.2-1.el7.s390x.rpm rh-nodejs14-nodejs-devel-14.18.2-1.el7.s390x.rpm rh-nodejs14-npm-6.14.15-14.18.2.1.el7.s390x.rpm
x86_64: rh-nodejs14-nodejs-14.18.2-1.el7.x86_64.rpm rh-nodejs14-nodejs-debuginfo-14.18.2-1.el7.x86_64.rpm rh-nodejs14-nodejs-devel-14.18.2-1.el7.x86_64.rpm rh-nodejs14-npm-6.14.15-14.18.2.1.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source: rh-nodejs14-nodejs-14.18.2-1.el7.src.rpm rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.src.rpm
noarch: rh-nodejs14-nodejs-docs-14.18.2-1.el7.noarch.rpm rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.noarch.rpm
x86_64: rh-nodejs14-nodejs-14.18.2-1.el7.x86_64.rpm rh-nodejs14-nodejs-debuginfo-14.18.2-1.el7.x86_64.rpm

Read the Full Advisory


Advisory ID: RHSA-2022:0041-01
Product: Red Hat Software Collections
Issue date: 2022-01-06

Topic

An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is nowavailable for Red Hat Software Collections.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

Bugs Fixed

1999731 - CVE-2021-37701 nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite

1999739 - CVE-2021-37712 nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite

2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes

2014057 - CVE-2021-22959 llhttp: HTTP Request Smuggling due to spaces in headers2014059 - CVE-2021-22960 llhttp: HTTP Request Smuggling when parsing the body of chunked requests

2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability

2031766 - rh-nodejs14-nodejs: Rebase to LTS version [rhscl-3.8.z]

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here