-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: nodejs:14 security, bug fix, and enhancement update
Advisory ID:       RHSA-2023:1742-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1742
Issue date:        2023-04-12
CVE Names:         CVE-2021-35065 CVE-2021-44531 CVE-2021-44532 
                   CVE-2021-44533 CVE-2021-44906 CVE-2022-0235 
                   CVE-2022-3517 CVE-2022-4904 CVE-2022-21824 
                   CVE-2022-24999 CVE-2022-25881 CVE-2022-35256 
                   CVE-2022-38900 CVE-2022-43548 CVE-2023-23918 
                   CVE-2023-23920 
====================================================================
1. Summary:

An update for the nodejs:14 module is now available for Red Hat Enterprise
Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:
nodejs (14.21.3).

Security Fix(es):

* decode-uri-component: improper input validation resulting in DoS
(CVE-2022-38900)

* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)

* nodejs: Improper handling of URI Subject Alternative Names
(CVE-2021-44531)

* nodejs: Certificate Verification Bypass via String Injection
(CVE-2021-44532)

* nodejs: Incorrect handling of certificate subject and issuer fields
(CVE-2021-44533)

* minimist: prototype pollution (CVE-2021-44906)

* node-fetch: exposure of sensitive information to an unauthorized actor
(CVE-2022-0235)

* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)

* c-ares: buffer overflow in config_sortlist() due to missing string length
check (CVE-2022-4904)

* express: "qs" prototype poisoning causes the hang of the node process
(CVE-2022-24999)

* http-cache-semantics: Regular Expression Denial of Service (ReDoS)
vulnerability (CVE-2022-25881)

* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields
(CVE-2022-35256)

* nodejs: DNS rebinding in inspect via invalid octal IP address
(CVE-2022-43548)

* Node.js: Permissions policies can be bypassed via process.mainModule
(CVE-2023-23918)

* nodejs: Prototype pollution via console.table properties (CVE-2022-21824)

* Node.js: insecure loading of ICU data through ICU_DATA environment
variable (CVE-2023-23920)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2040839 - CVE-2021-44531 nodejs: Improper handling of URI Subject Alternative Names
2040846 - CVE-2021-44532 nodejs: Certificate Verification Bypass via String Injection
2040856 - CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields
2040862 - CVE-2022-21824 nodejs: Prototype pollution via console.table properties
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
2066009 - CVE-2021-44906 minimist: prototype pollution
2130518 - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields
2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
2140911 - CVE-2022-43548 nodejs: DNS rebinding in inspect via invalid octal IP address
2142822 - nodejs:14/nodejs: Rebase to the latest Nodejs 14 release [rhel-8] [rhel-8.6.0.z]
2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process
2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service
2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability
2168631 - CVE-2022-4904 c-ares: buffer overflow in config_sortlist() due to missing string length check
2170644 - CVE-2022-38900 decode-uri-component: improper input validation resulting in DoS
2171935 - CVE-2023-23918 Node.js: Permissions policies can be bypassed via process.mainModule
2172217 - CVE-2023-23920 Node.js: insecure loading of ICU data through ICU_DATA environment variable
2175827 - nodejs:14/nodejs: Rebase to the latest Nodejs 14 release [rhel-8] [rhel-8.6.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:
nodejs-14.21.3-1.module+el8.6.0+18532+cbe6f646.src.rpm
nodejs-nodemon-2.0.20-3.module+el8.6.0+18532+cbe6f646.src.rpm
nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

aarch64:
nodejs-14.21.3-1.module+el8.6.0+18532+cbe6f646.aarch64.rpm
nodejs-debuginfo-14.21.3-1.module+el8.6.0+18532+cbe6f646.aarch64.rpm
nodejs-debugsource-14.21.3-1.module+el8.6.0+18532+cbe6f646.aarch64.rpm
nodejs-devel-14.21.3-1.module+el8.6.0+18532+cbe6f646.aarch64.rpm
nodejs-full-i18n-14.21.3-1.module+el8.6.0+18532+cbe6f646.aarch64.rpm
npm-6.14.18-1.14.21.3.1.module+el8.6.0+18532+cbe6f646.aarch64.rpm

noarch:
nodejs-docs-14.21.3-1.module+el8.6.0+18532+cbe6f646.noarch.rpm
nodejs-nodemon-2.0.20-3.module+el8.6.0+18532+cbe6f646.noarch.rpm
nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

ppc64le:
nodejs-14.21.3-1.module+el8.6.0+18532+cbe6f646.ppc64le.rpm
nodejs-debuginfo-14.21.3-1.module+el8.6.0+18532+cbe6f646.ppc64le.rpm
nodejs-debugsource-14.21.3-1.module+el8.6.0+18532+cbe6f646.ppc64le.rpm
nodejs-devel-14.21.3-1.module+el8.6.0+18532+cbe6f646.ppc64le.rpm
nodejs-full-i18n-14.21.3-1.module+el8.6.0+18532+cbe6f646.ppc64le.rpm
npm-6.14.18-1.14.21.3.1.module+el8.6.0+18532+cbe6f646.ppc64le.rpm

s390x:
nodejs-14.21.3-1.module+el8.6.0+18532+cbe6f646.s390x.rpm
nodejs-debuginfo-14.21.3-1.module+el8.6.0+18532+cbe6f646.s390x.rpm
nodejs-debugsource-14.21.3-1.module+el8.6.0+18532+cbe6f646.s390x.rpm
nodejs-devel-14.21.3-1.module+el8.6.0+18532+cbe6f646.s390x.rpm
nodejs-full-i18n-14.21.3-1.module+el8.6.0+18532+cbe6f646.s390x.rpm
npm-6.14.18-1.14.21.3.1.module+el8.6.0+18532+cbe6f646.s390x.rpm

x86_64:
nodejs-14.21.3-1.module+el8.6.0+18532+cbe6f646.x86_64.rpm
nodejs-debuginfo-14.21.3-1.module+el8.6.0+18532+cbe6f646.x86_64.rpm
nodejs-debugsource-14.21.3-1.module+el8.6.0+18532+cbe6f646.x86_64.rpm
nodejs-devel-14.21.3-1.module+el8.6.0+18532+cbe6f646.x86_64.rpm
nodejs-full-i18n-14.21.3-1.module+el8.6.0+18532+cbe6f646.x86_64.rpm
npm-6.14.18-1.14.21.3.1.module+el8.6.0+18532+cbe6f646.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-35065
https://access.redhat.com/security/cve/CVE-2021-44531
https://access.redhat.com/security/cve/CVE-2021-44532
https://access.redhat.com/security/cve/CVE-2021-44533
https://access.redhat.com/security/cve/CVE-2021-44906
https://access.redhat.com/security/cve/CVE-2022-0235
https://access.redhat.com/security/cve/CVE-2022-3517
https://access.redhat.com/security/cve/CVE-2022-4904
https://access.redhat.com/security/cve/CVE-2022-21824
https://access.redhat.com/security/cve/CVE-2022-24999
https://access.redhat.com/security/cve/CVE-2022-25881
https://access.redhat.com/security/cve/CVE-2022-35256
https://access.redhat.com/security/cve/CVE-2022-38900
https://access.redhat.com/security/cve/CVE-2022-43548
https://access.redhat.com/security/cve/CVE-2023-23918
https://access.redhat.com/security/cve/CVE-2023-23920
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZDbdDNzjgjWX9erEAQh6+Q//bqiNs42lrhzraDJEqYSFG1/ZqUHi4Pvh
3kaXqIEuiDxXDqM3CSzUSyafdwZtyhPoOi/491FGPV6yfo5qTjLQ5qzWq6aTTZnw
Q0UC5bQiUOUSsgVupNeYzg84itvhHqDw1XREIo148J/ygOtFV1vC5axDRIgY5ZKF
jYp3WTVdvRBy98ReqLDb86Azc8L4HTNwGAxwlE4vsXYK0O9RxqVExUzXkpvck97e
CkMI20z58MGMrm3nx3d3iHbi/Y6cjgsMJvMk8/2EFqw+5bD+qdJ8KPb3CgqC9gVx
Ei6ks1AXRTF/hwbFAYDTrKXmQ/K5tT6CLNbwr1xp1/QshONSX2zaMRYu57HKkw7W
Z5fxj/mz0UCJGaP163QR2+3ddNFWrbtOYDi/QfAHQR1c3FmVk024xSCnPMlXxDww
Scb6y0D4TqbcKgvMoDW4kCZmlTby6C/83FiLsNExaonrsKJj9iEhTj8oCoM4Rrra
CGxzzwYE/ZrPphQn81jdAcNYB2G3+cZtD/AXvdJqhDfJzMRWljINivYm8p88IGMB
g1Rt2GQWaPucg00gWVuLCqtDZu/ElIhCcjsYRQd40oleNIcRkTx4QafKwfg+8TwS
AEzB5ewFKgqlb6VTRpm4nMgk8IASwmfTVFF+K0yYTPmopn4v7Xhg5OEBQc8cymxc
0KO+/4RXHVk=wJPD
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-1742:01 Important: nodejs:14 security, bug fix,

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support

Summary

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: nodejs (14.21.3).
Security Fix(es):
* decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)
* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531)
* nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532)
* nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533)
* minimist: prototype pollution (CVE-2021-44906)
* node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)
* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
* c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)
* express: "qs" prototype poisoning causes the hang of the node process (CVE-2022-24999)
* http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)
* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields (CVE-2022-35256)
* nodejs: DNS rebinding in inspect via invalid octal IP address (CVE-2022-43548)
* Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)
* nodejs: Prototype pollution via console.table properties (CVE-2022-21824)
* Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2021-35065 https://access.redhat.com/security/cve/CVE-2021-44531 https://access.redhat.com/security/cve/CVE-2021-44532 https://access.redhat.com/security/cve/CVE-2021-44533 https://access.redhat.com/security/cve/CVE-2021-44906 https://access.redhat.com/security/cve/CVE-2022-0235 https://access.redhat.com/security/cve/CVE-2022-3517 https://access.redhat.com/security/cve/CVE-2022-4904 https://access.redhat.com/security/cve/CVE-2022-21824 https://access.redhat.com/security/cve/CVE-2022-24999 https://access.redhat.com/security/cve/CVE-2022-25881 https://access.redhat.com/security/cve/CVE-2022-35256 https://access.redhat.com/security/cve/CVE-2022-38900 https://access.redhat.com/security/cve/CVE-2022-43548 https://access.redhat.com/security/cve/CVE-2023-23918 https://access.redhat.com/security/cve/CVE-2023-23920 https://access.redhat.com/security/updates/classification/#important

Package List

Red Hat Enterprise Linux AppStream EUS (v.8.6):
Source: nodejs-14.21.3-1.module+el8.6.0+18532+cbe6f646.src.rpm nodejs-nodemon-2.0.20-3.module+el8.6.0+18532+cbe6f646.src.rpm nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm
aarch64: nodejs-14.21.3-1.module+el8.6.0+18532+cbe6f646.aarch64.rpm nodejs-debuginfo-14.21.3-1.module+el8.6.0+18532+cbe6f646.aarch64.rpm nodejs-debugsource-14.21.3-1.module+el8.6.0+18532+cbe6f646.aarch64.rpm nodejs-devel-14.21.3-1.module+el8.6.0+18532+cbe6f646.aarch64.rpm nodejs-full-i18n-14.21.3-1.module+el8.6.0+18532+cbe6f646.aarch64.rpm npm-6.14.18-1.14.21.3.1.module+el8.6.0+18532+cbe6f646.aarch64.rpm
noarch: nodejs-docs-14.21.3-1.module+el8.6.0+18532+cbe6f646.noarch.rpm nodejs-nodemon-2.0.20-3.module+el8.6.0+18532+cbe6f646.noarch.rpm nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm
ppc64le: nodejs-14.21.3-1.module+el8.6.0+18532+cbe6f646.ppc64le.rpm nodejs-debuginfo-14.21.3-1.module+el8.6.0+18532+cbe6f646.ppc64le.rpm nodejs-debugsource-14.21.3-1.module+el8.6.0+18532+cbe6f646.ppc64le.rpm nodejs-devel-14.21.3-1.module+el8.6.0+18532+cbe6f646.ppc64le.rpm nodejs-full-i18n-14.21.3-1.module+el8.6.0+18532+cbe6f646.ppc64le.rpm npm-6.14.18-1.14.21.3.1.module+el8.6.0+18532+cbe6f646.ppc64le.rpm
s390x: nodejs-14.21.3-1.module+el8.6.0+18532+cbe6f646.s390x.rpm nodejs-debuginfo-14.21.3-1.module+el8.6.0+18532+cbe6f646.s390x.rpm nodejs-debugsource-14.21.3-1.module+el8.6.0+18532+cbe6f646.s390x.rpm nodejs-devel-14.21.3-1.module+el8.6.0+18532+cbe6f646.s390x.rpm nodejs-full-i18n-14.21.3-1.module+el8.6.0+18532+cbe6f646.s390x.rpm npm-6.14.18-1.14.21.3.1.module+el8.6.0+18532+cbe6f646.s390x.rpm
x86_64: nodejs-14.21.3-1.module+el8.6.0+18532+cbe6f646.x86_64.rpm nodejs-debuginfo-14.21.3-1.module+el8.6.0+18532+cbe6f646.x86_64.rpm nodejs-debugsource-14.21.3-1.module+el8.6.0+18532+cbe6f646.x86_64.rpm nodejs-devel-14.21.3-1.module+el8.6.0+18532+cbe6f646.x86_64.rpm nodejs-full-i18n-14.21.3-1.module+el8.6.0+18532+cbe6f646.x86_64.rpm npm-6.14.18-1.14.21.3.1.module+el8.6.0+18532+cbe6f646.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2023:1742-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1742
Issued Date: : 2023-04-12
CVE Names: CVE-2021-35065 CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2021-44906 CVE-2022-0235 CVE-2022-3517 CVE-2022-4904 CVE-2022-21824 CVE-2022-24999 CVE-2022-25881 CVE-2022-35256 CVE-2022-38900 CVE-2022-43548 CVE-2023-23918 CVE-2023-23920

Topic

An update for the nodejs:14 module is now available for Red Hat EnterpriseLinux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, noarch, ppc64le, s390x, x86_64


Bugs Fixed

2040839 - CVE-2021-44531 nodejs: Improper handling of URI Subject Alternative Names

2040846 - CVE-2021-44532 nodejs: Certificate Verification Bypass via String Injection

2040856 - CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields

2040862 - CVE-2022-21824 nodejs: Prototype pollution via console.table properties

2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor

2066009 - CVE-2021-44906 minimist: prototype pollution

2130518 - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function

2140911 - CVE-2022-43548 nodejs: DNS rebinding in inspect via invalid octal IP address

2142822 - nodejs:14/nodejs: Rebase to the latest Nodejs 14 release [rhel-8] [rhel-8.6.0.z]

2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process

2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service

2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability

2168631 - CVE-2022-4904 c-ares: buffer overflow in config_sortlist() due to missing string length check

2170644 - CVE-2022-38900 decode-uri-component: improper input validation resulting in DoS

2171935 - CVE-2023-23918 Node.js: Permissions policies can be bypassed via process.mainModule

2172217 - CVE-2023-23920 Node.js: insecure loading of ICU data through ICU_DATA environment variable

2175827 - nodejs:14/nodejs: Rebase to the latest Nodejs 14 release [rhel-8] [rhel-8.6.0.z]


Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved