Explore top 10 tips to secure your open-source projects now. Read More
×
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version:
nodejs (16.19.1), nodejs-nodemon (2.0.20).
Security Fix(es):
* c-ares: buffer overflow in config_sortlist() due to missing string length
check (CVE-2022-4904)
* http-cache-semantics: Regular Expression Denial of Service (ReDoS)
vulnerability (CVE-2022-25881)
* Node.js: Permissions policies can be bypassed via process.mainModule
(CVE-2023-23918)
* Node.js: Fetch API did not protect against CRLF injection in host headers(CVE-2023-23936)
* Node.js: insecure loading of ICU data through ICU_DATA environment
variable (CVE-2023-23920)
* Node.js: Regular Expression Denial of Service in Headers fetch API
(CVE-2023-24807)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
https://access.redhat.com/security/cve/CVE-2022-4904 https://access.redhat.com/security/cve/CVE-2022-25881 https://access.redhat.com/security/cve/CVE-2023-23918 https://access.redhat.com/security/cve/CVE-2023-23920 https://access.redhat.com/security/cve/CVE-2023-23936 https://access.redhat.com/security/cve/CVE-2023-24807 https://access.redhat.com/security/updates/classification/#moderate
Red Hat Enterprise Linux AppStream (v. 9):
Source:
nodejs-16.19.1-1.el9_2.src.rpm
nodejs-nodemon-2.0.20-3.el9_2.src.rpm
aarch64:
nodejs-16.19.1-1.el9_2.aarch64.rpm
nodejs-debuginfo-16.19.1-1.el9_2.aarch64.rpm
nodejs-debugsource-16.19.1-1.el9_2.aarch64.rpm
nodejs-full-i18n-16.19.1-1.el9_2.aarch64.rpm
nodejs-libs-16.19.1-1.el9_2.aarch64.rpm
nodejs-libs-debuginfo-16.19.1-1.el9_2.aarch64.rpm
npm-8.19.3-1.16.19.1.1.el9_2.aarch64.rpm
noarch:
nodejs-docs-16.19.1-1.el9_2.noarch.rpm
nodejs-nodemon-2.0.20-3.el9_2.noarch.rpm
ppc64le:
nodejs-16.19.1-1.el9_2.ppc64le.rpm
nodejs-debuginfo-16.19.1-1.el9_2.ppc64le.rpm
nodejs-debugsource-16.19.1-1.el9_2.ppc64le.rpm
nodejs-full-i18n-16.19.1-1.el9_2.ppc64le.rpm
nodejs-libs-16.19.1-1.el9_2.ppc64le.rpm
nodejs-libs-debuginfo-16.19.1-1.el9_2.ppc64le.rpm
npm-8.19.3-1.16.19.1.1.el9_2.ppc64le.rpm
s390x:
nodejs-16.19.1-1.el9_2.s390x.rpm
nodejs-debuginfo-16.19.1-1.el9_2.s390x.rpm
nodejs-debugsource-16.19.1-1.el9_2.s390x.rpm
nodejs-full-i18n-16.19.1-1.el9_2.s390x.rpm
nodejs-libs-16.19.1-1.el9_2.s390x.rpm
nodejs-libs-debuginfo-16.19.1-1.el9_2.s390x.rpm
npm-8.19.3-1.16.19.1.1.el9_2.s390x.rpm
x86_64:
nodejs-16.19.1-1.el9_2.x86_64.rpm
nodejs-debuginfo-16.19.1-1.el9_2.i686.rpm
nodejs-debuginfo-16.19.1-1.el9_2.x86_64.rpm
Read the Full Advisory
An update for nodejs and nodejs-nodemon is now available for Red HatEnterprise Linux 9.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64
2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability
2168631 - CVE-2022-4904 c-ares: buffer overflow in config_sortlist() due to missing string length check
2171935 - CVE-2023-23918 Node.js: Permissions policies can be bypassed via process.mainModule
2172190 - CVE-2023-23936 Node.js: Fetch API did not protect against CRLF injection in host headers2172204 - CVE-2023-24807 Node.js: Regular Expression Denial of Service in Headers fetch API
2172217 - CVE-2023-23920 Node.js: insecure loading of ICU data through ICU_DATA environment variable
2178076 - nodejs: Rebase to the latest Nodejs 16 release [rhel-9] [rhel-9.2.0.z]
Get the latest Linux and open source security news straight to your inbox.