Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 579
Alerts This Week
Warning Icon 1 579

Red Hat 9 RHSA-2023-2655-01 Moderate Nodejs Nodemon Security Issue

red hat
Calendar Grey May 9, 2023
Dist Redhat Esm H88
This advisory highlights critical vulnerabilities in Node.js and nodemon, urging users to apply key patches for enhanced application security
An update for nodejs and nodejs-nodemon is now available for Red Hat Enterprise Linux 9

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: nodejs (16.19.1), nodejs-nodemon (2.0.20).
Security Fix(es):
* c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)
* http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)
* Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)
* Node.js: Fetch API did not protect against CRLF injection in host headers(CVE-2023-23936)
* Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)
* Node.js: Regular Expression Denial of Service in Headers fetch API (CVE-2023-24807)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

https://access.redhat.com/security/cve/CVE-2022-4904 https://access.redhat.com/security/cve/CVE-2022-25881 https://access.redhat.com/security/cve/CVE-2023-23918 https://access.redhat.com/security/cve/CVE-2023-23920 https://access.redhat.com/security/cve/CVE-2023-23936 https://access.redhat.com/security/cve/CVE-2023-24807 https://access.redhat.com/security/updates/classification/#moderate

Package List

Red Hat Enterprise Linux AppStream (v. 9):
Source: nodejs-16.19.1-1.el9_2.src.rpm nodejs-nodemon-2.0.20-3.el9_2.src.rpm
aarch64: nodejs-16.19.1-1.el9_2.aarch64.rpm nodejs-debuginfo-16.19.1-1.el9_2.aarch64.rpm nodejs-debugsource-16.19.1-1.el9_2.aarch64.rpm nodejs-full-i18n-16.19.1-1.el9_2.aarch64.rpm nodejs-libs-16.19.1-1.el9_2.aarch64.rpm nodejs-libs-debuginfo-16.19.1-1.el9_2.aarch64.rpm npm-8.19.3-1.16.19.1.1.el9_2.aarch64.rpm
noarch: nodejs-docs-16.19.1-1.el9_2.noarch.rpm nodejs-nodemon-2.0.20-3.el9_2.noarch.rpm
ppc64le: nodejs-16.19.1-1.el9_2.ppc64le.rpm nodejs-debuginfo-16.19.1-1.el9_2.ppc64le.rpm nodejs-debugsource-16.19.1-1.el9_2.ppc64le.rpm nodejs-full-i18n-16.19.1-1.el9_2.ppc64le.rpm nodejs-libs-16.19.1-1.el9_2.ppc64le.rpm nodejs-libs-debuginfo-16.19.1-1.el9_2.ppc64le.rpm npm-8.19.3-1.16.19.1.1.el9_2.ppc64le.rpm
s390x: nodejs-16.19.1-1.el9_2.s390x.rpm nodejs-debuginfo-16.19.1-1.el9_2.s390x.rpm nodejs-debugsource-16.19.1-1.el9_2.s390x.rpm nodejs-full-i18n-16.19.1-1.el9_2.s390x.rpm nodejs-libs-16.19.1-1.el9_2.s390x.rpm nodejs-libs-debuginfo-16.19.1-1.el9_2.s390x.rpm npm-8.19.3-1.16.19.1.1.el9_2.s390x.rpm
x86_64: nodejs-16.19.1-1.el9_2.x86_64.rpm nodejs-debuginfo-16.19.1-1.el9_2.i686.rpm nodejs-debuginfo-16.19.1-1.el9_2.x86_64.rpm

Read the Full Advisory


Advisory ID: RHSA-2023:2655-01
Product: Red Hat Enterprise Linux
Issue date: 2023-05-09

Topic

An update for nodejs and nodejs-nodemon is now available for Red HatEnterprise Linux 9.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

Bugs Fixed

2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability

2168631 - CVE-2022-4904 c-ares: buffer overflow in config_sortlist() due to missing string length check

2171935 - CVE-2023-23918 Node.js: Permissions policies can be bypassed via process.mainModule

2172190 - CVE-2023-23936 Node.js: Fetch API did not protect against CRLF injection in host headers2172204 - CVE-2023-24807 Node.js: Regular Expression Denial of Service in Headers fetch API

2172217 - CVE-2023-23920 Node.js: insecure loading of ICU data through ICU_DATA environment variable

2178076 - nodejs: Rebase to the latest Nodejs 16 release [rhel-9] [rhel-9.2.0.z]

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.