Red Hat Enterprise Linux 9.0: RHSA-2023-4036-01 Important Node.js Update
Jul 12, 2023
•
LinuxSecurity Advisories
3 - 5 min read
An update for nodejs is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
==================================================================== Red Hat Security Advisory
Synopsis: Important: nodejs security update
Advisory ID: RHSA-2023:4036-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4036
Issue date: 2023-07-12
CVE Names: CVE-2023-31124 CVE-2023-31130 CVE-2023-31147
CVE-2023-32067
====================================================================
1. Summary:
An update for nodejs is now available for Red Hat Enterprise Linux 9.0
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64
3. Description:
Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.
Security Fix(es):
* c-ares: 0-byte UDP payload Denial of Service (CVE-2023-32067)
* c-ares: Buffer Underwrite in ares_inet_net_pton() (CVE-2023-31130)
* c-ares: Insufficient randomness in generation of DNS query IDs
(CVE-2023-31147)
* c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation
(CVE-2023-31124)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2209494 - CVE-2023-31124 c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation
2209497 - CVE-2023-31130 c-ares: Buffer Underwrite in ares_inet_net_pton()
2209501 - CVE-2023-31147 c-ares: Insufficient randomness in generation of DNS query IDs
2209502 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service
6. Package List:
Red Hat Enterprise Linux AppStream EUS (v.9.0):
Source:
nodejs-16.18.1-4.el9_0.src.rpm
aarch64:
nodejs-16.18.1-4.el9_0.aarch64.rpm
nodejs-debuginfo-16.18.1-4.el9_0.aarch64.rpm
nodejs-debugsource-16.18.1-4.el9_0.aarch64.rpm
nodejs-full-i18n-16.18.1-4.el9_0.aarch64.rpm
nodejs-libs-16.18.1-4.el9_0.aarch64.rpm
nodejs-libs-debuginfo-16.18.1-4.el9_0.aarch64.rpm
npm-8.19.2-1.16.18.1.4.el9_0.aarch64.rpm
noarch:
nodejs-docs-16.18.1-4.el9_0.noarch.rpm
ppc64le:
nodejs-16.18.1-4.el9_0.ppc64le.rpm
nodejs-debuginfo-16.18.1-4.el9_0.ppc64le.rpm
nodejs-debugsource-16.18.1-4.el9_0.ppc64le.rpm
nodejs-full-i18n-16.18.1-4.el9_0.ppc64le.rpm
nodejs-libs-16.18.1-4.el9_0.ppc64le.rpm
nodejs-libs-debuginfo-16.18.1-4.el9_0.ppc64le.rpm
npm-8.19.2-1.16.18.1.4.el9_0.ppc64le.rpm
s390x:
nodejs-16.18.1-4.el9_0.s390x.rpm
nodejs-debuginfo-16.18.1-4.el9_0.s390x.rpm
nodejs-debugsource-16.18.1-4.el9_0.s390x.rpm
nodejs-full-i18n-16.18.1-4.el9_0.s390x.rpm
nodejs-libs-16.18.1-4.el9_0.s390x.rpm
nodejs-libs-debuginfo-16.18.1-4.el9_0.s390x.rpm
npm-8.19.2-1.16.18.1.4.el9_0.s390x.rpm
x86_64:
nodejs-16.18.1-4.el9_0.x86_64.rpm
nodejs-debuginfo-16.18.1-4.el9_0.i686.rpm
nodejs-debuginfo-16.18.1-4.el9_0.x86_64.rpm
nodejs-debugsource-16.18.1-4.el9_0.i686.rpm
nodejs-debugsource-16.18.1-4.el9_0.x86_64.rpm
nodejs-full-i18n-16.18.1-4.el9_0.x86_64.rpm
nodejs-libs-16.18.1-4.el9_0.i686.rpm
nodejs-libs-16.18.1-4.el9_0.x86_64.rpm
nodejs-libs-debuginfo-16.18.1-4.el9_0.i686.rpm
nodejs-libs-debuginfo-16.18.1-4.el9_0.x86_64.rpm
npm-8.19.2-1.16.18.1.4.el9_0.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key
7. References:
https://access.redhat.com/security/cve/CVE-2023-31124
https://access.redhat.com/security/cve/CVE-2023-31130
https://access.redhat.com/security/cve/CVE-2023-31147
https://access.redhat.com/security/cve/CVE-2023-32067
https://access.redhat.com/security/updates/classification#important
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJkrqy8AAoJENzjgjWX9erEKJ8QAJxKxAA+Y+Pv8URTAy4Q9Hby
E+tojNCd1nX9i1+8CWk62BDjYUujxE4URawpZi5XhLY4DvNYxlkExR6VouoKumno
fJoBiAAPsjLnNfUECQpSrwfwmdB6b8q0LQQGNYIuKXdKYW/udBddDtXVrlCFjAsK
FCQbBL4/a/TWnT7AXU513p845+d8zeGQ6gEw4mstTbnGsg/jj69h6H7TYdsW1Eq3
BnF/0GtDyiNKv3GgvWuXe8WQili1kYTZLDUnsm2onljuGJzQGxrmXkR8GZ/131+6
oFB0exQWwyru5kUu76LFSDjyABpsd4rP2Jjdk7x4nlrmIEvxqzRgW+dF43Ucvxau
RiDltNUnSuEI1yoT11Safd2qojfRA7PCl6D28cUG0fgVIzhqlWGIOvNkhBp05wS0
gmuAL15WJzF+9o77/ZPqbWjB6xDYRgHrKtMYLHRCdrPSCu5ErafLggggUi60D1yq
WCioRmMjBtuklklb/z8g+E7XrCSXff4usCDldJc7IhikQc2IKpkkGi44M6ELntdI
ujOhsZjH0bmW6wz88RKEigCT6icHrwX3uElUYdj56WLwB8NKDmUgn11WijbTg7+T
/arXJ7L93JuaJ9v9OR4+AO2jx5cME/vMtXaFhJzXhuMx2RTiXdNSCQG9Yh/FeO5v
1OyLwi0IsLapSJL6mjTN
=0cqs
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
This email address is being protected from spambots. You need JavaScript enabled to view it.
PREVIOUS
NEXT
Red Hat Enterprise Linux 9.0: RHSA-2023-4036-01 Important Node.js Update
red hat
July 12, 2023
An update for nodejs is now available for Red Hat Enterprise Linux 9.0 Extended Update Support
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
Summary
Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.
Security Fix(es):
* c-ares: 0-byte UDP payload Denial of Service (CVE-2023-32067)
* c-ares: Buffer Underwrite in ares_inet_net_pton() (CVE-2023-31130)
* c-ares: Insufficient randomness in generation of DNS query IDs
(CVE-2023-31147)
* c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation
(CVE-2023-31124)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
References
https://access.redhat.com/security/cve/CVE-2023-31124 https://access.redhat.com/security/cve/CVE-2023-31130 https://access.redhat.com/security/cve/CVE-2023-31147 https://access.redhat.com/security/cve/CVE-2023-32067 https://access.redhat.com/security/updates/classification#important
Package List
Red Hat Enterprise Linux AppStream EUS (v.9.0):
Source:
nodejs-16.18.1-4.el9_0.src.rpm
aarch64:
nodejs-16.18.1-4.el9_0.aarch64.rpm
nodejs-debuginfo-16.18.1-4.el9_0.aarch64.rpm
nodejs-debugsource-16.18.1-4.el9_0.aarch64.rpm
nodejs-full-i18n-16.18.1-4.el9_0.aarch64.rpm
nodejs-libs-16.18.1-4.el9_0.aarch64.rpm
nodejs-libs-debuginfo-16.18.1-4.el9_0.aarch64.rpm
npm-8.19.2-1.16.18.1.4.el9_0.aarch64.rpm
noarch:
nodejs-docs-16.18.1-4.el9_0.noarch.rpm
ppc64le:
nodejs-16.18.1-4.el9_0.ppc64le.rpm
nodejs-debuginfo-16.18.1-4.el9_0.ppc64le.rpm
nodejs-debugsource-16.18.1-4.el9_0.ppc64le.rpm
nodejs-full-i18n-16.18.1-4.el9_0.ppc64le.rpm
nodejs-libs-16.18.1-4.el9_0.ppc64le.rpm
nodejs-libs-debuginfo-16.18.1-4.el9_0.ppc64le.rpm
npm-8.19.2-1.16.18.1.4.el9_0.ppc64le.rpm
s390x:
nodejs-16.18.1-4.el9_0.s390x.rpm
nodejs-debuginfo-16.18.1-4.el9_0.s390x.rpm
nodejs-debugsource-16.18.1-4.el9_0.s390x.rpm
nodejs-full-i18n-16.18.1-4.el9_0.s390x.rpm
nodejs-libs-16.18.1-4.el9_0.s390x.rpm
nodejs-libs-debuginfo-16.18.1-4.el9_0.s390x.rpm
npm-8.19.2-1.16.18.1.4.el9_0.s390x.rpm
x86_64:
nodejs-16.18.1-4.el9_0.x86_64.rpm
nodejs-debuginfo-16.18.1-4.el9_0.i686.rpm
nodejs-debuginfo-16.18.1-4.el9_0.x86_64.rpm
nodejs-debugsource-16.18.1-4.el9_0.i686.rpm
nodejs-debugsource-16.18.1-4.el9_0.x86_64.rpm
Read the Full Advisory
Severity
important
Lowest
Low
Medium
High
Critical
Advisory ID: RHSA-2023:4036-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4036
Issue date: 2023-07-12
Topic
An update for nodejs is now available for Red Hat Enterprise Linux 9.0Extended Update Support.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Relevant Releases Architectures
Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64
Bugs Fixed
2209494 - CVE-2023-31124 c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation
2209497 - CVE-2023-31130 c-ares: Buffer Underwrite in ares_inet_net_pton()
2209501 - CVE-2023-31147 c-ares: Insufficient randomness in generation of DNS query IDs
2209502 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!