rh-nodejs8-nodejs-8.17.0-2.el7
Errata ID: AXSA:2020-200:01
An update for rh-nodejs8-nodejs is now available for Asianux Software Collections.
Asianux Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: rh-nodejs8-nodejs (8.17.0).
Security Fix(es):
* nodejs-brace-expansion: Regular expression denial of service (CVE-2017-18077)
* nodejs-chownr: TOCTOU vulnerability in `chownr` function in chownr.js (CVE-2017-18869)
* nodejs-sshpk: ReDoS when parsing crafted invalid public keys in lib/formats/ssh.js (CVE-2018-3737)
* nodejs-deep-extend: Prototype pollution can allow attackers to modify object properties (CVE-2018-3750)
* npm: Symlink reference outside of node_modules folder through the bin field upon installation (CVE-2019-16775)
* npm: Arbitrary file write via constructed entry in the package.json bin field (CVE-2019-16776)
* npm: Global node_modules Binary Overwrite (CVE-2019-16777)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2017-18077
index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.
CVE-2017-18869
A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.
CVE-2018-3737
sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.
CVE-2018-3750
The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
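The deep-extend flaw above comes from a merge that recurses into whatever key the input names, including the one that reaches Object.prototype. As an added example (not the advisory's or the deep-extend project's code), a merge that refuses such keys, plus a scanner for untrusted input; the sample JSON, the key set and the function names are constructed for illustration.

```javascript
// Added example (not the advisory's or deep-extend's code): a recursive merge
// that drops the keys through which JSON input can reach Object.prototype,
// plus a scanner that reports where untrusted input uses such keys.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Merge `source` into `target`; forbidden keys are skipped and appended to `report`.
function safeDeepMerge(target, source, report = []) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      report.push(key); // never written, so target's prototype chain is untouched
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      // Recurse only into an own plain object; never into an inherited property.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeDeepMerge(target[key], value, report);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Returns JSON-style paths (e.g. '$.opts.__proto__') of every forbidden key in `input`.
function findPollutionKeys(input, prefix = '$', found = []) {
  if (!isPlainObject(input)) return found;
  for (const key of Object.keys(input)) {
    const here = `${prefix}.${key}`;
    if (FORBIDDEN_KEYS.has(key)) found.push(here);
    findPollutionKeys(input[key], here, found);
  }
  return found;
}

// Constructed sample: a user-supplied options document with a nested "__proto__" key.
// JSON.parse keeps it as an own property, so a naive merge would walk into the prototype.
const UNTRUSTED_JSON = '{"theme":"dark","opts":{"__proto__":{"isAdmin":true}}}';

function demo() {
  const parsed = JSON.parse(UNTRUSTED_JSON);
  const report = [];
  const merged = safeDeepMerge({ opts: { retries: 3 } }, parsed, report);
  // `polluted` stays false: a fresh object has not gained an isAdmin property.
  return { merged, report, suspicious: findPollutionKeys(parsed), polluted: ({}).isAdmin !== undefined };
}
```

Running the scanner before the merge gives a log-worthy signal (the offending path) rather than a silent drop.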
CVE-2019-16775
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
CVE-2019-16776
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
CVE-2019-16777
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Update packages.
N/A
SRPMS
- rh-nodejs8-nodejs-8.17.0-2.el7.src.rpm
MD5: ce945e118725c11cf511a4f4d84ac734
SHA-256: 668d2631a5d91281c00f83bcc07014136f9e36eddf558582f72d6fbee112abd8
Size: 25.41 MB
Asianux Server 7 for x86_64
- rh-nodejs8-nodejs-8.17.0-2.el7.x86_64.rpm
MD5: c941fddbb1c9bad7f77579436e60e892
SHA-256: 455485d7fc1bdc903a63b06dbb643ce2965a0216adbd9516caca7d49086ca4d3
Size: 7.29 MB
- rh-nodejs8-nodejs-devel-8.17.0-2.el7.x86_64.rpm
MD5: 72282d79b784637cc3696452a83921a5
SHA-256: 2a681962d0fb244f9cc7fbbe8ccf205396c6b41f3ac0cec8e3b1632a09cbaf6a
Size: 8.92 MB
- rh-nodejs8-nodejs-docs-8.17.0-2.el7.noarch.rpm
MD5: f91159e6e7b7d90d3941c57143b27d50
SHA-256: 83cfac6cdb2ebab02a83f64582832050982b6fddc31a37c30ef584ef0484909b
Size: 2.66 MB
- rh-nodejs8-npm-6.13.4-8.17.0.2.el7.x86_64.rpm
MD5: 08296a8cfeab401866814715cd49a8d4
SHA-256: 730ae7fd320416913768d195e61705fd287104e66c7238939cf6baaaf0d2d144
Size: 4.74 MB