rh-nodejs12-nodejs-12.18.2-1.el7
エラータID: AXSA:2020-219:03
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: rh-nodejs12-nodejs (12.18.2).
Security Fix(es):
* ICU: Integer overflow in UnicodeString::doAppend() (CVE-2020-10531)
* nghttp2: overly large SETTINGS frames can lead to DoS (CVE-2020-11080)
* nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598)
* nodejs: TLS session reuse can lead to hostname verification bypass (CVE-2020-8172)
* nodejs: memory corruption in napi_get_value_string_* functions (CVE-2020-8174)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2020-10531
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
CVE-2020-11080
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
CVE-2020-7598
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
CVE-2020-8172
TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.
CVE-2020-8174
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Update packages.
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
N/A
SRPMS
- rh-nodejs12-nodejs-12.18.2-1.el7.src.rpm
MD5: a32fc1e530526ed19f2358a1fda013c7
SHA-256: 4d6c025c98ba5c252dc746787cd1959818f08c3f609ca587ee97cede0743afa6
Size: 32.92 MB
Asianux Server 7 for x86_64
- rh-nodejs12-nodejs-12.18.2-1.el7.x86_64.rpm
MD5: 7bf1bcc6960cdcd488836d7970a20831
SHA-256: 7d0f75eb5c8268ad0e9af09d8d5fd4d1ed23b783cfbc184f24f12d16e4ac4da4
Size: 10.05 MB - rh-nodejs12-nodejs-devel-12.18.2-1.el7.x86_64.rpm
MD5: f2de316ca77036453a29e3e632bb8c5c
SHA-256: c6d41cd926559e7933e96d4ef9c8aa23777acf1cd5a81e0fad4d9355834fd16f
Size: 203.65 kB - rh-nodejs12-nodejs-docs-12.18.2-1.el7.noarch.rpm
MD5: cd6f8c4d4a77c4e8770ad3eb5e2150e7
SHA-256: 337759bb4a0afa51e30d921762993bb9445248ec7fb0cd87de37a9cada291750
Size: 3.98 MB - rh-nodejs12-npm-6.14.5-12.18.2.1.el7.x86_64.rpm
MD5: a60e149e6927b81b2f5027e7e6b41ea8
SHA-256: b6e8320226d4bdcbdd0fbd254c6a65d010923f9283ec489f0a1abf834b0382ca
Size: 4.17 MB