rh-nodejs12-nodejs-12.18.2-1.el7

エラータID: AXSA:2020-219:03

Release date: 
Tuesday, July 14, 2020 - 10:54
Subject: 
rh-nodejs12-nodejs-12.18.2-1.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: rh-nodejs12-nodejs (12.18.2).

Security Fix(es):

* ICU: Integer overflow in UnicodeString::doAppend() (CVE-2020-10531)

* nghttp2: overly large SETTINGS frames can lead to DoS (CVE-2020-11080)

* nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598)

* nodejs: TLS session reuse can lead to hostname verification bypass (CVE-2020-8172)

* nodejs: memory corruption in napi_get_value_string_* functions (CVE-2020-8174)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-10531
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
CVE-2020-11080
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
CVE-2020-7598
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
CVE-2020-8172
TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.
CVE-2020-8174
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Solution: 

Update packages.

CVEs: 
CVE-2020-10531
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
CVE-2020-11080
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
CVE-2020-7598
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
CVE-2020-8172
TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.
CVE-2020-8174
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Additional Info: 

N/A

Download: 

SRPMS
  1. rh-nodejs12-nodejs-12.18.2-1.el7.src.rpm
    MD5: a32fc1e530526ed19f2358a1fda013c7
    SHA-256: 4d6c025c98ba5c252dc746787cd1959818f08c3f609ca587ee97cede0743afa6
    Size: 32.92 MB

Asianux Server 7 for x86_64
  1. rh-nodejs12-nodejs-12.18.2-1.el7.x86_64.rpm
    MD5: 7bf1bcc6960cdcd488836d7970a20831
    SHA-256: 7d0f75eb5c8268ad0e9af09d8d5fd4d1ed23b783cfbc184f24f12d16e4ac4da4
    Size: 10.05 MB
  2. rh-nodejs12-nodejs-devel-12.18.2-1.el7.x86_64.rpm
    MD5: f2de316ca77036453a29e3e632bb8c5c
    SHA-256: c6d41cd926559e7933e96d4ef9c8aa23777acf1cd5a81e0fad4d9355834fd16f
    Size: 203.65 kB
  3. rh-nodejs12-nodejs-docs-12.18.2-1.el7.noarch.rpm
    MD5: cd6f8c4d4a77c4e8770ad3eb5e2150e7
    SHA-256: 337759bb4a0afa51e30d921762993bb9445248ec7fb0cd87de37a9cada291750
    Size: 3.98 MB
  4. rh-nodejs12-npm-6.14.5-12.18.2.1.el7.x86_64.rpm
    MD5: a60e149e6927b81b2f5027e7e6b41ea8
    SHA-256: b6e8320226d4bdcbdd0fbd254c6a65d010923f9283ec489f0a1abf834b0382ca
    Size: 4.17 MB