rh-nodejs10-nodejs-10.21.0-3.el7

エラータID: AXSA:2020-228:02

Release date: 
Wednesday, July 22, 2020 - 06:37
Subject: 
rh-nodejs10-nodejs-10.21.0-3.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: rh-nodejs10-nodejs (10.21.0).

Security Fix(es):

* ICU: Integer overflow in UnicodeString::doAppend() (CVE-2020-10531)

* nghttp2: overly large SETTINGS frames can lead to DoS (CVE-2020-11080)

* nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598)

* nodejs: memory corruption in napi_get_value_string_* functions (CVE-2020-8174)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-10531
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
CVE-2020-11080
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
CVE-2020-7598
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
CVE-2020-8174
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. rh-nodejs10-nodejs-10.21.0-3.el7.src.rpm
    MD5: 79eb92b728a470701796fd109f69af7e
    SHA-256: 04f1cdaace3a78236156fd7024f81ed4af60fa1b3a39038ed03591b313c24265
    Size: 28.83 MB

Asianux Server 7 for x86_64
  1. rh-nodejs10-nodejs-10.21.0-3.el7.x86_64.rpm
    MD5: 3439560b14ccb1f00ba1d961d96e2d3b
    SHA-256: 816468a4d6d9992f0c1369affa07812bb8ea32e32a8d2640fc5ce4719c9166c4
    Size: 8.60 MB
  2. rh-nodejs10-nodejs-devel-10.21.0-3.el7.x86_64.rpm
    MD5: 93c2cd6e38a8aa21626e6aae863566d2
    SHA-256: 516a5b423fdc1ff44a10da7bd5745c627a106d6e839a85a673ba548eb8035896
    Size: 193.43 kB
  3. rh-nodejs10-nodejs-docs-10.21.0-3.el7.noarch.rpm
    MD5: 8835e01cae96c1e7c81b0f3def38f3b8
    SHA-256: a3bf832febb288e96028a537b2e1bf753f34e55f108cc353c8b59e3bbc81918a
    Size: 3.50 MB
  4. rh-nodejs10-npm-6.14.4-10.21.0.3.el7.x86_64.rpm
    MD5: a204852af88382a97c6e79f0a0571429
    SHA-256: 6d30bf9a95fa9dda1bf6910b46b5d164388c182b9fb73e89f9499dbd5bf4000b
    Size: 4.17 MB