AXSA:2020-760:01

Release date: Monday, October 19, 2020 - 22:38
Subject: nodejs:10 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs
(10.21.0).

Security Fix(es):

* nghttp2: overly large SETTINGS frames can lead to DoS (CVE-2020-11080)
* nodejs-minimist: prototype pollution allows adding or modifying properties
of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598)
* nodejs: memory corruption in napi_get_value_string_* functions (CVE-2020-8174)

CVE-2020-11080
In nghttp2 before version 1.41.0, an overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability: implement the nghttp2_on_frame_recv_callback callback, and if the received frame is a SETTINGS frame and the number of settings entries is large (e.g., > 32), drop the connection.
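As an added illustration of the workaround described above (not code from the advisory or from nghttp2), the same decision expressed over the raw 9-byte HTTP/2 frame header so that it runs without the nghttp2 library: parse the header, count the 6-byte settings entries, and drop the connection when the count exceeds the advisory's suggested threshold of 32. The sample frame headers are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 7540 frame header: 24-bit length, type, flags, 31-bit stream id (9 bytes).
 * A SETTINGS frame (type 0x4) carries 6-byte identifier/value entries. */
#define H2_FRAME_HEADER_LEN   9
#define H2_FRAME_SETTINGS     0x4
#define H2_SETTINGS_ENTRY_LEN 6
#define MAX_SETTINGS_ENTRIES  32 /* threshold suggested by the advisory's workaround */

typedef struct { uint32_t length; uint8_t type; uint8_t flags; uint32_t stream_id; } h2_frame_header;

/* Parse the 9-byte header; false when fewer than 9 bytes are buffered. */
bool h2_parse_frame_header(const uint8_t *buf, size_t len, h2_frame_header *out) {
    if (buf == NULL || out == NULL || len < H2_FRAME_HEADER_LEN) return false;
    out->length = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    out->type = buf[3];
    out->flags = buf[4];
    out->stream_id = (((uint32_t)buf[5] << 24) | ((uint32_t)buf[6] << 16) |
                      ((uint32_t)buf[7] << 8) | buf[8]) & 0x7fffffffu;
    return true;
}

/* Entry count of a SETTINGS frame, or -1 for a non-SETTINGS frame or a payload
 * length that is not a multiple of 6 (malformed, a connection error per RFC 7540). */
int h2_settings_entry_count(const h2_frame_header *hdr) {
    if (hdr->type != H2_FRAME_SETTINGS || hdr->length % H2_SETTINGS_ENTRY_LEN != 0) return -1;
    return (int)(hdr->length / H2_SETTINGS_ENTRY_LEN);
}

/* The workaround's decision: drop the connection when a SETTINGS frame is malformed
 * or carries more than MAX_SETTINGS_ENTRIES entries. Other frames are left alone. */
bool h2_should_drop_for_settings(const uint8_t *buf, size_t len) {
    h2_frame_header hdr;
    if (!h2_parse_frame_header(buf, len, &hdr) || hdr.type != H2_FRAME_SETTINGS) return false;
    int n = h2_settings_entry_count(&hdr);
    return n < 0 || n > MAX_SETTINGS_ENTRIES;
}

int main(void) {
    /* Constructed headers: the advisory's 14,400-byte SETTINGS frame (0x003840 bytes,
     * 2400 entries) and a benign 36-byte frame holding 6 entries. */
    const uint8_t oversized[H2_FRAME_HEADER_LEN] = {0x00, 0x38, 0x40, 0x04, 0x00, 0, 0, 0, 0};
    const uint8_t benign[H2_FRAME_HEADER_LEN]    = {0x00, 0x00, 0x24, 0x04, 0x00, 0, 0, 0, 0};
    printf("oversized SETTINGS: drop=%d\n", h2_should_drop_for_settings(oversized, sizeof oversized));
    printf("benign SETTINGS:    drop=%d\n", h2_should_drop_for_settings(benign, sizeof benign));
    return 0;
}
```

Inside a real nghttp2_on_frame_recv_callback the same two inputs are available directly as the frame type and the settings entry count, and returning a callback failure code is what closes the connection.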
CVE-2020-7598
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
CVE-2020-8174
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, < 12.18.0, and < 14.4.0.

Modularity name: nodejs
Stream name: 10

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-10.21.0-3.module+el8+126+22195e33.src.rpm
    MD5: f0fcdeab0fe4b8d34a7d09820fd8131e
    SHA-256: aec7d60714f7945d6dc22aac77d64fff7a1b0870d8676c2a1d39a66d244ee97a
    Size: 50.45 MB

Asianux Server 8 for x86_64
  1. nodejs-10.21.0-3.module+el8+126+22195e33.x86_64.rpm
    MD5: e170c9f65465732333e0510d479ad894
    SHA-256: 593bbacf510f33d2165eee4e30cfec28e175be8ac324f7ed5e2e3ef2cb78ef36
    Size: 8.85 MB
  2. nodejs-devel-10.21.0-3.module+el8+126+22195e33.x86_64.rpm
    MD5: 102b678cbbd7bbd6a62714ab4cf56398
    SHA-256: ed86b5afbac4235612aef5bfaae945db0f42f9b040b7b0108d3fdab1fc5a80b9
    Size: 161.96 kB
  3. nodejs-docs-10.21.0-3.module+el8+126+22195e33.noarch.rpm
    MD5: 039d7e4f1b55e9542592fc079bae0349
    SHA-256: 237d6c9191fefd1e461dc6209294c32c88e53a09c9f2f4bad2b303a3c15d25f4
    Size: 3.49 MB
  4. npm-6.14.4-1.10.21.0.3.module+el8+126+22195e33.x86_64.rpm
    MD5: 7ccdc2fb954f80f9cf9f243cf2a11a00
    SHA-256: 2732790e1e21472dd076e4399b2c2e1b56ce638bbf63d6bc88265134523f39ce
    Size: 3.83 MB
  5. nodejs-full-i18n-10.21.0-3.module+el8+126+22195e33.x86_64.rpm
    MD5: e1ef3c22d403531489fbbfaf06b5c2b8
    SHA-256: 33ecb269438ac5797132d27bfda7f8e7887cb0ea490945f46ed1e34f07f9a78c
    Size: 7.29 MB
Copyright © 2007-2015 Asianux. All rights reserved.