nodejs:12 security and bug fix update

エラータID: AXSA:2020-792:01

Release date: 
Monday, October 26, 2020 - 06:36
Subject: 
nodejs:12 security and bug fix update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs
(12.18.4).

Security Fix(es):
nodejs-dot-prop: prototype pollution (CVE-2020-8116)
nodejs: HTTP request smuggling due to CR-to-Hyphen conversion (CVE-2020-8201)
npm: Sensitive information exposure through logs (CVE-2020-15095)
libuv: buffer overflow in realpath (CVE-2020-8252)

nghttp2: overly large SETTINGS frames can lead to DoS (CVE-2020-11080)
nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598)
nodejs: TLS session reuse can lead to hostname verification bypass (CVE-2020-8172)
nodejs: memory corruption in napi_get_value_string_* functions (CVE-2020-8174)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

Bug Fix(es):
The nodejs:12/development module is not installable

CVEs:
CVE-2020-7598
CVE-2020-8116
CVE-2020-8172
CVE-2020-8174
CVE-2020-8201
CVE-2020-8252
CVE-2020-15095
CVE-2020-11080

Modularity name: nodejs
Stream name: 12

Solution: 

Update packages.

CVEs: 
CVE-2020-15095
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log files.
CVE-2020-8116
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
CVE-2020-8201
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.
CVE-2020-8252
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
CVE-2020-8172
TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.
CVE-2020-8174
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
CVE-2020-7598
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
CVE-2020-11080
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-1.18.3-1.module+el8+132+1cd968c0.src.rpm
    MD5: acbf257cc7e07af61ed904f98bac15b2
    SHA-256: 7837a84681400a28f637121918e65d1470ed5de1750939844539dd4e0f0dfc36
    Size: 1.35 MB
  2. nodejs-packaging-17-3.module+el8+132+1cd968c0.src.rpm
    MD5: 8fb55e6e1a0d13fdf8a92a84b7c1b566
    SHA-256: 496e4ab95dafb1fb923c4abf1a09bd96ce78db185da48a8803f57ff4d517a9c0
    Size: 20.66 kB
  3. nodejs-12.18.4-2.module+el8+132+1cd968c0.src.rpm
    MD5: 1d7aec04068c2ee422ed7bcbdcca8e25
    SHA-256: a1022d73e03212f64eb8be93fee91ea686018c4a2a7e1a5c8f708c34e4ab063f
    Size: 55.00 MB

Asianux Server 8 for x86_64
  1. nodejs-nodemon-1.18.3-1.module+el8+132+1cd968c0.noarch.rpm
    MD5: 4de418d0e4684d3c44ea5a0d297dece1
    SHA-256: 871c96c685bbf23a190e35b0b6f1abd886c871bd953fe7881bc2b8f3a57e743b
    Size: 963.32 kB
  2. nodejs-packaging-17-3.module+el8+132+1cd968c0.noarch.rpm
    MD5: 5158b2f6c6bb9797a47a26b3ed406bd9
    SHA-256: 88164ebf2746649304cab6b7793293045c4acffb829f688f762992ae9b3a7e1f
    Size: 18.43 kB
  3. nodejs-12.18.4-2.module+el8+132+1cd968c0.x86_64.rpm
    MD5: 43ea09045d6c844f05b0dec5fe69a101
    SHA-256: d64bd45a58efcb126da4b0d4b0af933db573d9ac1e50ad280942b9f9e22415ff
    Size: 10.30 MB
  4. nodejs-devel-12.18.4-2.module+el8+132+1cd968c0.x86_64.rpm
    MD5: efffd9d3fb5cb2567be6625be03efa39
    SHA-256: 967e45e968e93241824505df69f32135ff5224006a33dacaaf7c017a793a9887
    Size: 172.18 kB
  5. nodejs-docs-12.18.4-2.module+el8+132+1cd968c0.noarch.rpm
    MD5: 1221bff22b2e595d33f53e51bbb9e643
    SHA-256: b2f086cd6ac099d7f936c31101b0846f8ba1a5d26805a139a39d29df4ac8b837
    Size: 3.99 MB
  6. nodejs-full-i18n-12.18.4-2.module+el8+132+1cd968c0.x86_64.rpm
    MD5: e60e4cd4b029d40fc3e20c3a9f215165
    SHA-256: b081a1957f84615ea8414e166f9e1e77007c81990fac92b74822601d3b7298c2
    Size: 7.49 MB
  7. npm-6.14.6-1.12.18.4.2.module+el8+132+1cd968c0.x86_64.rpm
    MD5: de533cfa0e1d96e1800003dc995fa8ed
    SHA-256: fddd3d2dcb865689e83dc094d863560c24189c83619c93875206a5183976a735
    Size: 3.83 MB