Release date: 
Thursday, February 18, 2021 - 03:38
nodejs:12 security update
Affected Channels: 
Asianux Server 8 for x86_64

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (12.20.1), nodejs-nodemon (2.0.3).

Security Fix(es):

* nodejs-mixin-deep: prototype pollution in function mixin-deep (CVE-2019-10746)

* nodejs-set-value: prototype pollution in function set-value (CVE-2019-10747)

* nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754)

* nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)

* nodejs: use-after-free in the TLS implementation (CVE-2020-8265)

* nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)

* nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)

* c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277)

* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and _proto_ payloads.
This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true

Modularity name: nodejs
Stream name: 12


Update packages.

Additional Info: 



  1. nodejs-nodemon-2.0.3-1.module+el8+1184+e1f89a2b.src.rpm
    MD5: 8f6928f771ac26d0ac401aa3b67735aa
    SHA-256: cfb87056049eaa2339be5ac6246627a11b6de115999a8e9c08454576a3a091f7
    Size: 1.15 MB
  2. nodejs-packaging-17-3.module+el8+1184+e1f89a2b.src.rpm
    MD5: 55a8b228bf8e83100bc34aae26a6eea0
    SHA-256: 7f2b00d5804cfe81fa55d324f4d4639795c56f63458ca07bd4cef9009abe5764
    Size: 20.66 kB
  3. nodejs-12.20.1-1.module+el8+1184+e1f89a2b.src.rpm
    MD5: e9f27692f2f255b83fcfc8b250849181
    SHA-256: 58cb94b147f9872186d6f95c99bedbc6bfa3d44dfa1b561942287719b79656b4
    Size: 55.76 MB

Asianux Server 8 for x86_64
  1. nodejs-nodemon-2.0.3-1.module+el8+1184+e1f89a2b.noarch.rpm
    MD5: a851b3d26ddf2d515d610b4d267ab073
    SHA-256: ce3f26dc8875c1c089c8f4997f7592877a12e125307a0cd5d7573cb657817871
    Size: 807.00 kB
  2. nodejs-packaging-17-3.module+el8+1184+e1f89a2b.noarch.rpm
    MD5: 8cc5861cdfd95d082d45961fae39b7a8
    SHA-256: 636ba9d03b9181b2455cacac9a298641cf21a46e87a12359b113d59664583563
    Size: 18.43 kB
  3. nodejs-12.20.1-1.module+el8+1184+e1f89a2b.x86_64.rpm
    MD5: cf8492098ca6549c0b310455c8f432b5
    SHA-256: 7e9e85dc960a355c4b7ff71a3f43e9df973ba5350a4174493177d37afc358979
    Size: 10.12 MB
  4. nodejs-debugsource-12.20.1-1.module+el8+1184+e1f89a2b.x86_64.rpm
    MD5: 8d7e2cf7e7935c2b2667fabe6fe9c72e
    SHA-256: 1f75d12490ca76a1777200d29394da2daa9c97ee9b931cba582c78ba8b9823eb
    Size: 10.34 MB
  5. nodejs-devel-12.20.1-1.module+el8+1184+e1f89a2b.x86_64.rpm
    MD5: e16c34cb590e7708cf04f2b54ce0195e
    SHA-256: bde9cb0fb7b3dab2c1ef081a09cf0c22b38f92d8b09fb534f7ed9cd03accd921
    Size: 174.75 kB
  6. nodejs-docs-12.20.1-1.module+el8+1184+e1f89a2b.noarch.rpm
    MD5: 49424b0050c69e506d5b55aa665bad4f
    SHA-256: 8577d2237492079c745baede73c9c50a8868f1fa2d66295d5d8e308273624062
    Size: 4.09 MB
  7. nodejs-full-i18n-12.20.1-1.module+el8+1184+e1f89a2b.x86_64.rpm
    MD5: 9a9bba0c3788e4eb8303fb0fd1648842
    SHA-256: 522147aafdfc95254c940368940b3f9394fc65bdd0e7e2be29eed21fbe47abbe
    Size: 7.49 MB
  8. npm-6.14.10-
    MD5: 514fe5860bcf2390ef802798c975fc1a
    SHA-256: 96201bbfc09a1b9f3cbe17083940a6cb9e01f0f02fd51569be92391ccca346ec
    Size: 3.67 MB
Copyright© 2007-2015 Asianux. All rights reserved.