nodejs:10 security update

エラータID: AXSA:2021-1501:01

Release date: 
Thursday, February 18, 2021 - 13:14
Subject: 
nodejs:10 security update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (10.23.1).

Security Fix(es):

* libuv: buffer overflow in realpath (CVE-2020-8252)

* nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754)

* nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)

* nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)

* nodejs-dot-prop: prototype pollution (CVE-2020-8116)

* nodejs: use-after-free in the TLS implementation (CVE-2020-8265)

* npm: sensitive information exposure through logs (CVE-2020-15095)

* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)

* nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)

* nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-15095
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log files.
CVE-2020-15366
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
CVE-2020-7608
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
CVE-2020-7754
This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
CVE-2020-7774
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true
CVE-2020-7788
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
CVE-2020-8116
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
CVE-2020-8252
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
CVE-2020-8265
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
CVE-2020-8287
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

Modularity name: nodejs
Stream name: 10

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-1.18.3-1.module+el8+1186+790d17e4.src.rpm
    MD5: d6568b0b137e45064c8a877fe5fcf00a
    SHA-256: dc18f034a5924b257d6b7f823a8baeb4bb9fcfabd5ef694d12461e7c10fa37fe
    Size: 1.35 MB
  2. nodejs-packaging-17-3.module+el8+1186+790d17e4.src.rpm
    MD5: a03713f3e49a3d12795118e8ebf24909
    SHA-256: cdfc600f0f79a403d8754b80e75b647d2d6f6dfbd25174d50ebd274972ed90ff
    Size: 20.66 kB
  3. nodejs-10.23.1-1.module+el8+1186+790d17e4.src.rpm
    MD5: 93e8a67e70ae51aa448fbcc83e37e6c6
    SHA-256: f6d6f0e7cbfacca609a2476c64d9664a3a3e34711cccfe97f690ebfb470c800c
    Size: 50.13 MB

Asianux Server 8 for x86_64
  1. nodejs-nodemon-1.18.3-1.module+el8+1186+790d17e4.noarch.rpm
    MD5: ff37deb1f085b9d0338a0e45a4eecc72
    SHA-256: 7913bf93ccaa7bf78596f9a7aaeb79e392c2fa7c62125b36209afb06bb86c3fa
    Size: 963.33 kB
  2. nodejs-packaging-17-3.module+el8+1186+790d17e4.noarch.rpm
    MD5: ac3b85e56b6df4d096a532c5ff4448a7
    SHA-256: d7fb256b70ff47ebffff74dba1ab9b41fcbc05f4fb97588e4cd2e3d5442e1f3f
    Size: 18.43 kB
  3. nodejs-10.23.1-1.module+el8+1186+790d17e4.x86_64.rpm
    MD5: 59494772f5b07251aabcf259d598f331
    SHA-256: 24d5381a39ee6de2ddf7fdac0eb2198ad2463453762c0121fcae1c435c5e3241
    Size: 8.85 MB
  4. nodejs-debugsource-10.23.1-1.module+el8+1186+790d17e4.x86_64.rpm
    MD5: 6d834b3cfee54de1483d128337a278af
    SHA-256: fe71d76cbaecbd833abab8f8de30723016e6e3c27f2b59a16f143a92a079d1a4
    Size: 9.70 MB
  5. nodejs-devel-10.23.1-1.module+el8+1186+790d17e4.x86_64.rpm
    MD5: 5f58887a8f3d8c9b4c5bfaeda07592ec
    SHA-256: 15f3b5af4cb7e978774898b2a1a4b33ad2f08daf5681ccbab1cd0146fd3a20b2
    Size: 162.62 kB
  6. nodejs-docs-10.23.1-1.module+el8+1186+790d17e4.noarch.rpm
    MD5: fb3b9b272b6e762997902595c486fd34
    SHA-256: 59ca06759f196a2fed64103b3fce0ccd90a6914edcae88f89915cda5efb1b59b
    Size: 3.35 MB
  7. nodejs-full-i18n-10.23.1-1.module+el8+1186+790d17e4.x86_64.rpm
    MD5: 4f85603ec3d4955f4b4c13cd5151418e
    SHA-256: 06f3a24bc667eb20bd9191155b7e44da116f7b29280755543dec3dcdf62de195
    Size: 7.29 MB
  8. npm-6.14.10-1.10.23.1.1.module+el8+1186+790d17e4.x86_64.rpm
    MD5: 36f6cab104e3b0b946081543527d5b0c
    SHA-256: dbdb7c5937bbec4ba70f56cae08c7f66c3cb2de684121ddf78744393b8e56e24
    Size: 3.67 MB