AXSA:2021-1558:01

Release date: Saturday, March 6, 2021 - 23:45
Subject: nodejs:10 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs
(10.24.0).

Security Fix(es):

* nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion
(CVE-2021-22883)
* nodejs: DNS rebinding in --inspect (CVE-2021-22884)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE(s):
CVE-2021-22883
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial
of service attack when too many connection attempts with an 'unknownProtocol'
are established. This leads to a leak of file descriptors. If a file descriptor
limit is configured on the system, then the server is unable to accept new
connections and the process is also prevented from opening, e.g., a file. If no
file descriptor limit is configured, then this leads to excessive memory usage
and causes the system to run out of memory.
CVE-2021-22884
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS
rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is
not present in /etc/hosts, it is just an ordinary domain that is resolved via
DNS, i.e., over the network. If the attacker controls the victim's DNS server
or can spoof its responses, the DNS rebinding protection can be bypassed by
using the “localhost6” domain. As long as the attacker uses the “localhost6”
domain, they can still apply the attack described in CVE-2018-7160.
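
The allowlist weakness described for CVE-2021-22884, as an added example that is not Node.js's own code and not part of the original advisory: a simplified Host-header check evaluated with "localhost6" on the allowlist and with it removed. All function and constant names are hypothetical, the sample headers are constructed, and accepting IP literals unconditionally is an assumption of this model.

```javascript
// Added illustration: simplified model of a DNS-rebinding Host-header check.
// All names are hypothetical; this is not the Node.js inspector source.

const ALLOWLIST_BEFORE_FIX = ['localhost', 'localhost6']; // per the advisory text
const ALLOWLIST_AFTER_FIX = ['localhost'];                // 'localhost6' dropped

// Reduce "name:port", "1.2.3.4:port" or "[::1]:port" to a bare, lowercased host.
function hostFromHeader(header) {
  const value = String(header || '').trim().toLowerCase();
  if (value.startsWith('[')) {
    const end = value.indexOf(']');
    return end === -1 ? null : value.slice(0, end + 1);
  }
  const colon = value.lastIndexOf(':');
  return colon === -1 ? value : value.slice(0, colon);
}

// Assumption of this model: IP literals involve no DNS lookup, so they pass.
function isIpLiteral(host) {
  if (/^\[[0-9a-f:.]+\]$/.test(host)) return true; // bracketed IPv6 literal
  const parts = host.split('.');
  return parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Non-literal names pass only if allowlisted, so every allowlisted name must
// be one that resolves locally rather than through network DNS.
function isAllowedHost(header, allowlist) {
  const host = hostFromHeader(header);
  if (host === null || host === '') return false;
  return isIpLiteral(host) || allowlist.includes(host);
}

// Evaluate each header under both allowlists for side-by-side comparison.
function compareAllowlists(headers) {
  return headers.map((h) => ({
    header: h,
    beforeFix: isAllowedHost(h, ALLOWLIST_BEFORE_FIX),
    afterFix: isAllowedHost(h, ALLOWLIST_AFTER_FIX),
  }));
}

// Constructed sample Host headers (9229 is the default inspector port).
const SAMPLE_HEADERS = ['localhost:9229', '127.0.0.1:9229', '[::1]:9229',
  'localhost6:9229', 'LOCALHOST6', 'rebind.example:9229'];
console.table(compareAllowlists(SAMPLE_HEADERS));
```

Only the two "localhost6" rows change between the columns; the same comparison can be used to review any other hostname on a local-service allowlist that is not guaranteed to resolve from /etc/hosts.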

Modularity name: nodejs
Stream name: 10

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-1.18.3-1.module+el8+1212+8a4373da.src.rpm
    MD5: 4d70849b45c9c41bbcb96cbffc4d5ac4
    SHA-256: 391cb10666cd38e4a66fba3c6d792218f506268e517b0c0b9e26f87a62402d31
    Size: 1.35 MB
  2. nodejs-packaging-17-3.module+el8+1212+8a4373da.src.rpm
    MD5: 0aef6098a56e26d4e054b394455ae9a8
    SHA-256: 7781f703482072db1ca35c7f11d8fdf35253ce8cec9e93b1e0cab9436fa50685
    Size: 20.66 kB
  3. nodejs-10.24.0-1.module+el8+1212+8a4373da.src.rpm
    MD5: 866776fe9d51cd8b4e11f14c83e2d832
    SHA-256: 76dfd18a1d36620a55a8e891afee8372245a67bbbd1489a116a29350a0204106
    Size: 50.13 MB

Asianux Server 8 for x86_64
  1. nodejs-nodemon-1.18.3-1.module+el8+1212+8a4373da.noarch.rpm
    MD5: 7fd3e1182440efcdaa4a06f20e290113
    SHA-256: 632d7bcb431317a51012f777097cfcbdfa1c9c132152babd1fec64756147a511
    Size: 963.33 kB
  2. nodejs-packaging-17-3.module+el8+1212+8a4373da.noarch.rpm
    MD5: 0f338e33048520f2f6eaf7a74d1dd8b6
    SHA-256: 944e3e31e0fc3e5ae7a70ee2d7bb30fd43e3da535fa51af500f43cf352133ae9
    Size: 18.43 kB
  3. nodejs-10.24.0-1.module+el8+1212+8a4373da.x86_64.rpm
    MD5: df730047b53a5130f79a99e896863e49
    SHA-256: 67d1514d2c2b5dcec6066797164298989f4f6c712099a574f28343e0ee6d3f04
    Size: 8.85 MB
  4. nodejs-debugsource-10.24.0-1.module+el8+1212+8a4373da.x86_64.rpm
    MD5: 69b5ef23f458c02762e52ef62f9d5179
    SHA-256: a9bc439c4f6876be7700228a636641fc002155d4d5aaebe804c16dcb393d76d8
    Size: 9.70 MB
  5. nodejs-devel-10.24.0-1.module+el8+1212+8a4373da.x86_64.rpm
    MD5: e52733c8efeebcf9e3e8b75c6b9874b2
    SHA-256: 2e0fe5a7393aae25d19c552cdd64a36c03e6335ccf3f4692180a43e62e8dc0ed
    Size: 162.83 kB
  6. nodejs-docs-10.24.0-1.module+el8+1212+8a4373da.noarch.rpm
    MD5: 1687b740de98f857c6b71fcf23206d68
    SHA-256: c5714916c0582d32a7c8296240a72d709e5190a508227c89f2992b4ad2282f95
    Size: 3.36 MB
  7. nodejs-full-i18n-10.24.0-1.module+el8+1212+8a4373da.x86_64.rpm
    MD5: dec6b9f215568f105656476c525d04ee
    SHA-256: a686fbf757a2ee449ed460b4acf779d6d97440180071cd1dde20d15fefb4f76b
    Size: 7.29 MB
  8. npm-6.14.11-1.10.24.0.1.module+el8+1212+8a4373da.x86_64.rpm
    MD5: b13153f8ac89e2268b1cd5d78b9e329b
    SHA-256: f5e1394f1a0575d2df8288495722d1fc413f22e144e554434e197d5a737a296e
    Size: 3.67 MB