AXSA:2021-1559:01

Release date: Sunday, March 7, 2021 - 00:40
Subject: nodejs:12 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs
(12.21.0).

Security Fix(es):

* nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion
(CVE-2021-22883)
* nodejs: DNS rebinding in --inspect (CVE-2021-22884)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE(s):
CVE-2021-22883
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial
of service attack when too many connection attempts with an 'unknownProtocol'
are established. This leads to a leak of file descriptors. If a file descriptor
limit is configured on the system, then the server is unable to accept new
connections, and the process is also prevented from opening, e.g., a file. If no
file descriptor limit is configured, then this leads to excessive memory usage
and causes the system to run out of memory.
CVE-2021-22884
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS
rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is
not present in /etc/hosts, it is just an ordinary domain that is resolved via
DNS, i.e., over network. If the attacker controls the victim's DNS server or can
spoof its responses, the DNS rebinding protection can be bypassed by using the
“localhost6” domain. As long as the attacker uses the “localhost6” domain, they
can still apply the attack described in CVE-2018-7160.
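
A host-side check for the two conditions described above, as an added example that is not part of the advisory: it compares a Node.js version with the fixed releases listed here and tests whether a hosts file pins "localhost6" to a loopback address. The function names and the sample hosts content are constructed, and release lines the advisory does not name are assumed to have no fixed release.

```javascript
// Fixed releases per release line, taken from the CVE text in this advisory.
const FIXED = { 10: [10, 24, 0], 12: [12, 21, 0], 14: [14, 16, 0], 15: [15, 10, 0] };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable Node.js version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when the version predates the fixed release of its line.
function isAffected(version) {
  const ver = parseVersion(version);
  const fixed = FIXED[ver[0]];
  // Assumption: lines the advisory does not name (e.g. 11.x, 13.x) have no
  // fixed release, so anything there below the 15.x line counts as affected.
  if (!fixed) return ver[0] < 15;
  for (let i = 0; i < 3; i++) {
    if (ver[i] !== fixed[i]) return ver[i] < fixed[i];
  }
  return false; // exactly the fixed release
}

// Addresses that the given hosts-file text maps to `name` (comments ignored).
function hostsLookup(hostsText, name) {
  const hits = [];
  for (const raw of hostsText.split(/\r?\n/)) {
    const fields = raw.replace(/#.*/, '').trim().split(/\s+/);
    if (fields.length < 2) continue;
    const [addr, ...names] = fields;
    if (names.some((n) => n.toLowerCase() === name)) hits.push(addr);
  }
  return hits;
}

const isLoopback = (addr) => addr === '::1' || /^127\.\d+\.\d+\.\d+$/.test(addr);

// rebindPrecondition: unpatched runtime AND "localhost6" left to DNS resolution.
function assess(version, hostsText) {
  const addrs = hostsLookup(hostsText, 'localhost6');
  const pinned = addrs.length > 0 && addrs.every(isLoopback);
  const affected = isAffected(version);
  return { affected, localhost6Pinned: pinned, rebindPrecondition: affected && !pinned };
}

// Constructed sample hosts content; on a real host, read /etc/hosts instead.
const SAMPLE_HOSTS = `127.0.0.1 localhost localhost.localdomain
::1 localhost localhost6 localhost6.localdomain6  # constructed entry
`;
console.log(assess(process.version, SAMPLE_HOSTS));
```

The `rebindPrecondition` flag is only relevant to processes started with `--inspect`; `affected` applies to both CVEs listed above.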

Modularity name: nodejs
Stream name: 12

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-2.0.3-1.module+el8+1213+b734b9a5.src.rpm
    MD5: 4e793363adaa436703ce265a02870b0f
    SHA-256: f7ee6bb8ae8d28e0c666e64b224f56d8c7d5efaa8ac65336167dcb39986d0eb0
    Size: 1.15 MB
  2. nodejs-packaging-17-3.module+el8+1213+b734b9a5.src.rpm
    MD5: f2774425ac464957e3156930320bbaa3
    SHA-256: a91fae7435fe59173c530cd0dd15d2c944bc4066cf7b11002ac72fdb85659fb0
    Size: 20.66 kB
  3. nodejs-12.21.0-1.module+el8+1213+b734b9a5.src.rpm
    MD5: b40e09191cdd0eb1831b07de60c87b24
    SHA-256: c6fc5958d08248c3e434d52e0770896420636a3be238dc84c08e723d206bd5ee
    Size: 55.77 MB

Asianux Server 8 for x86_64
  1. nodejs-nodemon-2.0.3-1.module+el8+1213+b734b9a5.noarch.rpm
    MD5: fd61f448a8588bac79ae59a87926a5c4
    SHA-256: 1359d851a49cdbae2015913f55f6f69019474d159537e83f757c4558f4e21d4c
    Size: 806.99 kB
  2. nodejs-packaging-17-3.module+el8+1213+b734b9a5.noarch.rpm
    MD5: 5187738f532e0698fb719e891c02c4a3
    SHA-256: 441309f0f68494107c70290e139947f2f7ab49694729a687f8672ea7ec788e72
    Size: 18.43 kB
  3. nodejs-12.21.0-1.module+el8+1213+b734b9a5.x86_64.rpm
    MD5: dbe333130cf0d3289e2bca88127cd2d9
    SHA-256: ffdd4f3259f0900de4b632d664ef555adc5899a2f59f619f9b5375afd4250fa1
    Size: 10.12 MB
  4. nodejs-debugsource-12.21.0-1.module+el8+1213+b734b9a5.x86_64.rpm
    MD5: dea623f23868283b2ab82d05f76189c9
    SHA-256: 63c01c76023c8c606c532189a7f5e7a147337ec042c2f3295983c7ec33d08a3c
    Size: 10.34 MB
  5. nodejs-devel-12.21.0-1.module+el8+1213+b734b9a5.x86_64.rpm
    MD5: 085fdd61503f88a3729cba31c876276e
    SHA-256: 808bc9b7cb3fb20bf08b82f9ade6d47d1e016a0625f885d861e742bf82264da8
    Size: 174.93 kB
  6. nodejs-docs-12.21.0-1.module+el8+1213+b734b9a5.noarch.rpm
    MD5: e88d48838b4fb7f028dec216b44409c9
    SHA-256: 8f41d368fadeb21cdaf07cc5b88277548449a5015d4bcaffc61654dffa98b649
    Size: 4.09 MB
  7. nodejs-full-i18n-12.21.0-1.module+el8+1213+b734b9a5.x86_64.rpm
    MD5: 956595b236ce8ddc8801e5b015ec7e8f
    SHA-256: 32fc51c0bed75b80042b7c1882ee2f9e550ebd37ba0b9e4397cb0edb4e7a53b2
    Size: 7.49 MB
  8. npm-6.14.11-1.12.21.0.1.module+el8+1213+b734b9a5.x86_64.rpm
    MD5: b3f0334ffa3c4d8c7f6ac613620d0a56
    SHA-256: e38ed5c55cbeebee39f0575cb9188cf06f245a5110dae2c2697494de0a9b2c3b
    Size: 3.67 MB