nodejs:14 security and bug fix update
Errata ID: AXSA:2021-1568:01
Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: nodejs
(14.16.0).
Security Fix(es):
* nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion
(CVE-2021-22883)
* nodejs: DNS rebinding in --inspect (CVE-2021-22884)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.
Bug Fix(es):
* Node.js should not be built with "--debug-nghttp2"
CVE(s):
CVE-2021-22883
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial
of service attack when too many connection attempts with an 'unknownProtocol'
are established. This leads to a leak of file descriptors. If a file descriptor
limit is configured on the system, the server becomes unable to accept new
connections and the process is also prevented from opening, for example, a file.
If no file descriptor limit is configured, this leads to excessive memory usage
and causes the system to run out of memory.
CVE-2021-22884
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS
rebinding attacks because the whitelist includes "localhost6". When
"localhost6" is not present in /etc/hosts, it is just an ordinary
domain that is resolved via DNS, i.e., over the network. If the attacker controls
the victim's DNS server or can spoof its responses, the DNS rebinding protection
can be bypassed by using the "localhost6" domain. As long as the
attacker uses the "localhost6" domain, they can still apply the
attack described in CVE-2018-7160.
Modularity name: nodejs
Stream name: 14
Update packages.
SRPMS
- nodejs-nodemon-2.0.3-1.module+el8+1221+618c6279.src.rpm
MD5: a8fadfbffaf473a135ab264fa5c3109d
SHA-256: 6b93ca19cbc837a5348462aa6f7e07f1154af919d9578189258e870295982518
Size: 1.15 MB
- nodejs-packaging-23-3.module+el8+1221+618c6279.src.rpm
MD5: 810a7ecae3681b6677b45a40c0eb23f6
SHA-256: 44b3d93ddd488e6506d1358abdb7ccb050ac2e561555b216c8a025d1915e1adf
Size: 26.56 kB
- nodejs-14.16.0-2.module+el8+1221+618c6279.src.rpm
MD5: 7639d09c674f3b59e14fc722f490984c
SHA-256: e15c43ff02f48450a2c3bd473dccfe582c9d778d40b7c7fa52c99032da9809f6
Size: 65.30 MB
Asianux Server 8 for x86_64
- nodejs-nodemon-2.0.3-1.module+el8+1221+618c6279.noarch.rpm
MD5: 57d76d0f0b0142e38fc387f0746b739c
SHA-256: 507547e5316831e04e85fad64436c07c29630363d7408969536ca1672fb04d30
Size: 806.99 kB
- nodejs-packaging-23-3.module+el8+1221+618c6279.noarch.rpm
MD5: 4f6841d14f3797af2b36c98b0c9bc775
SHA-256: bb69d1e8b228569b521400b49ac99a45f25a6eca456aa058a9c916cef8ab3fb9
Size: 23.02 kB
- nodejs-14.16.0-2.module+el8+1221+618c6279.x86_64.rpm
MD5: d2968e03dbdc69bd98a03a3dfa0dcd99
SHA-256: ab1117b4016cc468a298d3d1c4f959c5cc568ca2456b7111f877909e3b30f44a
Size: 10.61 MB
- nodejs-debugsource-14.16.0-2.module+el8+1221+618c6279.x86_64.rpm
MD5: cd8604c34e55b29564b9870a43ae4873
SHA-256: 3604f9fe028c16c8be9019ba4d23db7cd1751c6ceb6efe1f62be4ec1510d2401
Size: 10.78 MB
- nodejs-devel-14.16.0-2.module+el8+1221+618c6279.x86_64.rpm
MD5: 4d76170264857d84a8e1e7dab6582c4a
SHA-256: f601eb46f807a28b9e40201acf68dc11521cc2822c6d455e2305122821d14c5c
Size: 200.23 kB
- nodejs-docs-14.16.0-2.module+el8+1221+618c6279.noarch.rpm
MD5: bf64c848507e6587cc1f7a77efa531b0
SHA-256: 2dc2d6ab56c4f727a4b471d55e89b10ad1098bbd726f06e3674131a65de1e798
Size: 7.92 MB
- nodejs-full-i18n-14.16.0-2.module+el8+1221+618c6279.x86_64.rpm
MD5: 52189cd111032321f3ff1620f7d8e5ef
SHA-256: 8337d30894378c4a660f74e71aa1b948ae3a365f2fe4d89b2a5b274044557277
Size: 7.49 MB
- npm-6.14.11-1.14.16.0.2.module+el8+1221+618c6279.x86_64.rpm
MD5: 5b0408f198a2668fec9e80a4125046f6
SHA-256: d71e41a64179909f5a182d9d33300ff3605089826bd7a06a93988f58f871fcc8
Size: 3.67 MB