nodejs:12 security, bug fix, and enhancement update

Errata ID: AXSA:2021-2333:01

Release date: Wednesday, August 11, 2021 - 10:49
Subject: nodejs:12 security, bug fix, and enhancement update
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (12.22.3). (BZ#1978201)

Security Fix(es):

* nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362)
* nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290)
* libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes (CVE-2021-22918)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2021-22918
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().
CVE-2021-23362
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVE-2021-27290
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Modularity name: [security-medium]nodejs
Stream name: 12

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-2.0.3-1.module+el8+1285+cf272194.src.rpm
    MD5: 25fb2d9b9b338f0353d85f0feaef9dda
    SHA-256: b713fc9d9cea9487a7a4e55fabb1252bd501c4b95df5e888bd7ce694ad470ad9
    Size: 1.15 MB
  2. nodejs-packaging-17-3.module+el8+1285+cf272194.src.rpm
    MD5: be9d46eb502c90583d86dcc78e6acca1
    SHA-256: 179013c4a9cd27ff9394e04ff95dd38946d1e088fff105cf0a185b430fe84ff8
    Size: 20.66 kB
  3. nodejs-12.22.3-2.module+el8+1285+cf272194.src.rpm
    MD5: 13bd3a29331dd0856e8ba1df6c35050b
    SHA-256: 6ab892d49f26845dcd51a120c96dead14f800ef63d4c017711f1de75bc038829
    Size: 55.80 MB

Asianux Server 8 for x86_64
  1. nodejs-nodemon-2.0.3-1.module+el8+1285+cf272194.noarch.rpm
    MD5: fc79b5592c02af2b08b09f638be199ee
    SHA-256: 09ddc5ffa0b21b5707b3678408f5884e27b03482eab5159a4b898ba4fbced75c
    Size: 806.99 kB
  2. nodejs-packaging-17-3.module+el8+1285+cf272194.noarch.rpm
    MD5: a684335bbe75d393e9a87214f45644af
    SHA-256: 2ddfe229a0bbb27be55929c39e08987b1b2a7655679e35dc9069129e103a3050
    Size: 18.41 kB
  3. nodejs-12.22.3-2.module+el8+1285+cf272194.x86_64.rpm
    MD5: 75de547e86eb16b392d8f025d436af3a
    SHA-256: a399886839d4265e57ff65e297ed6cc431cfc77011de3cc1e49afcb438664e64
    Size: 10.13 MB
  4. nodejs-debugsource-12.22.3-2.module+el8+1285+cf272194.x86_64.rpm
    MD5: f610b40fc447e118cc1b1578c6a8483f
    SHA-256: ac4617deebec51e5541cdd23174f61cd3b1049e1a6d000472fff7f28cac64a08
    Size: 10.35 MB
  5. nodejs-devel-12.22.3-2.module+el8+1285+cf272194.x86_64.rpm
    MD5: 89a69e03cd410ac85dbde18f9648577a
    SHA-256: 03b3626a7383fea63c4735202fe368750c49d8db6bf5b452cb75d7ecc85c812d
    Size: 175.28 kB
  6. nodejs-docs-12.22.3-2.module+el8+1285+cf272194.noarch.rpm
    MD5: 1aadfdd5508c629c5abb023d4446f624
    SHA-256: cdf31e2e26842bbf4f1252974cd3ffb68f4c95b5d2dee3e16cd735260f488e1d
    Size: 4.10 MB
  7. nodejs-full-i18n-12.22.3-2.module+el8+1285+cf272194.x86_64.rpm
    MD5: 51b4a076df6f8d7be9136437a3153521
    SHA-256: 3d80365f25fdf408138e8fdf9d65eb5fbd09f5309cdc69e6a7dba1e242f5cec1
    Size: 7.49 MB
  8. npm-6.14.13-1.12.22.3.2.module+el8+1285+cf272194.x86_64.rpm
    MD5: 85e030ef9e019564efcb42343253008a
    SHA-256: 7cada8ffadf6b98d6dfd893ffbf12533cbbdeee27f4443a9bc51958efbfea65b
    Size: 3.67 MB