nodejs:14 security, bug fix, and enhancement update

Errata ID: AXSA:2021-2343:01

Release date: 
Thursday, August 12, 2021 - 03:10
Subject: 
nodejs:14 security, bug fix, and enhancement update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (14.17.3).

Security Fix(es):

* nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362)
* nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290)
* libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes (CVE-2021-22918)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2021-22918
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().
CVE-2021-23362
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVE-2021-27290
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
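
The bug class described for CVE-2021-22918, as an added C illustration (not libuv source and not part of the advisory): a UTF-8 decoder that advances p without comparing it to pe, next to a version that checks before each read. The function names and sample bytes are constructed for this example.

```c
/* Added illustration of the bug class; not libuv source. Names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked: continuation bytes are read and the pointer advanced without
 * comparing against pe, so a sequence truncated at the end of the buffer
 * makes the loop read past it. */
int32_t decode_unchecked(const unsigned char **p, const unsigned char *pe) {
  uint32_t a = *(*p)++;
  int n = a >= 0xF0 ? 3 : a >= 0xE0 ? 2 : a >= 0xC0 ? 1 : 0;
  (void) pe;                              /* end pointer never consulted */
  if (n) a &= 0x3Fu >> n;
  while (n-- > 0) a = (a << 6) | (*(*p)++ & 0x3Fu);  /* may pass pe */
  return (int32_t) a;
}

/* Checked: every read is preceded by a comparison with pe. Returns the code
 * point, or -1 on empty, truncated or malformed input. Overlong and surrogate
 * checks are left out to keep the focus on bounds. */
int32_t decode_checked(const unsigned char **p, const unsigned char *pe) {
  const unsigned char *s = *p;
  uint32_t a;
  int n;
  if (s >= pe) return -1;
  a = *s++;
  if (a >= 0x80) {
    if (a < 0xC2 || a > 0xF4) { *p = s; return -1; }      /* bad lead byte */
    n = a >= 0xF0 ? 3 : a >= 0xE0 ? 2 : 1;
    if ((size_t) (pe - s) < (size_t) n) { *p = pe; return -1; } /* truncated */
    a &= 0x3Fu >> n;
    while (n-- > 0) {
      if ((*s & 0xC0) != 0x80) { *p = s; return -1; }     /* not a continuation */
      a = (a << 6) | (*s++ & 0x3Fu);
    }
  }
  *p = s;
  return (int32_t) a;
}

int main(void) {
  /* Constructed input: "a", U+00E9 (C3 A9), then a 3-byte lead cut short. */
  const unsigned char buf[] = { 'a', 0xC3, 0xA9, 0xE2, 0x82 };
  const unsigned char *p = buf, *pe = buf + sizeof(buf);
  while (p < pe) printf("%d\n", (int) decode_checked(&p, pe));
  return 0;
}
```

On every error path the checked version still moves the caller's pointer forward (to pe for a truncated sequence), so a loop over the buffer always terminates.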

Modularity name: nodejs
Stream name: 14

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-2.0.3-1.module+el8+1286+5afcba67.src.rpm
    MD5: 2bf6b3ab4397f92b328bdea7465f7181
    SHA-256: 9fbf8ff0f63cb79917612acd942e979e3aa9f2589bc603e512477881aa5e7e8f
    Size: 1.15 MB
  2. nodejs-packaging-23-3.module+el8+1286+5afcba67.src.rpm
    MD5: 08208c7394a30fe85e05044aed068db4
    SHA-256: 440e866bb1df4c8470249922a66307b0d8d358ce3bd034d6fbd5304fe3341164
    Size: 26.56 kB
  3. nodejs-14.17.3-2.module+el8+1286+5afcba67.src.rpm
    MD5: 3d36d8c7f66fd79f8709343645cc41a2
    SHA-256: f8940ae0a0a079f2165061d5eb7f9d5c75daeb445ff3dab58671e93b6d081f76
    Size: 66.13 MB

Asianux Server 8 for x86_64
  1. nodejs-nodemon-2.0.3-1.module+el8+1286+5afcba67.noarch.rpm
    MD5: 8f49a46f73795c3ec7a64668029bd5a4
    SHA-256: f829a9baa8bfc144c236e6fbeabd786c540af85330de0e1039693227615bc6d7
    Size: 807.00 kB
  2. nodejs-packaging-23-3.module+el8+1286+5afcba67.noarch.rpm
    MD5: a91b63fa369a0fc8715342d2a59597c9
    SHA-256: c98c555a46fa9bb814790246292c10fddd68b58fc9d6e0b35e19c880a7aac961
    Size: 23.00 kB
  3. nodejs-14.17.3-2.module+el8+1286+5afcba67.x86_64.rpm
    MD5: 4b4952737d7d59d3a2dcc1455eef4cfa
    SHA-256: 1f510a9377d670bf35a5bd804dd6eaae971c51c60ddb8b302595df95f1abb5cd
    Size: 10.74 MB
  4. nodejs-debugsource-14.17.3-2.module+el8+1286+5afcba67.x86_64.rpm
    MD5: fabb9ff483a2861ede7550c2926587f8
    SHA-256: 97e4c6bd92558b4777a5820b45e967014915caf298319383fc77affbe7ac9e1f
    Size: 10.93 MB
  5. nodejs-devel-14.17.3-2.module+el8+1286+5afcba67.x86_64.rpm
    MD5: 4f07360425c3f38c0cb4b754665cb388
    SHA-256: 4b42a3d4145667777d1e0054f361084f7b66fc9d84f1cda38b00e6fda8ee6151
    Size: 200.93 kB
  6. nodejs-docs-14.17.3-2.module+el8+1286+5afcba67.noarch.rpm
    MD5: 85340be43e38546fb83ab4e0090d7bbb
    SHA-256: 90009ab015789c544cbc2a5abeaae87b69c38be893e276ab54ec831241369228
    Size: 8.14 MB
  7. nodejs-full-i18n-14.17.3-2.module+el8+1286+5afcba67.x86_64.rpm
    MD5: 08d9cbf00168d0200b1bbb1f5e9ee608
    SHA-256: 01a595c02bf15ae7fccf8626e24bebe98d8664298fbfeabbcfe0e67913b20a5b
    Size: 7.61 MB
  8. npm-6.14.13-1.14.17.3.2.module+el8+1286+5afcba67.x86_64.rpm
    MD5: 83888d7a1905d154e77d2855291806aa
    SHA-256: 667d058d711cfade71809a7cdc02e5d341976e9de367293802ff97f0190fcddf
    Size: 3.67 MB