AXSA:2021-2440:01

Release date: 
Wednesday, September 22, 2021 - 11:35
Subject: 
nodejs:12 security and bug fix update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

* nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930)
* nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940)
* c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672)
* nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931)
* nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803)
* nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804)
* nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939)
* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* nodejs:12/nodejs: Make FIPS options always available

CVE-2021-22930
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2021-22931
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.
CVE-2021-22939
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
CVE-2021-22940
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-23343
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
CVE-2021-32803
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
CVE-2021-32804
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.
CVE-2021-3672
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Modularity name: nodejs
Stream name: 12

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-2.0.3-1.module+el8+1305+de9ef142.src.rpm
    MD5: 2f1c96757530b8d098fbb10d945628ce
    SHA-256: c06db464eb4ac7f79caa2e2c65c2857a79396e44de3c1d2341eeaa26969d5322
    Size: 1.15 MB
  2. nodejs-packaging-17-3.module+el8+1305+de9ef142.src.rpm
    MD5: 31a22f36fcb2ac58fa06fe46d45d2886
    SHA-256: 8ccc07f914c3c6c8261a412127a68ad8b31dea732b11bf5d43c976b67cb2ede1
    Size: 20.66 kB
  3. nodejs-12.22.5-1.module+el8+1305+de9ef142.src.rpm
    MD5: ffaf8c90a6d4030fc72359bd4f9006fb
    SHA-256: 118e1f05983fffe148ae24917e209ea77ba6a45ce3913075281446d2b45761b3
    Size: 55.81 MB

Asianux Server 8 for x86_64
  1. nodejs-nodemon-2.0.3-1.module+el8+1305+de9ef142.noarch.rpm
    MD5: f78cd08952a9b98484d8a6f4d2e0ac19
    SHA-256: 9d3f0a7ac335735b69b4266a750001777f28292d3b117452009e69a2b79d4f17
    Size: 806.99 kB
  2. nodejs-packaging-17-3.module+el8+1305+de9ef142.noarch.rpm
    MD5: 41822336d781e1091b63bc7fbad73ba0
    SHA-256: 082968ecaa1d8438c03219d6c659e75039b047655a6bfd97721ec126aee5f7ae
    Size: 18.41 kB
  3. nodejs-12.22.5-1.module+el8+1305+de9ef142.x86_64.rpm
    MD5: cd56aa632f8d1fade2470dab65338bc6
    SHA-256: c5be7a2394292ea60301d3e467ca3550a27eacf1907045dab96e15bcf356d6f9
    Size: 10.13 MB
  4. nodejs-debugsource-12.22.5-1.module+el8+1305+de9ef142.x86_64.rpm
    MD5: d7b01dae58b445984bbe60ffd6152b00
    SHA-256: be7aac8cd0fe76faf619ed4c61352fbf714703d9f29254b69e3fce34c44c1822
    Size: 10.36 MB
  5. nodejs-devel-12.22.5-1.module+el8+1305+de9ef142.x86_64.rpm
    MD5: e19cf0d53345406e47b86ffd90552e98
    SHA-256: 37dcdad1b330179e05c63378c4409db687ca80901e3f29da145bfcacf4e6dc36
    Size: 175.87 kB
  6. nodejs-docs-12.22.5-1.module+el8+1305+de9ef142.noarch.rpm
    MD5: 4d9292e4e34ccc4d1b4571ee2c97e801
    SHA-256: 510b0710d8e31c61085a21b4a5f616f1bf5eb6240a44892d13977a198ce63db4
    Size: 4.10 MB
  7. nodejs-full-i18n-12.22.5-1.module+el8+1305+de9ef142.x86_64.rpm
    MD5: 7ee3fc47ba79f21d465e7638690e7bc3
    SHA-256: 8e81b97f758ce8d9f322c52e251dc7df92de1d1fbabf0175117881982e8492dd
    Size: 7.49 MB
  8. npm-6.14.14-1.12.22.5.1.module+el8+1305+de9ef142.x86_64.rpm
    MD5: 4996a877669bc6ae41619b82377f9ec6
    SHA-256: 95843799e87cdef9b8e9b9590f163aa951557ccac43703edf5986d8efab8d827
    Size: 3.67 MB
Copyright© 2007-2015 Asianux. All rights reserved.