nodejs:16 security update

エラータID: AXSA:2022-3781:01

Release date: 
Thursday, September 1, 2022 - 06:39
Subject: 
nodejs:16 security update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

* npm: npm ci succeeds when package-lock.json doesn't match package.json (CVE-2021-43616)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2021-43616
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.

Modularity name: nodejs
Stream name: 16

Solution: 

Update packages.

CVEs: 
CVE-2021-43616
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.
Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-2.0.15-1.module+el8+1508+b857f742.src.rpm
    MD5: d8e7f02d933d8db9704f811ab9634c05
    SHA-256: f41465bd11ac9b42b68fd8083b628fb1bd63d5d62ce57cac14d1da6deb99af12
    Size: 730.27 kB
  2. nodejs-packaging-25-1.module+el8+1508+b857f742.src.rpm
    MD5: ecd63a5285a36f854717d8e47f5bdddb
    SHA-256: 833acdb5c830645c300c64f1b3054f87caccd1ef21b0f936ebeea9e7b39a67a5
    Size: 26.81 kB
  3. nodejs-16.14.0-4.module+el8+1508+b857f742.src.rpm
    MD5: 34c19dde6982fda409562f1c601b488c
    SHA-256: 3f23584ff3cc98aa499eea20f2cbb4820a6bd3d67e2614d99e1ebd25601a2191
    Size: 67.88 MB

Asianux Server 8 for x86_64
  1. nodejs-nodemon-2.0.15-1.module+el8+1508+b857f742.noarch.rpm
    MD5: f2629a8bf75ea8da512fbb36f220208f
    SHA-256: ded8db4432b184e484ef9a1a4cbbb11b564c69a0e728ea7274fff1c100687a43
    Size: 578.85 kB
  2. nodejs-packaging-25-1.module+el8+1508+b857f742.noarch.rpm
    MD5: 78d682978b1ad7a9f091526703009b6c
    SHA-256: 86faf6d81fac24cbcd1d5b9bcd6ca33f6ea6cc2889661ffe85103500d9060989
    Size: 23.19 kB
  3. nodejs-16.14.0-4.module+el8+1508+b857f742.x86_64.rpm
    MD5: 832c223f97f814080420432d80aa740f
    SHA-256: 50bd3674bebf2f39c3cf1ef0216abbac8704004f2ae1fc5b2170b995b4f2c396
    Size: 12.15 MB
  4. nodejs-debugsource-16.14.0-4.module+el8+1508+b857f742.x86_64.rpm
    MD5: 9d24f6638219f4c75cf4cca0115b062e
    SHA-256: 216a8fb4cacfcad781e45005a0a1efb5a7feb55555e3b56a89639547e667df79
    Size: 12.61 MB
  5. nodejs-devel-16.14.0-4.module+el8+1508+b857f742.x86_64.rpm
    MD5: 8b46381f957ad06f46f6bec0b71e533e
    SHA-256: 5e3a95fd1deaf3575ea26fa8ce690b4a0c301f5576f081cae1d3723b297fe8d0
    Size: 189.68 kB
  6. nodejs-docs-16.14.0-4.module+el8+1508+b857f742.noarch.rpm
    MD5: c78b4d6f48d9c1a053237eee5187e086
    SHA-256: 73a78a24372d56750a4aecf85e47075e16ad518760a2fa95420896946d9e74b6
    Size: 8.91 MB
  7. nodejs-full-i18n-16.14.0-4.module+el8+1508+b857f742.x86_64.rpm
    MD5: dd271a00ae6e70e15e0b89052b52da25
    SHA-256: 70e4beeb72f2c0655700873df95fc4b221a718b6d17b77c97a739e00810bb113
    Size: 7.85 MB
  8. npm-8.3.1-1.16.14.0.4.module+el8+1508+b857f742.x86_64.rpm
    MD5: c154e491ab63d2c2f35b95f362412ba9
    SHA-256: 873715842fd452105a7572c9e6e4fedf41d16e1e251f0508aeb16715414a666c
    Size: 1.86 MB