nodejs:14 security and bug fix update

Errata ID: AXSA:2022-3839:01

Release date: Wednesday, September 14, 2022 - 08:58
Subject: nodejs:14 security and bug fix update
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

* nodejs: DNS rebinding in --inspect via invalid IP addresses (CVE-2022-32212)
* nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding (CVE-2022-32213)
* nodejs: HTTP request smuggling due to improper delimiting of header fields (CVE-2022-32214)
* nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding (CVE-2022-32215)
* got: missing verification of requested URLs allows redirects to UNIX sockets (CVE-2022-33987)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* nodejs:14/nodejs: rebase to latest upstream release
* nodejs:14/nodejs: Specify --with-default-icu-data-dir when using bootstrap build

CVE-2022-32212
An OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests, allowing rebinding attacks.
CVE-2022-32213
The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
CVE-2022-32214
The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
CVE-2022-32215
The llhttp parser in the http module in Node v17.6.0 does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
CVE-2022-33987
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
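CVE-2022-32213, CVE-2022-32214 and CVE-2022-32215 are all parser-disagreement bugs: two components reading the same bytes reach different conclusions about where a header line ends, whether a Transfer-Encoding header continues on the next line, and what the Transfer-Encoding value means. The block below is an added example, not llhttp or Node.js code: a strict validator for the head of a raw HTTP/1.1 request that refuses every such ambiguity outright (bare CR/LF delimiters, obs-fold continuation lines, unknown or repeated transfer codings, and Transfer-Encoding combined with Content-Length). The sample requests are constructed for the example; the function names are assumptions.

```javascript
// Added example (illustrative validator, not the llhttp parser).
const KNOWN_CODINGS = new Set(['chunked', 'gzip', 'x-gzip', 'deflate', 'compress', 'x-compress', 'identity']);

// Returns { ok: true, headers } or { ok: false, reason }.
function validateRequestHead(raw) {
  // 1. Delimiting (CVE-2022-32214): accept only CRLF. A bare LF or bare CR
  //    lets two parsers disagree on where a line, or the whole head, ends.
  const end = raw.indexOf('\r\n\r\n');
  if (end === -1) return { ok: false, reason: 'head not terminated by CRLFCRLF' };
  const head = raw.slice(0, end);
  if (/\r(?!\n)|(?<!\r)\n/.test(head)) return { ok: false, reason: 'bare CR or LF in head' };

  const lines = head.split('\r\n');
  const requestLine = lines.shift();
  if (!/^[A-Z]+ \S+ HTTP\/1\.[01]$/.test(requestLine)) return { ok: false, reason: 'malformed request line' };

  const headers = new Map();
  for (const line of lines) {
    // 2. Folding (CVE-2022-32215): a continuation line would let a header such
    //    as Transfer-Encoding span several lines; refuse it rather than join it.
    if (/^[ \t]/.test(line)) return { ok: false, reason: 'obs-fold continuation line' };
    // token ":" OWS value OWS; no whitespace allowed between name and colon.
    const m = /^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$/.exec(line);
    if (!m) return { ok: false, reason: 'malformed header line: ' + JSON.stringify(line) };
    const name = m[1].toLowerCase();
    // Repeated headers are merged with commas, which makes a duplicated
    // Content-Length or Transfer-Encoding fail the checks below.
    headers.set(name, headers.has(name) ? headers.get(name) + ', ' + m[2] : m[2]);
  }

  // 3. Transfer-Encoding value (CVE-2022-32213): every coding must be a known
  //    token, "chunked" must appear exactly once and last, and the header must
  //    never be combined with Content-Length.
  if (headers.has('transfer-encoding')) {
    if (headers.has('content-length')) return { ok: false, reason: 'Transfer-Encoding with Content-Length' };
    const codings = headers.get('transfer-encoding').split(',').map(s => s.trim().toLowerCase());
    if (codings.some(c => !KNOWN_CODINGS.has(c))) return { ok: false, reason: 'unknown transfer coding' };
    if (codings.filter(c => c === 'chunked').length !== 1 || codings[codings.length - 1] !== 'chunked') {
      return { ok: false, reason: 'chunked must be the single, final coding' };
    }
  }
  if (headers.has('content-length') && !/^\d+$/.test(headers.get('content-length'))) {
    return { ok: false, reason: 'non-numeric Content-Length' };
  }
  return { ok: true, headers };
}

// Convenience: the rejection reason, or null when the head is accepted.
function rejectionReason(raw) {
  const r = validateRequestHead(raw);
  return r.ok ? null : r.reason;
}

// Constructed sample requests (not taken from the advisory), one per check.
const SAMPLES = {
  clean:     'POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n',
  bareLf:    'POST /upload HTTP/1.1\r\nHost: app.example\nTransfer-Encoding: chunked\r\n\r\n',
  folded:    'POST /upload HTTP/1.1\r\nTransfer-Encoding: gzip\r\n chunked\r\n\r\n',
  badCoding: 'POST /upload HTTP/1.1\r\nTransfer-Encoding: chunked, unknownenc\r\n\r\n',
  teWithCl:  'POST /upload HTTP/1.1\r\nTransfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n',
};

for (const [name, raw] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(10), rejectionReason(raw) || 'accepted');
}
```

Rejecting instead of "repairing" is the point: the advisory's three bugs are all cases where a lenient parser normalised malformed input into something a neighbouring parser read differently. A validator like this one, placed in a front proxy or run over captured request heads, surfaces such input as a hard error that can be logged and alerted on.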

Modularity name: nodejs
Stream name: 14

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-2.0.19-2.module+el8+1521+b678da86.src.rpm
    MD5: 2a8b9f4f49aca27c3c68fd80aab18502
    SHA-256: 1b9f259f36cfdd98d49bb7b0eea7c284da5c752b9614e0a5146a6ce90792a267
    Size: 394.65 kB
  2. nodejs-packaging-23-3.module+el8+1521+b678da86.src.rpm
    MD5: 8c32d7cf0aa88c7ae2285a8177b1e80b
    SHA-256: 56e477d92f022695f47ba8d3febce7dbb51748188c519f7bd786de991c85b453
    Size: 26.54 kB
  3. nodejs-14.20.0-2.module+el8+1521+b678da86.src.rpm
    MD5: 6b10a6c51a9d04af6d284115aab18341
    SHA-256: da52fefd11fe27d85b8477251bac50d02979be788ded86db2e7aec6345bd7f69
    Size: 67.96 MB

Asianux Server 8 for x86_64
  1. nodejs-nodemon-2.0.19-2.module+el8+1521+b678da86.noarch.rpm
    MD5: e7a9e3083b51948579391eaaebd4eb6a
    SHA-256: 829aaa43b79ef6ac0bbde6680dab39c1a822026e6a6ff4197cca4b39f681567f
    Size: 271.46 kB
  2. nodejs-packaging-23-3.module+el8+1521+b678da86.noarch.rpm
    MD5: 9ecb43fc62443220196a5136c703db7a
    SHA-256: cda568bb621c8e9c6701037b41959dec97425f54ad6dbf51a5cbaab451c960e6
    Size: 22.98 kB
  3. nodejs-14.20.0-2.module+el8+1521+b678da86.x86_64.rpm
    MD5: e878b9e33ff50c14ed6179f9a88ebcc6
    SHA-256: 1d40aed8087045407ab3044fe571f4bb8a0cc74f68d8db32dd5633a656597477
    Size: 10.85 MB
  4. nodejs-debugsource-14.20.0-2.module+el8+1521+b678da86.x86_64.rpm
    MD5: 29b6e12c5388ccdac86ad019a75d6932
    SHA-256: d5c794f472b8eef8c0fc582add3d61dad7b59f6e5bc567cd82c9d8cb05f6f358
    Size: 11.06 MB
  5. nodejs-devel-14.20.0-2.module+el8+1521+b678da86.x86_64.rpm
    MD5: ab136e7cd4b3c6cfda6c5a3f4eaeb1a9
    SHA-256: 291385880212b4d3e318cdc1dc47aefbb202ee6f9cc5838f012080d44a451bc0
    Size: 204.75 kB
  6. nodejs-docs-14.20.0-2.module+el8+1521+b678da86.noarch.rpm
    MD5: a6028c8821e4016cf33eb98f9294af67
    SHA-256: dee6e73a385715375c4c20093f8ade95ad24467d47d2f0114a12e2f53b4f3e68
    Size: 8.37 MB
  7. nodejs-full-i18n-14.20.0-2.module+el8+1521+b678da86.x86_64.rpm
    MD5: b8c9bac50f8c6b954446befd429f625b
    SHA-256: 83ea3acc8c5996bbd848e696dffe477b06b317fe20426dbe1cb5402b978fc47c
    Size: 7.85 MB
  8. npm-6.14.17-1.14.20.0.2.module+el8+1521+b678da86.x86_64.rpm
    MD5: 558ed0e98f82dab74fdc61631f97adcf
    SHA-256: b5075870e80e64a787b0cb9ca2405e29eb2aa3e0a216a3498f5773c4c9a47f17
    Size: 3.66 MB