nodejs:16 security and bug fix update

Errata ID: AXSA:2022-3844:01

Release date: Thursday, September 15, 2022 - 00:56
Subject: nodejs:16 security and bug fix update
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
* nodejs: DNS rebinding in --inspect via invalid IP addresses (CVE-2022-32212)
* nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding (CVE-2022-32213)
* nodejs: HTTP request smuggling due to improper delimiting of header fields (CVE-2022-32214)
* nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding (CVE-2022-32215)
* got: missing verification of requested URLs allows redirects to UNIX sockets (CVE-2022-33987)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* nodejs:16/nodejs: rebase to latest upstream release
* nodejs:16/nodejs: Specify --with-default-icu-data-dir when using bootstrap build

CVE-2021-3807: ansi-regex is vulnerable to Inefficient Regular Expression Complexity.
CVE-2022-32212: An OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests, allowing rebinding attacks.
CVE-2022-32213: The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
CVE-2022-32214: The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
CVE-2022-32215: The llhttp parser in the http module in Node v17.6.0 does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
CVE-2022-33987: The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
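As an added illustration, not part of this advisory, the following Node.js helper classifies a Node.js version string against the fixed releases stated for CVE-2022-32212 (14.20.0, 16.16.0, 18.5.0), so a fleet inventory can be audited before and after applying the update. The function names, the handling of rpm-style "16.16.0-3" strings and the sample inventory are assumptions of this example.

```javascript
// Added example, not part of the advisory: classify a Node.js version string
// against the fix thresholds stated for CVE-2022-32212 (<14.20.0, <16.16.0, <18.5.0).
// Function names and the handling of rpm-style "16.16.0-3" strings are assumptions.

// First fixed release per affected major line, taken from the CVE text above.
const CVE_2022_32212_FIXED = { 14: [14, 20, 0], 16: [16, 16, 0], 18: [18, 5, 0] };

// Parse "v16.15.1", "16.15.1" or an rpm-style "16.16.0-3" into [major, minor, patch].
// Throws on anything that does not look like a version, so bad inventory data
// is never silently treated as "not affected".
function parseNodeVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-\S+)?$/.exec(String(raw).trim());
  if (!m) throw new Error(`unparseable Node.js version: ${raw}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch]; negative when a < b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// "affected" when the version is below the fixed release of its own major line,
// "fixed" otherwise. Majors the CVE text does not list (e.g. 12 or 17) are
// reported as "unknown" rather than assumed safe.
function cve202232212Status(raw) {
  const v = parseNodeVersion(raw);
  const fixed = CVE_2022_32212_FIXED[v[0]];
  if (!fixed) return 'unknown';
  return compareVersions(v, fixed) < 0 ? 'affected' : 'fixed';
}

// Constructed sample inventory (hostnames and versions are made up).
const SAMPLE_INVENTORY = [
  ['web-01', 'v16.15.1'],
  ['web-02', '16.16.0-3'], // the package version shipped by this advisory
  ['api-01', 'v14.19.3'],
  ['api-02', 'v18.5.0'],
  ['legacy-01', 'v12.22.12'],
];

// Returns [host, version, status] rows for every entry in the inventory.
function auditInventory(inventory) {
  return inventory.map(([host, ver]) => [host, ver, cve202232212Status(ver)]);
}

for (const row of auditInventory(SAMPLE_INVENTORY)) console.log(row.join('\t'));
```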

Modularity name: nodejs
Stream name: 16

Solution: Update packages.

Additional Info: N/A

Download:

SRPMS
  1. nodejs-nodemon-2.0.19-2.module+el8+1522+3bc04569.src.rpm
    MD5: a066901a1e68f00536b396359ee75986
    SHA-256: 545267651525ed250964effe02f94ba3cb67d10dc0df3faeba5c19ac1a789a31
    Size: 394.46 kB
  2. nodejs-packaging-25-1.module+el8+1522+3bc04569.src.rpm
    MD5: 1e6568e0e7a8d535d1b87eba73af4acb
    SHA-256: a0688ddd4b4b6db9b910ccc335f09c58bb92bc49eb58030062aacb92f393e05f
    Size: 26.81 kB
  3. nodejs-16.16.0-3.module+el8+1522+3bc04569.src.rpm
    MD5: 33b9edba1712275d323a08475d39d95b
    SHA-256: 4189b92b803c50d98672ddf75e389168f22184af653dffe111ea51ea0fd37931
    Size: 68.43 MB

Asianux Server 8 for x86_64
  1. nodejs-nodemon-2.0.19-2.module+el8+1522+3bc04569.noarch.rpm
    MD5: 721a0ff0a75c1ebae7bae444d41fe89f
    SHA-256: d63988781009e39e6e7d2f8d93f0ca6e693b4b4d1c71467817f82fbfd533961c
    Size: 271.45 kB
  2. nodejs-packaging-25-1.module+el8+1522+3bc04569.noarch.rpm
    MD5: a9328a90bed4f0fafd4f2e60cd8fbc57
    SHA-256: cf834ac2c6914494cf866b7056f471c258734f959209f01b7a13e1f6ab2b497e
    Size: 23.19 kB
  3. nodejs-16.16.0-3.module+el8+1522+3bc04569.x86_64.rpm
    MD5: 9bcc1105c0c1a1f0774c07403eb7543e
    SHA-256: eea8288089c993b5b686879a58c16a5be43f2e5735a253e62edb633444675c24
    Size: 12.15 MB
  4. nodejs-debugsource-16.16.0-3.module+el8+1522+3bc04569.x86_64.rpm
    MD5: 2436a25f70c139c5511199abde5d074e
    SHA-256: 14e3eb9e61cdf18bfbf8872b1fd7ee4173dd8ce051de816ea4206d867434e947
    Size: 12.80 MB
  5. nodejs-devel-16.16.0-3.module+el8+1522+3bc04569.x86_64.rpm
    MD5: 0412559af0ddb7bfe08aa93316e644ac
    SHA-256: a2eef7caa6018fabe55632eceefecdbeeebaa69d688145f8f6c1d70dee9905ab
    Size: 190.24 kB
  6. nodejs-docs-16.16.0-3.module+el8+1522+3bc04569.noarch.rpm
    MD5: 95c70fd3bf740aaf59e97eaa89179e01
    SHA-256: a9a76d6b2de94a6599c22d9607a38af911a7ff3c1b17875a876d5f92a6b08a6b
    Size: 9.04 MB
  7. nodejs-full-i18n-16.16.0-3.module+el8+1522+3bc04569.x86_64.rpm
    MD5: ea5a9c27c91ae59c90fb6274d03ccf12
    SHA-256: dc9d24432cbf948a166a469e7bee01d6d57804063d0d00a284f3a084834f12ce
    Size: 7.85 MB
  8. npm-8.11.0-1.16.16.0.3.module+el8+1522+3bc04569.x86_64.rpm
    MD5: 477b00513e293d490ff22806486a95be
    SHA-256: 6b3a6c2ce3d05921d6c83bf09d9419a6c50e455632161eb2ae0e91aadfe27d7b
    Size: 1.88 MB