nodejs:18 security update
Errata ID: AXSA:2022-4480:01
Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: nodejs
(18.9.1).
Security Fix(es):
* nodejs: weak randomness in WebCrypto keygen (CVE-2022-35255)
* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields
(CVE-2022-35256)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.
CVE-2022-35255
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
CVE-2022-35256
** RESERVED ** This candidate has been reserved by an organization or individual
that will use it when announcing a new security problem. When the candidate has
been publicized, the details for this candidate will be provided.
Modularity name: nodejs
Stream name: 18
Update packages.
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value; it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned by EntropySource() may not be cryptographically strong and is therefore not suitable as keying material.
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling.
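The check below is an added example, not code from Node.js, llhttp or this advisory: it flags request heads whose lines are not terminated with CRLF, the condition CVE-2022-35256 describes, and shows how a CRLF-only splitter and an LF-tolerant splitter disagree on the header set. All function names and the sample requests are constructed for illustration.

```javascript
// Added example: names and sample requests are constructed for illustration.
// HTTP/1.1 terminates the request line and every header field line with CRLF.

// Report each bare LF or bare CR in the request head (everything up to the
// first CRLFCRLF). `raw` is the request decoded as a latin1 string.
function findBareLineBreaks(raw) {
  const end = raw.indexOf('\r\n\r\n');
  const head = end === -1 ? raw : raw.slice(0, end + 2);
  const findings = [];
  for (let i = 0; i < head.length; i++) {
    if (head[i] === '\n' && head[i - 1] !== '\r') {
      findings.push({ offset: i, kind: 'bare LF' });
    } else if (head[i] === '\r' && head[i + 1] !== '\n') {
      findings.push({ offset: i, kind: 'bare CR' });
    }
  }
  return findings;
}

// Header names as seen by a splitter that accepts only CRLF (strict) or both
// CRLF and bare LF (lenient). A difference means two hops handling the same
// bytes can disagree about which fields the request carries.
function headerNames(raw, lenient) {
  const end = raw.indexOf('\r\n\r\n');
  const head = end === -1 ? raw : raw.slice(0, end);
  return head
    .split(lenient ? /\r\n|\n/ : '\r\n')
    .slice(1) // drop the request line
    .filter((line) => line.includes(':'))
    .map((line) => line.slice(0, line.indexOf(':')).trim().toLowerCase());
}

// Accept/reject decision a front end or a regression test could apply.
function checkRequestHead(raw) {
  const findings = findBareLineBreaks(raw);
  return {
    ok: findings.length === 0,
    findings,
    strict: headerNames(raw, false),
    lenient: headerNames(raw, true),
  };
}

// Constructed samples: the second ends "X-First: a" with LF instead of CRLF.
const WELL_FORMED = 'GET / HTTP/1.1\r\nHost: example.test\r\nX-First: a\r\nX-Second: b\r\n\r\n';
const BARE_LF = 'GET / HTTP/1.1\r\nHost: example.test\r\nX-First: a\nX-Second: b\r\n\r\n';

console.log(checkRequestHead(WELL_FORMED).ok);
console.log(checkRequestHead(BARE_LF));
```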
N/A
SRPMS
- nodejs-nodemon-2.0.19-1.module+el8+1565+afd7ff6f.src.rpm
MD5: 0db6de0d11b62455115e5794ac23cf09
SHA-256: 4d336a4af8c69ccd9dede5f47f67b3586b14e16284c4bbd0817070283582656b
Size: 391.92 kB
- nodejs-packaging-2021.06-4.module+el8+1565+afd7ff6f.src.rpm
MD5: 111e5638623f7c05041fda5215b5a39f
SHA-256: eef57a4df199afdc0f515ee5b9c021ce335ccfcf335f1ab710f1986e55f55b51
Size: 30.29 kB
- nodejs-18.9.1-1.module+el8+1565+afd7ff6f.src.rpm
MD5: 22a8a5128d009a2ffc9417b97ebc86be
SHA-256: b51e5f8edd405fc909a6322d6708d6520eee58327868339d2e73f909e7c08b9c
Size: 74.05 MB
Asianux Server 8 for x86_64
- nodejs-nodemon-2.0.19-1.module+el8+1565+afd7ff6f.noarch.rpm
MD5: f80549a3e849da3cd74420e92878ab0a
SHA-256: ec56437752309a63c071c0e34cf38e83c1f32a70ba24543ca10c8ca7a24327d2
Size: 271.18 kB
- nodejs-packaging-2021.06-4.module+el8+1565+afd7ff6f.noarch.rpm
MD5: ba50aec059d217be214130b619ba04de
SHA-256: cb50fb9c504c728211bc56d97e0319e267ff7dc6daf5cc86d16ea0549356a1f3
Size: 24.14 kB
- nodejs-packaging-bundler-2021.06-4.module+el8+1565+afd7ff6f.noarch.rpm
MD5: fcde026a5ca68375b6b590a7b1a3c005
SHA-256: 7f8c3bb127c2c1ea994f0b3bba5c34ef28f9e1a4f531c225b388f175ed4dc16f
Size: 13.76 kB
- nodejs-18.9.1-1.module+el8+1565+afd7ff6f.x86_64.rpm
MD5: be6dfd9f8b79d2cfe27cd0373e67e893
SHA-256: acd596c5467486d8da83e73774e6a16f37202d8e03583765ded3dcfe6be03e08
Size: 13.35 MB
- nodejs-debugsource-18.9.1-1.module+el8+1565+afd7ff6f.x86_64.rpm
MD5: b6c8ebf927990a0034dfb1d6b64db9d0
SHA-256: 4609c914241db321309fa030bd570d688c6e02ab08409c6dd8645cdbe98d3ffe
Size: 13.68 MB
- nodejs-devel-18.9.1-1.module+el8+1565+afd7ff6f.x86_64.rpm
MD5: f0d75b49a32f609009505f5ea18d9d03
SHA-256: 27b91707f843bdfe6d52e93707154bfd4cc44bd338e24d469e103541f0494d29
Size: 204.64 kB
- nodejs-docs-18.9.1-1.module+el8+1565+afd7ff6f.noarch.rpm
MD5: 37b0dd40d81b944f46a43320e4a7e026
SHA-256: a8111960bdba99383a5010c7c0ea7b5ce509ef567e051e054bd4eaaa3dcc6113
Size: 9.42 MB
- nodejs-full-i18n-18.9.1-1.module+el8+1565+afd7ff6f.x86_64.rpm
MD5: 836b22ec111389b53510e8ba8f66bf5d
SHA-256: 973dcace82460e6ecc185a1c8bf0c6e7a261ff049ff7f3a6bb0264bad6b43a45
Size: 8.01 MB
- npm-8.19.1-1.18.9.1.1.module+el8+1565+afd7ff6f.x86_64.rpm
MD5: be42d991cc54b66544107533baa0d0d6
SHA-256: ad0723cbb32cd67fce5c562fd918cbf6f03f9469481165043c46727dcc4b93da
Size: 1.96 MB