nodejs:18 security, bug fix, and enhancement update
Errata ID: AXSA:2022-4553:01
Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: nodejs
(18.12.1), nodejs-nodemon (2.0.20).
Security Fix(es):
* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
* nodejs: DNS rebinding in inspect via invalid octal IP address
(CVE-2022-43548)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.
CVE-2022-3517
A vulnerability was found in the minimatch package. This flaw allows a Regular
Expression Denial of Service (ReDoS) when calling the braceExpand function with
specific arguments, resulting in a Denial of Service.
CVE-2022-43548
An OS Command Injection vulnerability exists in Node.js versions <14.21.1,
<16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can
easily be bypassed because IsIPAddress does not properly check if an IP address
is invalid before making DNS requests, allowing rebinding attacks. The fix for
this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was
incomplete and this new CVE is to complete the fix.
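As an added illustration of the host-check weakness described for CVE-2022-43548 (not Node.js source code and not part of the original advisory): a loose "digits and dots" test accepts strings that are not valid IP literals, while a strict parser rejects them. The function names, the allowlist policy and the sample Host values are assumptions constructed for this example.

```javascript
// Added example; hypothetical helpers, not the Node.js implementation.

// Loose check: anything made of digits and dots is treated as an IP literal.
function looksLikeIPv4Loose(host) {
  return /^[0-9.]+$/.test(host);
}

// Strict check: exactly four decimal octets, each 0-255, no leading zeros.
function isStrictIPv4(host) {
  const parts = host.split('.');
  if (parts.length !== 4) return false;
  return parts.every((p) => {
    // Rejects "", "08", "0177" and anything that is not plain decimal.
    if (!/^(0|[1-9][0-9]{0,2})$/.test(p)) return false;
    return Number(p) <= 255;
  });
}

// Host header value -> hostname, dropping an optional :port.
// Bracketed IPv6 literals are not handled here and come back as null.
function hostnameOf(hostHeader) {
  const m = /^([^:]*)(?::([0-9]{1,5}))?$/.exec(hostHeader.trim().toLowerCase());
  return m ? m[1] : null;
}

// Assumed policy: allow only "localhost" or a valid IP literal.
function isAllowedHost(hostHeader, ipCheck = isStrictIPv4) {
  const name = hostnameOf(hostHeader);
  if (name === null || name === '') return false;
  return name === 'localhost' || ipCheck(name);
}

// Constructed sample Host values (documentation address range).
const SAMPLES = ['127.0.0.1:9229', 'localhost:9229', '192.0.2.08',
  '192.0.2.555', '192.0.2', 'example.test'];

// Evaluate each sample under both checks so the difference is visible.
function compare(samples) {
  return samples.map((h) => ({
    host: h,
    loose: isAllowedHost(h, looksLikeIPv4Loose),
    strict: isAllowedHost(h),
  }));
}

console.table(compare(SAMPLES));
```

The rows where `loose` is true and `strict` is false are the strings a client may treat as a hostname and resolve through DNS even though the check accepted them as an IP address.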
Modularity name: nodejs
Stream name: 18
Update packages.
SRPMS
- nodejs-nodemon-2.0.20-1.module+el8+1577+08b931c3.src.rpm
Size: 340.88 kB
- nodejs-packaging-2021.06-4.module+el8+1577+08b931c3.src.rpm
Size: 30.29 kB
- nodejs-18.12.1-2.module+el8+1577+08b931c3.src.rpm
Size: 74.32 MB
Asianux Server 8 for x86_64
- nodejs-nodemon-2.0.20-1.module+el8+1577+08b931c3.noarch.rpm
Size: 274.05 kB
- nodejs-packaging-2021.06-4.module+el8+1577+08b931c3.noarch.rpm
Size: 24.14 kB
- nodejs-packaging-bundler-2021.06-4.module+el8+1577+08b931c3.noarch.rpm
Size: 13.76 kB
- nodejs-18.12.1-2.module+el8+1577+08b931c3.x86_64.rpm
Size: 13.39 MB
- nodejs-debugsource-18.12.1-2.module+el8+1577+08b931c3.x86_64.rpm
Size: 13.75 MB
- nodejs-devel-18.12.1-2.module+el8+1577+08b931c3.x86_64.rpm
Size: 205.72 kB
- nodejs-docs-18.12.1-2.module+el8+1577+08b931c3.noarch.rpm
Size: 9.48 MB
- nodejs-full-i18n-18.12.1-2.module+el8+1577+08b931c3.x86_64.rpm
Size: 8.01 MB
- npm-8.19.2-1.18.12.1.2.module+el8+1577+08b931c3.x86_64.rpm
Size: 1.96 MB