nodejs:18 security, bug fix, and enhancement update

Errata ID: AXSA:2023-4944:01

Release date: Thursday, February 2, 2023 - 00:33
Subject: nodejs:18 security, bug fix, and enhancement update
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: Moderate
Description:

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs
(18.12.1).

Security Fix(es):

* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
* nodejs: DNS rebinding in inspect via invalid octal IP address
(CVE-2022-43548)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2022-3517
A vulnerability was found in the minimatch package. This flaw allows a Regular
Expression Denial of Service (ReDoS) when calling the braceExpand function with
specific arguments, resulting in a Denial of Service.
CVE-2022-43548
An OS Command Injection vulnerability exists in Node.js versions <14.21.1,
<16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can
easily be bypassed because IsIPAddress does not properly check if an IP address
is invalid before making DNS requests, allowing rebinding attacks. The fix for
this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was
incomplete and this new CVE is to complete the fix.
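
An added illustration (not Node.js's own code, and not part of the advisory) of the class of check CVE-2022-43548 describes: a Host allow-list that trusts anything shaped like an IPv4 literal, next to a strict version that rejects octets with leading zeros or values above 255. All function names and sample Host values are constructed for this example, and it covers IPv4 literals and localhost names only.

```javascript
'use strict';
// Simplified model of a debugger-style Host header allow-list (added example).

// Lenient: anything shaped like four dotted digit groups is trusted as an IP.
function looksLikeIPv4Lenient(host) {
  return /^\d+(\.\d+){3}$/.test(host);
}

// Strict: four decimal octets, each 0-255, no leading zeros. A group such as
// "09" or "010" is not a valid literal, so a client may treat the whole string
// as a name and resolve it through DNS.
function isStrictIPv4(host) {
  const parts = host.split('.');
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Split "host[:port]"; bracketed IPv6 is out of scope here and fails closed.
function hostWithoutPort(hostHeader) {
  const m = /^([^:\[\]\s]+)(?::\d{1,5})?$/.exec(String(hostHeader).trim());
  return m ? m[1].toLowerCase() : null;
}

// Allow loopback names and IP literals only: a literal needs no DNS lookup,
// so it cannot be re-pointed by a rebinding answer.
function isAllowedHost(hostHeader, isIpLiteral) {
  const host = hostWithoutPort(hostHeader);
  if (host === null) return false;
  if (host === 'localhost' || host === 'localhost6') return true;
  return isIpLiteral(host);
}

// Constructed Host header values for the comparison.
const samples = ['127.0.0.1:9229', 'localhost:9229', '1.09.0.0:9229',
  '010.0.0.1', '256.1.1.1', 'example.test:9229'];

function compare(hosts) {
  return hosts.map((h) => ({
    host: h,
    lenient: isAllowedHost(h, looksLikeIPv4Lenient),
    strict: isAllowedHost(h, isStrictIPv4),
  }));
}

console.table(compare(samples));
```

The rows where `lenient` is true and `strict` is false are the inputs a host check must reject.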

Modularity name: nodejs
Stream name: 18

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-2.0.20-1.module+el9+1005+9fc6de56.src.rpm
    MD5: b69fafaf2150e6345b19e51f339deaed
    SHA-256: 2b94a9367f1cbf37163ebad0d15cf944ba44f65608fea6623b499663fc5556eb
    Size: 340.42 kB
  2. nodejs-packaging-2021.06-4.module+el9+1005+9fc6de56.src.rpm
    MD5: c07594878bdca1c52f3ab87eec2e677a
    SHA-256: 54491a1d52b5e7a681a49d2d98fde483a183c42e169a758f33e8b55361c4b6a0
    Size: 26.54 kB
  3. nodejs-18.12.1-1.module+el9+1005+9fc6de56.src.rpm
    MD5: 08dd5a667ce53fbe367944cf20cfa309
    SHA-256: 7cdd1f745154b4953caadb549c755ed18f5d4c48e6c6917689eb435881d0b9c0
    Size: 171.84 MB

Asianux Server 9 for x86_64
  1. nodejs-nodemon-2.0.20-1.module+el9+1005+9fc6de56.noarch.rpm
    MD5: b2f7ad07aca00d1cc5f621b00aeb146d
    SHA-256: ecdba3c78b6385b9e5d5a011d6cfd208f50d48fec2a02752551a66b6742303ff
    Size: 260.57 kB
  2. nodejs-packaging-2021.06-4.module+el9+1005+9fc6de56.noarch.rpm
    MD5: ea51f05cde694e9f18d2addf177c65e0
    SHA-256: a2df73fec6a6be209ddc8229a3cbca1a2c26b34817af61a5ed6d1927895754eb
    Size: 19.91 kB
  3. nodejs-packaging-bundler-2021.06-4.module+el9+1005+9fc6de56.noarch.rpm
    MD5: c13f0178eacb92b25b4bdf13f3cccfb5
    SHA-256: a07b467828b3e2ee3191df1320bc123e201cb5e93b8c4df95e2655c5f6612b45
    Size: 9.76 kB
  4. nodejs-18.12.1-1.module+el9+1005+9fc6de56.x86_64.rpm
    MD5: db0f5c0d745bcdeb9bf6dde2b16cbc59
    SHA-256: 73638e28339681e27248f3deed6ac675fda828f64ec8fa34e91ec7ebc35ec313
    Size: 12.63 MB
  5. nodejs-debugsource-18.12.1-1.module+el9+1005+9fc6de56.x86_64.rpm
    MD5: 1bfd4faf96fda91ef1fb9e16717f76ec
    SHA-256: 6a69bb07a1589a4666b9f69a488eff8af4c5f48b8b102ff1386b9236bd776148
    Size: 11.29 MB
  6. nodejs-devel-18.12.1-1.module+el9+1005+9fc6de56.x86_64.rpm
    MD5: b3635506cfbd35b426077fd66c6cc364
    SHA-256: cc3518e067718d6047b9e9d89487763d84fa914eeef7ddfda686725aecac0f29
    Size: 183.66 kB
  7. nodejs-docs-18.12.1-1.module+el9+1005+9fc6de56.noarch.rpm
    MD5: 173b242c1cca4a935ffabe598ddda936
    SHA-256: ce5573cfa29e43263bd35fe9cad2a968b877e6ff3f509a7d14fee385d903cd0e
    Size: 7.15 MB
  8. nodejs-full-i18n-18.12.1-1.module+el9+1005+9fc6de56.x86_64.rpm
    MD5: e47e79a892947585bb0685de1a011597
    SHA-256: 08756e6cfaf3e99c321da58421d6da598e8ec8c447476733757d1d90893f022f
    Size: 8.22 MB
  9. npm-8.19.2-1.18.12.1.1.module+el9+1005+9fc6de56.x86_64.rpm
    MD5: 68d6850be729745b51ae8ec7dc34457c
    SHA-256: 6e917c81ac8db46b59756435b58f055d41ec726fd748d887e07caf34ba51480f
    Size: 1.79 MB