nodejs:18 security, bug fix, and enhancement update

エラータID: AXSA:2023-5259:01

Release date: 
Wednesday, April 5, 2023 - 03:57
Subject: 
nodejs:18 security, bug fix, and enhancement update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (18.14.2).

Security Fix(es):

* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)
* Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)
* Node.js: Fetch API did not protect against CRLF injection in host headers (CVE-2023-23936)
* Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)
* Node.js: Regular Expression Denial of Service in Headers fetch API (CVE-2023-24807)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2021-35065
The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.
CVE-2022-25881
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
CVE-2023-23918
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
CVE-2023-23920
An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.
CVE-2023-23936
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
CVE-2023-24807
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.

Modularity name: nodejs
Stream name: 18

Solution: 

Update packages.

CVEs: 
CVE-2021-35065
The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.
CVE-2022-25881
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
CVE-2023-23918
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
CVE-2023-23920
An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.
CVE-2023-23936
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
CVE-2023-24807
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-2.0.20-2.module+el8+1592+98437ef2.src.rpm
    MD5: f242eba21e403e3ae72b63d44c5d1735
    SHA-256: 4502fb4f184a1da859426a0ef5e0b6be111bdceb9ff4883eb340d08dd3480e65
    Size: 342.26 kB
  2. nodejs-packaging-2021.06-4.module+el8+1592+98437ef2.src.rpm
    MD5: f45fbdfa031bbe7e3af08b00ff6a5536
    SHA-256: e470e7922f7782f7e95f02cec0ff8765d73564c465a9589669367f35f766e3a6
    Size: 30.29 kB
  3. nodejs-18.14.2-2.module+el8+1592+98437ef2.src.rpm
    MD5: eb129996130569a9fd78a61eee411a46
    SHA-256: 30a37373b96ebcad3e67a987b8bac1cd161d70ddcf9ecaee53c81462cb7b515b
    Size: 77.80 MB

Asianux Server 8 for x86_64
  1. nodejs-18.14.2-2.module+el8+1592+98437ef2.x86_64.rpm
    MD5: c434239fae42fc7ce827a7a5bf79f0be
    SHA-256: e87a7b29e9757f6750d74b1f9d450aca4ee841765eef96d15fa78306a09b8c3c
    Size: 13.40 MB
  2. nodejs-debugsource-18.14.2-2.module+el8+1592+98437ef2.x86_64.rpm
    MD5: 1bd321d960ba0f478991afb6c3212fa8
    SHA-256: 13aef4d6a3bfdeafb0602b7beb9797c24c54aeb1974fa9d3b12563fdd64d6c53
    Size: 13.96 MB
  3. nodejs-devel-18.14.2-2.module+el8+1592+98437ef2.x86_64.rpm
    MD5: 4c11a86e535d2747593e7b21646129a5
    SHA-256: cc2b36caa719e677d833ded3c29beebf0c8fb523b4c7a2072bd315573962237e
    Size: 205.83 kB
  4. nodejs-docs-18.14.2-2.module+el8+1592+98437ef2.noarch.rpm
    MD5: 85293791d33cf88545704ddd13085271
    SHA-256: 7bc0b28c5e9fc5e4e65836b899b55548b52e218d315bb3c4505a60556b91837f
    Size: 9.78 MB
  5. nodejs-full-i18n-18.14.2-2.module+el8+1592+98437ef2.x86_64.rpm
    MD5: f99a4b6ae10499721a8f043bdf0fd42a
    SHA-256: 25dd11bf6408bdd05168673c8fe15afbde2ad5cbfcc0a71c718debc1b67e0c98
    Size: 8.18 MB
  6. nodejs-nodemon-2.0.20-2.module+el8+1592+98437ef2.noarch.rpm
    MD5: b3e2728520154d777564cb03f8d7d1ac
    SHA-256: 4c55436278a91ee66bcc4d5d7d09781700df91cc97604837e6e2cdc7cbb318ad
    Size: 274.23 kB
  7. nodejs-packaging-2021.06-4.module+el8+1592+98437ef2.noarch.rpm
    MD5: 12330b37bbb8ce6c0fe1f8ecb115173f
    SHA-256: 6cfb36a430d135bc18493c432061d64eb82e77a28aa479e2339219eb1d4da9cc
    Size: 24.14 kB
  8. nodejs-packaging-bundler-2021.06-4.module+el8+1592+98437ef2.noarch.rpm
    MD5: ac55b0710f05d8f957aebc4e7a350e94
    SHA-256: eb661f02190391de80d66134aa3fcc9ef0138f19d5fae337843c0b13b064e372
    Size: 13.76 kB
  9. npm-9.5.0-1.18.14.2.2.module+el8+1592+98437ef2.x86_64.rpm
    MD5: 6f405db9b51c3b4848d895e01a75424d
    SHA-256: 013884877e58c94ba404bf957ed386cb9f10e4b9a327e2fe9e40ab5cbc430330
    Size: 2.20 MB