nodejs:14 security, bug fix, and enhancement update

Errata ID: AXSA:2023-5289:01

Release date: Thursday, April 13, 2023 - 04:48
Subject: nodejs:14 security, bug fix, and enhancement update
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description:

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs
(14.21.3).

Security Fix(es):

* decode-uri-component: improper input validation resulting in DoS
(CVE-2022-38900)
* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
* c-ares: buffer overflow in config_sortlist() due to missing string length
check (CVE-2022-4904)
* http-cache-semantics: Regular Expression Denial of Service (ReDoS)
vulnerability (CVE-2022-25881)
* Node.js: Permissions policies can be bypassed via process.mainModule
(CVE-2023-23918)
* Node.js: insecure loading of ICU data through ICU_DATA environment variable
(CVE-2023-23920)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE-2021-35065
The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.
CVE-2022-3517
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
CVE-2022-4904
A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
CVE-2022-25881
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
CVE-2022-38900
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
CVE-2023-23918
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non-authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
CVE-2023-23920
An untrusted search path vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.

Modularity name: nodejs
Stream name: 14

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-2.0.20-3.module+el8+1599+21daafeb.src.rpm
    MD5: 1ed9828951c3ad377ff7c143ad06f3fe
    SHA-256: cc52e036cca3d52e4ab7248961530812f5191e9cd4755e59d3278efd224420b0
    Size: 342.75 kB
  2. nodejs-packaging-23-3.module+el8+1599+21daafeb.src.rpm
    MD5: 63c7a02ca67406a54e9509b09a87190d
    SHA-256: 384efa3da9234de1561a6b31685166b5f85278a3f000bbfaf9c7d28c89a86222
    Size: 26.54 kB
  3. nodejs-14.21.3-1.module+el8+1599+21daafeb.src.rpm
    MD5: 2b533d95938ea21a62f9f35e8193ede1
    SHA-256: 626edd34b71c2cf0e49bcf2579239cab8b850b3d341cba6a39928f21ab62e564
    Size: 67.93 MB

Asianux Server 8 for x86_64
  1. nodejs-14.21.3-1.module+el8+1599+21daafeb.x86_64.rpm
    MD5: c91cda1cbf2da85c450e741ffd9c2655
    SHA-256: c19952043203bb0079e876b0c86d831ad596778c22dda62dd670b3011a6b08f3
    Size: 10.86 MB
  2. nodejs-debugsource-14.21.3-1.module+el8+1599+21daafeb.x86_64.rpm
    MD5: 9abc0792f3e1a116b5f457218f9fc012
    SHA-256: 1548060a4021fbe3161540b842c8db3448ff768a4d730dd3e1c14aefbb5a99c4
    Size: 11.06 MB
  3. nodejs-devel-14.21.3-1.module+el8+1599+21daafeb.x86_64.rpm
    MD5: fb4431ed9edd994d925a79b9db2e3c50
    SHA-256: 3097f6c71b15ff4e5f55cb75c09ef79f25e5f07dc9293bb55561f1d23b98c712
    Size: 205.34 kB
  4. nodejs-docs-14.21.3-1.module+el8+1599+21daafeb.noarch.rpm
    MD5: 6bc5a9ea499f3874f46117169ce486fe
    SHA-256: a39347b2477ca61b4d9c37d9a4cba44377c3efcd2317c4927af7c2c19bc4da99
    Size: 8.04 MB
  5. nodejs-full-i18n-14.21.3-1.module+el8+1599+21daafeb.x86_64.rpm
    MD5: 1550ab526c55e395182d986355a9e0f2
    SHA-256: 3ef496d4362cbde668c807935dd8c41aaf58fd6dcdaff139f196cb527f0cd525
    Size: 7.85 MB
  6. nodejs-nodemon-2.0.20-3.module+el8+1599+21daafeb.noarch.rpm
    MD5: b7c2c42d1d2dcf36ff7c54e63766f657
    SHA-256: 62d7007a3fe7ee466237e02b39687b9c0e912df738135b9759d8cd951a7e8ef7
    Size: 274.65 kB
  7. nodejs-packaging-23-3.module+el8+1599+21daafeb.noarch.rpm
    MD5: 1839a8978c9c5ef27686cd1d16f58d9b
    SHA-256: bdb923faceb7011357a7ad69f2e7d1282a91959b2ab0ac79c9338f2ec9ed0c93
    Size: 22.98 kB
  8. npm-6.14.18-1.14.21.3.1.module+el8+1599+21daafeb.x86_64.rpm
    MD5: eb22566ee7b7a53f7992eb7768b7ee9f
    SHA-256: ec636c2c390c30a9d8e1580f15e5ef1177618e34261620bd492a79dc8d895db3
    Size: 3.76 MB
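The Solution section says to update packages, and the Download section lists a SHA-256 per RPM. The script below is an added example (not part of this erratum or of the nodejs packages) that checks whether an installed nodejs build is already at or beyond the fixed version 14.21.3 and verifies a downloaded RPM against a listed digest; it assumes POSIX sh with sed and sha256sum available.

```shell
#!/bin/sh
# Added example, not part of this erratum or of the nodejs packages:
# tell whether an installed nodejs build already carries this update
# (version >= 14.21.3) and verify a downloaded RPM against the SHA-256
# printed in the Download section. Assumes POSIX sh, sed and sha256sum.

FIXED_VERSION="14.21.3"

# Extract the upstream version from an RPM NVR(A) string, for example
# "nodejs-full-i18n-14.21.3-1.module+el8+1599+21daafeb.x86_64" -> "14.21.3".
nvr_version() {
    printf '%s\n' "$1" | sed -E 's/^.*-([0-9][^-]*)-[^-]*$/\1/'
}

# version_ge A B: succeed when dotted numeric version A >= B, compared
# field by field (so 14.21.10 > 14.21.3, and a missing field counts as 0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        if [ "$a" = "$ax" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bx" ]; then b=""; else b="${b#*.}"; fi
        if [ "${ax:-0}" -gt "${bx:-0}" ]; then return 0; fi
        if [ "${ax:-0}" -lt "${bx:-0}" ]; then return 1; fi
    done
    return 0
}

# nodejs_fixed NVR: succeed when the given nodejs build is at or beyond the
# fixed version. On a live host pass it the output of `rpm -q nodejs`.
nodejs_fixed() {
    version_ge "$(nvr_version "$1")" "$FIXED_VERSION"
}

# rpm_sha256_ok FILE EXPECTED: succeed only when FILE's SHA-256 equals the
# digest listed for that package (hex compared case-insensitively).
rpm_sha256_ok() {
    actual=$(sha256sum "$1" | cut -d' ' -f1 | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Stand-alone run: report on the x86_64 nodejs package this erratum ships.
if nodejs_fixed "nodejs-14.21.3-1.module+el8+1599+21daafeb.x86_64"; then
    echo "nodejs 14.21.3 is at or beyond the fixed version"
fi
```

The version compare is numeric per field, so it does not mistake 14.21.10 for an older build than 14.21.3 the way a plain string compare would; the RPM release tag is deliberately ignored.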