nodejs:18 security update

Errata ID: AXSA:2023-6083:01

Release date: Tuesday, June 20, 2023 - 08:06
Subject: nodejs:18 security update
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

* c-ares: 0-byte UDP payload Denial of Service (CVE-2023-32067)
* c-ares: Buffer Underwrite in ares_inet_net_pton() (CVE-2023-31130)
* c-ares: Insufficient randomness in generation of DNS query IDs (CVE-2023-31147)
* c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation (CVE-2023-31124)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-31124
c-ares is an asynchronous resolver library. When c-ares is cross-compiled with the autotools build system, CARES_RANDOM_FILE is not set (observed when cross-compiling for aarch64 Android). c-ares then falls back to rand(), which is not a CSPRNG, and an attacker could take advantage of the resulting lack of entropy. This issue was patched in version 1.19.1.
CVE-2023-31130
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain IPv6 addresses; in particular, "0::00:00:00/2" was found to trigger it. c-ares itself only calls this function for configuration purposes, which would require an administrator to configure such an address via ares_set_sortlist(). However, applications may call ares_inet_net_pton() directly for other purposes (for example, on untrusted input) and thus be exposed to more severe issues. This issue has been fixed in 1.19.1.
CVE-2023-31147
c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() is unavailable, c-ares uses rand() to generate the random numbers used for DNS query IDs. rand() is not a CSPRNG, and c-ares does not seed it with srand(), so it produces predictable output. That output is then fed into a non-compliant RC4 implementation that may not be as strong as the original RC4. No attempt is made to use modern OS-provided CSPRNGs such as arc4random(), which is widely available. Predictable query IDs make it easier for an off-path attacker to forge DNS responses. This issue has been fixed in version 1.19.1.
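The following is an added example illustrating the weakness described under CVE-2023-31124 and CVE-2023-31147 above; it is not c-ares code. It uses the ISO C reference rand() (a 32-bit LCG with 15 output bits, unseeded state 1) as a stand-in generator, and the way two rand() outputs are folded into a 16-bit DNS ID is an assumption made here. Real libc generators differ, but the property that matters is shared: an unseeded generator starts from the same state in every process, so an attacker who knows the target fell back to rand() can align a copy of it with a few observed IDs and predict the rest, whereas IDs drawn from the OS CSPRNG cannot be aligned.

```python
"""Added example, not c-ares code: why an unseeded rand() fallback makes DNS
query IDs predictable, beside a CSPRNG-backed generator."""
import secrets
from typing import List, Optional


class PortableRand:
    """ISO C reference rand(): state = state*1103515245 + 12345 (mod 2^32),
    output = (state // 65536) % 32768.  Stand-in for a libc rand()."""

    def __init__(self, seed: int = 1) -> None:  # srand() never called -> seed stays 1
        self.state = seed & 0xFFFFFFFF

    def rand(self) -> int:
        self.state = (self.state * 1103515245 + 12345) & 0xFFFFFFFF
        return (self.state // 65536) % 32768


def weak_query_ids(count: int) -> List[int]:
    """IDs as a resolver on the rand() fallback might produce them.  Folding two
    15-bit outputs into a 16-bit ID is an assumption of this example; the
    weakness is the generator, not the folding."""
    rng = PortableRand()  # unseeded, so identical in every process that uses it
    return [((rng.rand() << 8) ^ rng.rand()) & 0xFFFF for _ in range(count)]


def strong_query_ids(count: int) -> List[int]:
    """IDs drawn from the OS CSPRNG (os.urandom / getrandom under the hood)."""
    return [secrets.randbits(16) for _ in range(count)]


def attacker_predicts(observed: List[int], horizon: int,
                      search: int = 4096) -> Optional[List[int]]:
    """Off-path attacker who knows the target uses the unseeded fallback: run a
    copy of the same generator, locate the observed IDs in its output stream,
    and return the next `horizon` IDs to forge replies for.  Returns None when
    the window never appears, which is the outcome against CSPRNG output."""
    stream = weak_query_ids(search + len(observed) + horizon)
    n = len(observed)
    for i in range(search):
        if stream[i:i + n] == observed:
            return stream[i + n:i + n + horizon]
    return None


if __name__ == "__main__":
    ids = weak_query_ids(12)
    print("weak IDs     :", [hex(x) for x in ids])
    print("predicted    :", [hex(x) for x in attacker_predicts(ids[4:7], 5)])
    print("actual next  :", [hex(x) for x in ids[7:12]])
    print("strong window:", attacker_predicts(strong_query_ids(4), 5))
```

Run it twice: the weak sequence is identical both times, and three observed IDs are enough to recover the five that follow. The CSPRNG-backed list changes on every run and the alignment search comes back empty.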
CVE-2023-32067
c-ares is an asynchronous resolver library and is vulnerable to denial of service. When a target resolver sends a query, an attacker forges a malformed UDP packet with a payload length of 0 and returns it to the target resolver. The target resolver erroneously interprets the 0-length read as a graceful shutdown of the connection, although UDP is connectionless and an empty datagram should simply be discarded. This issue has been patched in version 1.19.1.
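The following is an added example of the bug class behind CVE-2023-32067, not c-ares code. A UDP reply reader applies stream-socket semantics (a 0-byte read means the peer closed) to a datagram socket, and is shown beside the corrected reader that treats an empty datagram as nothing more than an empty message. The "DNS reply" is a constructed byte string carrying only a query ID; the attacker and the upstream server are the same loopback sender, which assumes the attacker already knows the resolver's port.

```python
"""Added example, not c-ares code: zero-length UDP datagram mistaken for EOF."""
import socket
from typing import List

# Constructed sample reply (not a real DNS message): 16-bit query ID 0x1234
# followed by filler bytes.  Only the ID is inspected below.
QUERY_ID = 0x1234
REAL_REPLY = QUERY_ID.to_bytes(2, "big") + bytes.fromhex("81800001000100000000")


def read_replies(treat_empty_as_close: bool) -> List[str]:
    """Simulate a resolver waiting for the reply to QUERY_ID while an attacker
    slips a forged 0-byte datagram in first.  Returns the events the reader
    recorded so the vulnerable and fixed behaviours can be compared."""
    resolver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        resolver.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
        resolver.settimeout(2.0)
        target = resolver.getsockname()

        # Attacker-forged empty datagram arrives, then the genuine reply.
        sender.sendto(b"", target)
        sender.sendto(REAL_REPLY, target)

        events: List[str] = []
        while True:
            try:
                data, _peer = resolver.recvfrom(512)
            except socket.timeout:
                events.append("timeout")
                break
            if len(data) == 0:
                if treat_empty_as_close:
                    # Vulnerable: a zero-length read is taken as graceful shutdown,
                    # the reader gives up and the real reply is never processed.
                    events.append("closed")
                    break
                # Fixed: UDP has no connection to close; an empty datagram carries
                # nothing, so drop it and keep waiting for the real answer.
                events.append("ignored-empty")
                continue
            if len(data) < 2:
                events.append("too-short")
                continue
            if int.from_bytes(data[:2], "big") == QUERY_ID:
                events.append("reply")
                break
            events.append("unexpected-id")
        return events
    finally:
        resolver.close()
        sender.close()


if __name__ == "__main__":
    print("vulnerable:", read_replies(treat_empty_as_close=True))
    print("fixed     :", read_replies(treat_empty_as_close=False))
```

The vulnerable reader records only "closed" and never sees the genuine reply that was already queued behind the empty datagram, which is the denial of service; the fixed reader records "ignored-empty" followed by "reply". The same rule applies to any datagram protocol: only SOCK_STREAM reads use a 0-byte return to signal end of stream.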

Modularity name: nodejs
Stream name: 18

Solution: 

Update the affected packages (the nodejs:18 module stream) to the versions listed below.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-2.0.20-2.module+el9+1013+246c6553.src.rpm
    MD5: 2e12b29fdd26f6cfbfd5798fb89de97d
    SHA-256: b1fe3a755f87c66ba4c14fcb6bc7240a65a9b0d304656fd117df61b4838bea8a
    Size: 341.80 kB
  2. nodejs-packaging-2021.06-4.module+el9+1013+246c6553.src.rpm
    MD5: e3599b3a0837c7c6f3e6241eccfdb934
    SHA-256: b515a692bae858794ff74ec3d1a93397220e45a8d3c1b4612ef6fd72c9c0d463
    Size: 26.54 kB
  3. nodejs-18.14.2-3.module+el9+1013+246c6553.src.rpm
    MD5: a8571727d3a87887e18933d008b91857
    SHA-256: 4971767c74d2cad16079d4e34be35a64510009180805a7b8d8cc6b7c57c3b2d6
    Size: 175.46 MB

Asianux Server 9 for x86_64
  1. nodejs-18.14.2-3.module+el9+1013+246c6553.x86_64.rpm
    MD5: deefb5da7fa24d4d0aff3d3f05922de3
    SHA-256: 9441c699da10ffba29a5c67fad2a7c88a4ee0d4cbca335623e01f54f65f21f85
    Size: 12.29 MB
  2. nodejs-debugsource-18.14.2-3.module+el9+1013+246c6553.x86_64.rpm
    MD5: b55f7216f885776784f3f3055b5d5006
    SHA-256: 29e3101b1c8f2453aa03bd9a2d8958b8f6348fd6425896b849b4d82e7bc8bee4
    Size: 11.26 MB
  3. nodejs-devel-18.14.2-3.module+el9+1013+246c6553.x86_64.rpm
    MD5: 41d2cdc2cec4ff02b08d83ea9b9f6081
    SHA-256: f414e7ef3ae1bf28d0707e57d03530045c176eaf5b2d2731a286c06248bf6884
    Size: 183.14 kB
  4. nodejs-docs-18.14.2-3.module+el9+1013+246c6553.noarch.rpm
    MD5: 7b16206257d78e83980aaa1f597e8eed
    SHA-256: 9f596c2be380cfa6e58da8aa0290826250ee1af27b14802af9603e5cae0c6733
    Size: 7.42 MB
  5. nodejs-full-i18n-18.14.2-3.module+el9+1013+246c6553.x86_64.rpm
    MD5: f15d53d4eaa84b61bb8ce7d4c8fe8b18
    SHA-256: 5575e1db2e511c0cc4ef69a1fa52640871bd787e58e98641533cc20ff5f53db1
    Size: 8.38 MB
  6. nodejs-nodemon-2.0.20-2.module+el9+1013+246c6553.noarch.rpm
    MD5: 95e3827ca808cb0ae6fc5aa226b8f309
    SHA-256: 960f26441c6d4b6e13ec0ebaed154281fab4bc8d76a663c812f69afe9efacd69
    Size: 260.74 kB
  7. nodejs-packaging-2021.06-4.module+el9+1013+246c6553.noarch.rpm
    MD5: a8ffcb2989c549c512beb6ddb58844a4
    SHA-256: 49456dc4d83303c56186cf75e4a992b9cb3f3ca4f360dad089f1f44f56924d13
    Size: 19.92 kB
  8. nodejs-packaging-bundler-2021.06-4.module+el9+1013+246c6553.noarch.rpm
    MD5: a6e2ec17d49682768e21e70a9d02ecee
    SHA-256: 2fca9d2fc5a1886c6be8404bb9efb402ad165dd5ce6a807e0b425f52364ac574
    Size: 9.76 kB
  9. npm-9.5.0-1.18.14.2.3.module+el9+1013+246c6553.x86_64.rpm
    MD5: 04af508cca7dad442b6c086df9ea8f35
    SHA-256: 23e9576644b726f7298ed6f7c65f741c72e42f7ed6c7e2241d747a87ed595d29
    Size: 1.96 MB
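As an added example, not MIRACLE LINUX tooling, the script below verifies manually downloaded RPMs against the SHA-256 values published in the Download section above before they are installed. It parses the advisory's own listing format (a numbered "name.rpm" line followed by indented MD5, SHA-256 and Size lines); MD5 is recognised but ignored, since it is not collision resistant. The embedded listing is an excerpt constructed from the values on this page, and the directory layout (RPMs saved under their published filenames) is an assumption.

```python
"""Added example: check downloaded RPMs against the advisory's published SHA-256 values."""
import hashlib
import re
from pathlib import Path
from typing import Dict

# Constructed excerpt in the advisory's listing format; values copied from this page.
LISTING = """\
Asianux Server 9 for x86_64
  1. nodejs-18.14.2-3.module+el9+1013+246c6553.x86_64.rpm
    MD5: deefb5da7fa24d4d0aff3d3f05922de3
    SHA-256: 9441c699da10ffba29a5c67fad2a7c88a4ee0d4cbca335623e01f54f65f21f85
    Size: 12.29 MB
  9. npm-9.5.0-1.18.14.2.3.module+el9+1013+246c6553.x86_64.rpm
    MD5: 04af508cca7dad442b6c086df9ea8f35
    SHA-256: 23e9576644b726f7298ed6f7c65f741c72e42f7ed6c7e2241d747a87ed595d29
    Size: 1.96 MB
"""

ENTRY_RE = re.compile(r"^\s*\d+\.\s+(\S+\.rpm)\s*$")
HASH_RE = re.compile(r"^\s*(MD5|SHA-256):\s*([0-9a-fA-F]+)\s*$")


def parse_listing(text: str) -> Dict[str, str]:
    """Map each listed .rpm filename to its published SHA-256 (lowercase hex).
    MD5 lines are matched but deliberately not recorded."""
    expected: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = HASH_RE.match(line)
        if m and current and m.group(1) == "SHA-256" and len(m.group(2)) == 64:
            expected[current] = m.group(2).lower()
    return expected


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so multi-hundred-MB SRPMs do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(listing: str, directory: Path) -> Dict[str, str]:
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every RPM in the listing.
    Anything other than 'ok' means the file must not be installed."""
    results: Dict[str, str] = {}
    for name, digest in parse_listing(listing).items():
        path = directory / name
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if sha256_file(path) == digest else "MISMATCH"
    return results


if __name__ == "__main__":
    for name, status in verify_downloads(LISTING, Path(".")).items():
        print(f"{status:9} {name}")
```

A matching checksum shows the file is the one the advisory describes and was not corrupted or swapped in transit; it is not a substitute for the package signature. Run `rpm -K file.rpm` to check the GPG signature as well, or simply install the update from the repository with dnf, which verifies signatures automatically.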