nodejs:18 security update

エラータID: AXSA:2023-6227:01

Release date: 
Thursday, July 13, 2023 - 06:20
Subject: 
nodejs:18 security update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

* c-ares: 0-byte UDP payload Denial of Service (CVE-2023-32067)
* c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)
* c-ares: Buffer Underwrite in ares_inet_net_pton() (CVE-2023-31130)
* c-ares: Insufficient randomness in generation of DNS query IDs (CVE-2023-31147)
* c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation (CVE-2023-31124)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-4904
A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
CVE-2023-31124
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
CVE-2023-31130
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
CVE-2023-31147
c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
CVE-2023-32067
c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.

Modularity name: nodejs
Stream name: 18

Solution: 

Update packages.

CVEs: 
CVE-2022-4904
A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
CVE-2023-31124
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
CVE-2023-31130
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
CVE-2023-31147
c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
CVE-2023-32067
c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.
Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-2.0.20-2.module+el8+1650+daaf1bbb.src.rpm
    MD5: 72e039b7e155fde8e0ac25830b9e4b83
    SHA-256: 6c045a86d5b9b8efc5f23640f2e3b7e4a2e744744521a9a90d442281fc95e19d
    Size: 342.26 kB
  2. nodejs-packaging-2021.06-4.module+el8+1650+daaf1bbb.src.rpm
    MD5: ec52742a5a52759babfdbd650e315ff9
    SHA-256: 9acfbc9ffdbd6ce4aa524151f91e13b099a74b40660a0c945e86589956e713d0
    Size: 30.29 kB
  3. nodejs-18.14.2-3.module+el8+1650+daaf1bbb.src.rpm
    MD5: 62e6230543bdee74d4274cbc9e0f9e06
    SHA-256: 7dbb8208e450607b6e6b5c77a79f23f82d2e34a578fb671db89eb6de5bb3947b
    Size: 77.93 MB

Asianux Server 8 for x86_64
  1. nodejs-18.14.2-3.module+el8+1650+daaf1bbb.x86_64.rpm
    MD5: 0c2dfd1170d1266fa756ea06ae1f02a9
    SHA-256: 46c513da900441853c27ec7b34060fa5bfab5d64cd0ce21272ffd0fc7e981883
    Size: 13.40 MB
  2. nodejs-debugsource-18.14.2-3.module+el8+1650+daaf1bbb.x86_64.rpm
    MD5: 85ed9dd764c622e7b49b9dff85334eea
    SHA-256: 7d9d74b1def4a114ef7e0a3cee82e92f08028137dcd090779ae5387ce5a3070a
    Size: 13.96 MB
  3. nodejs-devel-18.14.2-3.module+el8+1650+daaf1bbb.x86_64.rpm
    MD5: a0ff8ff382805de5785654715ed0a649
    SHA-256: 2ffa7f44ad61684bf0b85a1dbcce41e4c7afb6a11f3c2574dde680f33680635e
    Size: 205.99 kB
  4. nodejs-docs-18.14.2-3.module+el8+1650+daaf1bbb.noarch.rpm
    MD5: 253155fef185d7f8e12936f1e0c5bf31
    SHA-256: 8a963aa46d0ae547958e3d6959b94f3cb5e7b37a42ac139a057ae1e59d022fa7
    Size: 9.78 MB
  5. nodejs-full-i18n-18.14.2-3.module+el8+1650+daaf1bbb.x86_64.rpm
    MD5: 744b4354569ec2daeb6f7fcfb70c63b1
    SHA-256: 35bac27a985a8b89320d388afc8744bd1de89df81ed5377be1cc479f3619283c
    Size: 8.18 MB
  6. nodejs-nodemon-2.0.20-2.module+el8+1650+daaf1bbb.noarch.rpm
    MD5: 889445f9b58c6e315d32885249f154c7
    SHA-256: 633e8728a1af042e78a00c895fd3cb1eac7996c989d2a78f3ec1557cc5133206
    Size: 274.24 kB
  7. nodejs-packaging-2021.06-4.module+el8+1650+daaf1bbb.noarch.rpm
    MD5: 9bf96a94cf670aca440742b506c33520
    SHA-256: e947911ed6e4abb0a1f7763785684f4a2f955b6c74e3851fe85ca5824bd02d29
    Size: 24.14 kB
  8. nodejs-packaging-bundler-2021.06-4.module+el8+1650+daaf1bbb.noarch.rpm
    MD5: aea81c14438e1a7d1354604686cda191
    SHA-256: a9fbe2bf43b67de4c084d45a414d75ba56d77cb334218087701008ef599975dc
    Size: 13.76 kB
  9. npm-9.5.0-1.18.14.2.3.module+el8+1650+daaf1bbb.x86_64.rpm
    MD5: 29223229fc26a14968b90997d69f7422
    SHA-256: 11b2cbec23bc0901253bd941b6a2e83b34eec20b11faa155fa4f430024b88d2d
    Size: 2.20 MB