nodejs:18 security, bug fix, and enhancement update

Errata ID: AXSA:2023-6295:01

Release date: 
Friday, August 4, 2023 - 05:34
Subject: 
nodejs:18 security, bug fix, and enhancement update
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The package has been upgraded to a later upstream version: nodejs (18).

Security Fix(es):

* nodejs: mainModule.proto bypass experimental policy mechanism (CVE-2023-30581)
* nodejs: process interruption due to invalid Public Key information in x509 certificates (CVE-2023-30588)
* nodejs: HTTP Request Smuggling via Empty headers separated by CR (CVE-2023-30589)
* nodejs: DiffieHellman do not generate keys after setting a private key (CVE-2023-30590)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-30581
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-30588
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and v20.
CVE-2023-30590
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
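
The delimiter rule described under CVE-2023-30589, as an added example that is not part of this advisory or of Node.js: a check that a front end or test harness could run over a raw request head, flagging any line break other than CRLF and showing how a CRLF-only parser and a CR-accepting parser count the header fields differently. The function names and both sample requests are constructed for illustration.

```javascript
'use strict';

const CR = 0x0d, LF = 0x0a;

// Header section: everything up to and including the CRLF that ends the
// last header line, or the whole buffer if no CRLF CRLF terminator exists.
function headerSection(raw) {
  const end = raw.indexOf('\r\n\r\n');
  return end === -1 ? raw : raw.subarray(0, end + 2);
}

// Report every CR not followed by LF and every LF not preceded by CR.
// RFC 7230 section 3 permits only CRLF between header fields.
function findBareLineBreaks(raw) {
  const head = headerSection(raw);
  const findings = [];
  for (let i = 0; i < head.length; i++) {
    if (head[i] === CR && head[i + 1] !== LF) {
      findings.push({ offset: i, kind: 'bare CR' });
    } else if (head[i] === LF && (i === 0 || head[i - 1] !== CR)) {
      findings.push({ offset: i, kind: 'bare LF' });
    }
  }
  return findings;
}

// Count header fields as a CRLF-only parser sees them, and as a parser
// that also treats a lone CR as a delimiter (the behaviour described above).
function countHeaderFields(raw) {
  const text = headerSection(raw).toString('latin1');
  const fields = (lines) => lines.slice(1).filter((l) => l.length > 0).length;
  return {
    strict: fields(text.split('\r\n')),
    crAccepting: fields(text.split(/\r\n|\r/)),
  };
}

// Constructed sample requests (not taken from the advisory).
const CLEAN = Buffer.from(
  'GET / HTTP/1.1\r\nHost: example.test\r\nX-A: 1\r\n\r\n', 'latin1');
const SUSPECT = Buffer.from(
  'GET / HTTP/1.1\r\nHost: example.test\r\nX-A: 1\rX-B: 2\r\n\r\n', 'latin1');

for (const [name, req] of [['clean', CLEAN], ['suspect', SUSPECT]]) {
  console.log(name, findBareLineBreaks(req), countHeaderFields(req));
}
```

A request for which `strict` and `crAccepting` differ is one that two hops in a proxy chain could interpret differently, so rejecting it at the first hop is the safe default.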

Modularity name: nodejs
Stream name: 18

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-2.0.20-2.module+el9+1015+11cf0e3c.src.rpm
    MD5: 076ab04a5fc704e945cc04373849272b
    SHA-256: cd2f2858b345d4bc088c1b2ad32eeebdc0363544ccead053f9a27cb54b24217b
    Size: 341.80 kB
  2. nodejs-packaging-2021.06-4.module+el9+1015+11cf0e3c.src.rpm
    MD5: f36c8c93d1a337f58bdddb4ed9146dfc
    SHA-256: 5b853a17bf8714367613ad3adcfe339e07bbc6d83d37e0d47616cfef0c54eb98
    Size: 26.54 kB
  3. nodejs-18.16.1-1.module+el9+1015+11cf0e3c.src.rpm
    MD5: e141626bc1f4f6c549ef6252f110206d
    SHA-256: 8371d77b26949252aeb4bf9f739565140149a44e981b6d3627a399579699bd71
    Size: 176.54 MB

Asianux Server 9 for x86_64
  1. nodejs-18.16.1-1.module+el9+1015+11cf0e3c.x86_64.rpm
    MD5: 1942956487672f8d452f324e6cb757c8
    SHA-256: 87472345a215dd451d54f1de720f43223e69cf9286d4aa15a52306d7223b3f1c
    Size: 12.28 MB
  2. nodejs-debugsource-18.16.1-1.module+el9+1015+11cf0e3c.x86_64.rpm
    MD5: 0b3f7bd967b321f18d796e5b7fc0b20b
    SHA-256: 0b032a915e0552b956273e4937d9e3c6258effbbb18a004173af3103188bc5de
    Size: 11.31 MB
  3. nodejs-devel-18.16.1-1.module+el9+1015+11cf0e3c.x86_64.rpm
    MD5: b58190e43a09dd369c2475ac473203d1
    SHA-256: 9d27b35c3aa6956e07077528e73f6127e7c3f7b6f44d9b079524d5a097e55fd8
    Size: 183.39 kB
  4. nodejs-docs-18.16.1-1.module+el9+1015+11cf0e3c.noarch.rpm
    MD5: d46c1503c0de0efbda99bebca2677cf7
    SHA-256: c0a3376ab922f26146a4b6b7b8cd5585237064738d9a76ee3d9837379c9ae3c7
    Size: 7.52 MB
  5. nodejs-full-i18n-18.16.1-1.module+el9+1015+11cf0e3c.x86_64.rpm
    MD5: 75a5cfe3b12a21acb9bb2b1f5add1415
    SHA-256: 7813edb6788e82e42c2f749f837472784bd57eb31f921546cfc5368af761e0a8
    Size: 8.38 MB
  6. nodejs-nodemon-2.0.20-2.module+el9+1015+11cf0e3c.noarch.rpm
    MD5: 76bbaf07425cb179d01b3e7e1bdfe034
    SHA-256: 95b9d3ecb2458145e39daa0ca29374e332fc76030e0bbe90963b6aff943b6a9c
    Size: 260.76 kB
  7. nodejs-packaging-2021.06-4.module+el9+1015+11cf0e3c.noarch.rpm
    MD5: eacf9ddf997e2f6b4af785e46084fa0a
    SHA-256: 06a81eadf189c593fb087e89b8302be98ae0aa55d87c371e0586f9b9e345bb75
    Size: 19.91 kB
  8. nodejs-packaging-bundler-2021.06-4.module+el9+1015+11cf0e3c.noarch.rpm
    MD5: 7d100d67a2ee440820103b223df4128d
    SHA-256: 8bb27574387c12aa0a2b4a0bc13a728108d01fb3418fb8cabd940c8e84e4f1fb
    Size: 9.76 kB
  9. npm-9.5.1-1.18.16.1.1.module+el9+1015+11cf0e3c.x86_64.rpm
    MD5: 56d2c26fb52ec6a6e9bf7b4bd140d06c
    SHA-256: 207f9aa758f22cff0864f34343a871cd727a3f024006b7d519b80838b6db98e6
    Size: 1.97 MB