nodejs:16 security update
Errata ID: AXSA:2023-6328:01
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The package has been upgraded to a later upstream version: nodejs (16.20.1). (BZ#2223678, BZ#2223680, BZ#2223682, BZ#2223684, BZ#2223686, BZ#2223688)
Security Fix(es):
* nodejs: mainModule.proto bypass experimental policy mechanism (CVE-2023-30581)
* nodejs: process interruption due to invalid Public Key information in x509 certificates (CVE-2023-30588)
* nodejs: HTTP Request Smuggling via Empty headers separated by CR (CVE-2023-30589)
* nodejs: DiffieHellman do not generate keys after setting a private key (CVE-2023-30590)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2023-30581
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-30588
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and v20.
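As an added example (not part of the advisory or of Node.js itself), the sketch below shows a pre-parse check a proxy or test harness could apply: it flags any CR not followed by LF in the request head and compares the header names seen by a CRLF-only splitter with those seen by one that also accepts a lone CR. The function names and both sample requests are constructed for illustration.

```javascript
// Added example: detect a bare CR (CR not followed by LF) in an HTTP/1.1 request head.
const CR = 0x0d;
const LF = 0x0a;

// Header section: everything up to and including the last field's CRLF.
function headOf(raw) {
  const end = raw.indexOf('\r\n\r\n');
  return end === -1 ? raw : raw.subarray(0, end + 2);
}

// Byte offsets of every CR in the head that is not immediately followed by LF.
function findBareCR(raw) {
  const head = headOf(raw);
  const hits = [];
  for (let i = 0; i < head.length; i++) {
    if (head[i] === CR && head[i + 1] !== LF) hits.push(i);
  }
  return hits;
}

// Field names obtained when the head is split on the given line delimiter.
function fieldNames(raw, delimiter) {
  return headOf(raw).toString('latin1')
    .split(delimiter)
    .slice(1) // drop the request line
    .filter((line) => line.includes(':'))
    .map((line) => line.slice(0, line.indexOf(':')).toLowerCase());
}

// RFC 7230 section 3 view: only CRLF ends a header field.
const strictNames = (raw) => fieldNames(raw, /\r\n/);
// Lenient view: a lone CR also ends a field, the behaviour the CVE text describes.
const lenientNames = (raw) => fieldNames(raw, /\r\n|\r/);

// Constructed sample requests (not taken from the advisory).
const clean = Buffer.from('GET / HTTP/1.1\r\nHost: example.test\r\nX-A: 1\r\n\r\n', 'latin1');
const odd = Buffer.from('GET / HTTP/1.1\r\nHost: example.test\r\nX-A: 1\rX-B: 2\r\n\r\n', 'latin1');

for (const [label, req] of [['clean', clean], ['odd', odd]]) {
  console.log(label, {
    bareCR: findBareCR(req),
    strict: strictNames(req),
    lenient: lenientNames(req),
  });
}
```

A mismatch between the two name lists marks a request that two hops could interpret differently; rejecting it before forwarding is the conservative handling until the updated packages are installed.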
CVE-2023-30590
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Modularity name: nodejs
Stream name: 16
Update packages.
SRPMS
- nodejs-nodemon-2.0.20-3.module+el8+1652+4ee522e3.src.rpm
MD5: 65b36d5274bbdf2af25695846d6bc3f9
SHA-256: 88020c6d6b05ded460ecff0b9341e71431dcda97f1c12e37925a6eb38b3179a0
Size: 395.30 kB
- nodejs-packaging-25-1.module+el8+1652+4ee522e3.src.rpm
MD5: 408731dc6dde426d172611eb6543be49
SHA-256: 8a856d2fa6557adb2f6a48b2ba7af494bb5b77eb9eb13ed9839ae00a1524db9b
Size: 26.80 kB
- nodejs-16.20.1-1.module+el8+1652+4ee522e3.src.rpm
MD5: a56a581c34917fd9c3e4c541a8ba038c
SHA-256: 34c5a66d69af2c854bb20e2495bad2dfc0de258f0871f993301278811c7f6f8a
Size: 70.74 MB
Asianux Server 8 for x86_64
- nodejs-16.20.1-1.module+el8+1652+4ee522e3.x86_64.rpm
MD5: c125a1744018742494d5c9fb3110ba19
SHA-256: 50b3e66f95893ec972017b730cb6e4741e435d81cea18859a36caa05a1136671
Size: 12.27 MB
- nodejs-debugsource-16.20.1-1.module+el8+1652+4ee522e3.x86_64.rpm
MD5: 1e0e7c54d281d0f31269d88e7039504d
SHA-256: 64153705840b5bf33de75d74031815fcc0c93a4ff3e984b94071c370163f4ea4
Size: 13.04 MB
- nodejs-devel-16.20.1-1.module+el8+1652+4ee522e3.x86_64.rpm
MD5: 64d040d6a1435f763a9649cd9eb7c104
SHA-256: 84406c98bf16c085b207b740dda6363c8cfd9b49059b56486a82926c05a7795c
Size: 192.28 kB
- nodejs-docs-16.20.1-1.module+el8+1652+4ee522e3.noarch.rpm
MD5: 50ccca12c9c966ce2850d9f4739919c0
SHA-256: dc01e3f010533c89f222591fb26b1f9547532ca3ccc9a88973a6aa22a7ae80d4
Size: 9.35 MB
- nodejs-full-i18n-16.20.1-1.module+el8+1652+4ee522e3.x86_64.rpm
MD5: b4e1fb8ce063fcad25f87b081162199d
SHA-256: 36c3928ac035f9e6ee62847c3c4bd896e9e264c194b187de62dd43a7b0a700d4
Size: 8.01 MB
- nodejs-nodemon-2.0.20-3.module+el8+1652+4ee522e3.noarch.rpm
MD5: 1ae4782101f38c740dd02d3ebf85c902
SHA-256: 915ee475864311e919180eb2bf8aeccfa412506bab0d4aaf7e7115e144542246
Size: 272.63 kB
- nodejs-packaging-25-1.module+el8+1652+4ee522e3.noarch.rpm
MD5: e7997a39657ea52e22c9e7d4e0b72648
SHA-256: 7b1e2ad1eb8d42f3047a18f25eda47b01851d3d4d06ce70f324d01c36bd91f89
Size: 23.19 kB
- npm-8.19.4-1.16.20.1.1.module+el8+1652+4ee522e3.x86_64.rpm
MD5: 2392921161faf355360a0932d4e9cb1b
SHA-256: 0e299d8342c9148a22208733280ec2a9577a230265a281c47496861dc18f5be1
Size: 1.88 MB