nodejs:18 security, bug fix, and enhancement update

エラータID: AXSA:2023-6339:01

Release date: 
Wednesday, August 16, 2023 - 08:19
Subject: 
nodejs:18 security, bug fix, and enhancement update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.

The package has been upgraded to a later upstream version: nodejs (18.16.1).

Security Fix(es):

nodejs: mainModule.proto bypass experimental policy mechanism
(CVE-2023-30581)
nodejs: process interuption due to invalid Public Key information in x509
certificates (CVE-2023-30588)
nodejs: HTTP Request Smuggling via Empty headers separated by CR
(CVE-2023-30589)
nodejs: DiffieHellman do not generate keys after setting a private key
(CVE-2023-30590)

CVE(s):
CVE-2023-30581
CVE-2023-30588
CVE-2023-30589
CVE-2023-30590

Modularity name: nodejs
Stream name: 18

Solution: 

Update packages.

CVEs: 
CVE-2023-30581
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-30588
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20
CVE-2023-30590
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-2.0.20-2.module+el8+1657+e8eed1e5.src.rpm
    MD5: ef1c3aded88407e88a63c6a4c1bbf175
    SHA-256: a9523fa7468549e3a9e54f339d0946467d71bfc215e2040ad099d418d91be3cc
    Size: 342.26 kB
  2. nodejs-packaging-2021.06-4.module+el8+1657+e8eed1e5.src.rpm
    MD5: 83d3fe33bfcd862e0a2b96b009bf625c
    SHA-256: 00e039709ffe168da3eaeb12d388d4d5141dd3c2684a8148735d43da9dfe09d5
    Size: 30.29 kB
  3. nodejs-18.16.1-1.module+el8+1657+e8eed1e5.src.rpm
    MD5: 664d60b2c4dbb8069e984b2792d4fbda
    SHA-256: bcdeb62b66d0eb4d39f736eb9995e5e8c813fe9f6f89ceb6d81a7ec538a4c558
    Size: 79.01 MB

Asianux Server 8 for x86_64
  1. nodejs-18.16.1-1.module+el8+1657+e8eed1e5.x86_64.rpm
    MD5: 1d93a347108ab4e0c1d0b1ff40479b37
    SHA-256: 792b31317b0568dca87102dd44c6434d2ce509633dfa0c7fa68084fc3b2e1f83
    Size: 13.31 MB
  2. nodejs-debugsource-18.16.1-1.module+el8+1657+e8eed1e5.x86_64.rpm
    MD5: ef5d2ad5337f8bbe31360497ddf34f42
    SHA-256: 7c31685401fa3b321ef0b56688c5a5a64d92b250bbca0a79d240dbd78a937140
    Size: 14.02 MB
  3. nodejs-devel-18.16.1-1.module+el8+1657+e8eed1e5.x86_64.rpm
    MD5: c5decc59e70dcee8e3010f368dca27c9
    SHA-256: cd6b1b4edfad272cf68aec60844cec8118db43063e596b00f1e04f39b5c95af5
    Size: 206.46 kB
  4. nodejs-docs-18.16.1-1.module+el8+1657+e8eed1e5.noarch.rpm
    MD5: b70c3c0fce3f2ac1d7b383f9a3441b01
    SHA-256: ba2e947b85d264b23d51cb14e2340185609cf511b1621d12482107370be8051c
    Size: 9.88 MB
  5. nodejs-full-i18n-18.16.1-1.module+el8+1657+e8eed1e5.x86_64.rpm
    MD5: b0f15750c2825b1c4ff6efc0120461f5
    SHA-256: 1ede93d10d3d6e4d39aa157e143c066608ef40eb8f1cfc6c495b856578b336a4
    Size: 8.18 MB
  6. nodejs-nodemon-2.0.20-2.module+el8+1657+e8eed1e5.noarch.rpm
    MD5: 334ca99461084db215f68bde0f5896e1
    SHA-256: 32fa6ee0380b90d00a1f59b98ab8f8dbec42d990a158a2c7a297120eb472aa23
    Size: 274.23 kB
  7. nodejs-packaging-2021.06-4.module+el8+1657+e8eed1e5.noarch.rpm
    MD5: cf9f387c9e06297c49cc96d52db4e181
    SHA-256: 73c3f8498243d7a0a34d78348871ea258000c6e1b6972c67c2e43707c4695a2a
    Size: 24.14 kB
  8. nodejs-packaging-bundler-2021.06-4.module+el8+1657+e8eed1e5.noarch.rpm
    MD5: 6baa62d2a60aeefa6df38ab82c6030d5
    SHA-256: 602b1923d897f6d0481dbb0c9a73b551e4f1026ae65f94cdde1d0d1a66bc6efd
    Size: 13.76 kB
  9. npm-9.5.1-1.18.16.1.1.module+el8+1657+e8eed1e5.x86_64.rpm
    MD5: 766d2adbae53511b88b5cd0573a44345
    SHA-256: 07816c98c556fce8a1d906ca21d0573c3e9b048881fe231a09d180b9f9240061
    Size: 2.20 MB