nodejs:18 security, bug fix, and enhancement update
エラータID: AXSA:2023-6463:01
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: nodejs (18). (BZ#2223313, BZ#2234404)
Security Fix(es):
* nodejs: Permissions policies can be bypassed via Module._load (CVE-2023-32002)
* nodejs-semver: Regular expression denial of service (CVE-2022-25883)
* nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire() (CVE-2023-32006)
* nodejs: Permissions policies can be bypassed via process.binding (CVE-2023-32559)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2022-25883
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
CVE-2023-32002
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
CVE-2023-32006
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
CVE-2023-32559
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
Modularity name: "nodejs"
Stream name: "18"
Update packages.
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
N/A
SRPMS
- nodejs-nodemon-3.0.1-1.module+el9+1017+47e88fad.src.rpm
MD5: e5abc5b9b062ee06da43a1e12d6f9008
SHA-256: da5de9e22b107abc4d539a9b8202032cb20348678061ba23719157298b169d04
Size: 339.27 kB - nodejs-packaging-2021.06-4.module+el9+1017+47e88fad.src.rpm
MD5: cb339affdcae4ac4dae7aabda3e0b778
SHA-256: 80e06a7cabcb23cb2434da8008c9d8821a3c0e1ef8dbe0d798265bf946932747
Size: 26.54 kB - nodejs-18.17.1-1.module+el9+1017+47e88fad.src.rpm
MD5: 1e58a6e3f36cd1dab689d770fdc5dcd2
SHA-256: c13e785e9e97d8a8f982afd97f1fca5125fab5f669e3d05b0f64eec4f421020b
Size: 123.66 MB
Asianux Server 9 for x86_64
- nodejs-18.17.1-1.module+el9+1017+47e88fad.x86_64.rpm
MD5: 22876d51cfc26d69b8cb70149051c6c2
SHA-256: 2c8dd86b722b2e592dbfacb04a6928f48fe3f38c64884a14de38949820ada62b
Size: 12.57 MB - nodejs-debugsource-18.17.1-1.module+el9+1017+47e88fad.x86_64.rpm
MD5: 9755ed0cdae7b31dfd0e4afb57caf082
SHA-256: 9b3535f866a266d6a474348db1945178b7ca7e45bec6c48db6b1f7aa1b79ee38
Size: 11.63 MB - nodejs-devel-18.17.1-1.module+el9+1017+47e88fad.x86_64.rpm
MD5: 0d59ae9b3f41452568369f6522eecf51
SHA-256: c1183c227dec383b7319f0db0737994bd7a5e8b332722c4261849f44530a8d44
Size: 183.48 kB - nodejs-docs-18.17.1-1.module+el9+1017+47e88fad.noarch.rpm
MD5: 08e97cdf756ece87e666065a2329f91b
SHA-256: 8fd106cca067578740a5d548de8314b15ff46979ff210aea14fa317b49ae9a23
Size: 7.59 MB - nodejs-full-i18n-18.17.1-1.module+el9+1017+47e88fad.x86_64.rpm
MD5: 8c25d1a9cbdefae40f3ff3b6393a9303
SHA-256: dd820408f5f96dd4c3f44a29affb4439e0943a3eacefb9ef56d5776a66b35f65
Size: 8.51 MB - nodejs-nodemon-3.0.1-1.module+el9+1017+47e88fad.noarch.rpm
MD5: 9464c56b231d70fca102f409cfdb8a76
SHA-256: 6daf194681468677e8959e0bef496a8621162b559dcaa42fe3d5cd66454b8fe6
Size: 268.42 kB - nodejs-packaging-2021.06-4.module+el9+1017+47e88fad.noarch.rpm
MD5: 8fdc45dcaf187f73cfeecce8d3a960b6
SHA-256: aa1bd4cb0e7ca63308ef3090ecdbed9edb78c6e442714046d93ece21d8c5bf7c
Size: 19.91 kB - nodejs-packaging-bundler-2021.06-4.module+el9+1017+47e88fad.noarch.rpm
MD5: 374589c4c0676406d15d7fa534d65202
SHA-256: 56107b31a7d656e56260bdc909b3ab9b6e22947587a0a45201a0a76c3259f96d
Size: 9.76 kB - npm-9.6.7-1.18.17.1.1.module+el9+1017+47e88fad.x86_64.rpm
MD5: 6d83c1324993304a75643ed6cd845b5e
SHA-256: d34e9ce01a4916c07987dc85272a54d7cb9aeb89de303ad5672f15f787a8c897
Size: 2.02 MB
日本語