nodejs:16 security, bug fix, and enhancement update
Errata ID: AXSA:2023-6464:01
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: nodejs (16). (BZ#2233891)
Security Fix(es):
* nodejs: Permissions policies can be bypassed via Module._load (CVE-2023-32002)
* nodejs-semver: Regular expression denial of service (CVE-2022-25883)
* nodejs: Permissions policies can be bypassed by impersonating other modules using module.constructor.createRequire() (CVE-2023-32006)
* nodejs: Permissions policies can be bypassed via process.binding (CVE-2023-32559)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* nodejs:16/nodejs: nodejs.prov doesn't generate the bundled dependency for scoped modules whose names start with @, such as @colors/colors (BZ#2237394)
CVE-2022-25883
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
CVE-2023-32002
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
CVE-2023-32006
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
CVE-2023-32559
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` to run arbitrary code outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
Modularity name: "nodejs"
Stream name: "16"
Update packages.
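As an added example (not part of this advisory or of Node.js itself), a small Node.js script that checks whether an installed nodejs RPM is at or above the fixed build listed below and whether a vendored semver copy is outside the CVE-2022-25883 range. The installed NEVRA strings are constructed samples and the version comparison is a simplified rpmvercmp, so treat the result as a triage aid rather than a substitute for `rpm -q`.

```javascript
'use strict';
// Fixed builds taken from this advisory's text and package list (not project code).
const FIXED_RPM = 'nodejs-16.20.2-2.module+el8+1662+5350972c.x86_64.rpm';
const FIXED_SEMVER = '7.5.2'; // semver before 7.5.2 is ReDoS-prone (CVE-2022-25883)

// Parse "name-version-release.arch[.rpm]"; the name may itself contain hyphens
// (nodejs-nodemon), so the last two hyphen-separated fields are version and release.
function parseRpm(nevra) {
  const m = /^(.+)-([^-]+)-([^-]+)\.([^.]+)$/.exec(nevra.replace(/\.rpm$/, ''));
  if (!m) throw new Error(`not an RPM name: ${nevra}`);
  return { name: m[1], version: m[2], release: m[3], arch: m[4] };
}

// Simplified rpmvercmp: split into digit/letter runs; digits compare numerically,
// letters lexically, a digit run outranks a letter run, more segments is newer.
function compareVersion(a, b) {
  const seg = (s) => s.match(/\d+|[A-Za-z]+/g) || [];
  const sa = seg(a), sb = seg(b);
  for (let i = 0; i < Math.max(sa.length, sb.length); i++) {
    const x = sa[i], y = sb[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (BigInt(x) !== BigInt(y)) return BigInt(x) < BigInt(y) ? -1 : 1;
    } else if (xn !== yn) {
      return xn ? 1 : -1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}
// True when the installed nodejs build is at or above the advisory's fixed build.
function nodejsIsPatched(installedNevra) {
  const inst = parseRpm(installedNevra), fixed = parseRpm(FIXED_RPM);
  if (inst.name !== fixed.name) throw new Error(`expected ${fixed.name}, got ${inst.name}`);
  const v = compareVersion(inst.version, fixed.version);
  return v > 0 || (v === 0 && compareVersion(inst.release, fixed.release) >= 0);
}
// True when a vendored semver copy is outside the affected range.
function semverIsPatched(version) { return compareVersion(version, FIXED_SEMVER) >= 0; }

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample inputs; on a real host they would come from `rpm -q nodejs`.
  for (const n of ['nodejs-16.20.1-1.module+el8+1500+abcdef12.x86_64',
                   'nodejs-16.20.2-2.module+el8+1662+5350972c.x86_64']) {
    console.log(n, nodejsIsPatched(n) ? 'patched' : 'vulnerable');
  }
}
```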
SRPMS
- nodejs-nodemon-3.0.1-1.module+el8+1662+5350972c.src.rpm
MD5: 2d9af109363ddeb6d8eb770a126ac38f
SHA-256: 70c4aa66873ef916d4267fa215e91db58b83eca2f3de1fe78c3b1d1b96946579
Size: 340.68 kB
- nodejs-packaging-26-1.module+el8+1662+5350972c.src.rpm
MD5: 4eb879cc9a9d80013d82dbae655f8bf6
SHA-256: ce41fee093b06e532451a89a05b909a5cd4459afbc3538f8f0fe340851adcc16
Size: 29.28 kB
- nodejs-16.20.2-2.module+el8+1662+5350972c.src.rpm
MD5: 588f1bb3de6cd729535f97287445f017
SHA-256: 10b4096c257488d80b6a43b8f3f266e82badf8e273b49fd0fe0f8d22762d166d
Size: 71.53 MB
Asianux Server 8 for x86_64
- nodejs-16.20.2-2.module+el8+1662+5350972c.x86_64.rpm
MD5: 630436258fc80e3edcaa09e57ddc2dcf
SHA-256: 588fd877b19738e6879d229ebcd8ede27b7f46e9b66d1c92d7cbf33d0e04ea41
Size: 12.27 MB
- nodejs-debugsource-16.20.2-2.module+el8+1662+5350972c.x86_64.rpm
MD5: dbc344b0e491118ca2c3086edbdac284
SHA-256: 1047e790c56f2b078b5a246ac57126c98204814bfc23e25fd426658de99821ac
Size: 13.05 MB
- nodejs-devel-16.20.2-2.module+el8+1662+5350972c.x86_64.rpm
MD5: a1eb87b32c89ec5b60932d1b340215b0
SHA-256: a8cf65b2da7a3e15381ca38758cf88a0b6d2566e7e52568be5943272226eed18
Size: 192.58 kB
- nodejs-docs-16.20.2-2.module+el8+1662+5350972c.noarch.rpm
MD5: 826868f955ef502cb250aef1d5bdb79e
SHA-256: 594d6295a69ba077c748e56034e74881025ef172945e9f4f28fe789ec59c06dd
Size: 9.35 MB
- nodejs-full-i18n-16.20.2-2.module+el8+1662+5350972c.x86_64.rpm
MD5: 3801e6bc0716e2a64b2974b22cac7323
SHA-256: ddc65ca94c8530ae842c937fe0b5dde29e41427c1560cc614c41d9b23ced21bc
Size: 8.01 MB
- nodejs-nodemon-3.0.1-1.module+el8+1662+5350972c.noarch.rpm
MD5: f0a74bff74df2ac29feab957fe6fc8df
SHA-256: 6f11c7f04e6866e6f8720a11902817388b9bf1ca11cb0b284fc8707b819fc8c3
Size: 282.09 kB
- nodejs-packaging-26-1.module+el8+1662+5350972c.noarch.rpm
MD5: c1ce3b277d1bfe209f591ac154b11743
SHA-256: 42ba41676d24fcf0a147a80adf9f8658e290a51319cd7c116c06fa646b1d898c
Size: 23.37 kB
- npm-8.19.4-1.16.20.2.2.module+el8+1662+5350972c.x86_64.rpm
MD5: 4b02a50d9e3387dd6d30d66f80731967
SHA-256: 970fcf7d85675c6f8b2f85f601adb8b2c962c8294e54c98610dcf077a698f471
Size: 1.88 MB