nodejs:18 security, bug fix, and enhancement update

Errata ID: AXSA:2023-6466:01

Release date: 
Monday, October 2, 2023 - 09:51
Subject: 
nodejs:18 security, bug fix, and enhancement update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (18). (BZ#2234409)

Security Fix(es):

* nodejs: Permissions policies can be bypassed via Module._load (CVE-2023-32002)
* nodejs-semver: Regular expression denial of service (CVE-2022-25883)
* nodejs: Permissions policies can be bypassed by impersonating other modules using module.constructor.createRequire() (CVE-2023-32006)
* nodejs: Permissions policies can be bypassed via process.binding (CVE-2023-32559)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-25883
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Range` constructor (`new Range()`) when untrusted user data is provided as a range string.
CVE-2023-32002
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users of the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
CVE-2023-32006
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users of the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
CVE-2023-32559
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` to run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Modularity name: "nodejs"
Stream name: "18"

Solution: 

Update the affected packages of the nodejs:18 module stream (listed under Download) to the fixed version, then restart any running Node.js services so they load the updated runtime.
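The following script is an added example, not part of the advisory: it checks whether the installed nodejs package already carries the fixed version named in this errata (18.17.1) and verifies a downloaded RPM against one of the SHA-256 sums listed under Download. The version comparison relies on the fact that this errata is a rebase to upstream 18.17.1, so a lower upstream version means the fix is absent; the `rpm` query and the `dnf` command are only run when those tools exist on the host.

```bash
#!/usr/bin/env bash
# Added example (not the advisory's own tooling): check an installed nodejs RPM
# against the fixed version from AXSA:2023-6466:01 and verify package checksums.

FIXED_NODEJS_VERSION="18.17.1"   # version carried by nodejs-18.17.1-1.module+el8+1663+1234d7c6

# version_ge A B -> exit 0 if dotted numeric version A is >= B (component by component,
# missing components count as 0, leading zeros are not treated as octal).
version_ge() {
  local IFS=.
  local -a a=($1) b=($2)
  local i n=${#a[@]}
  if [ ${#b[@]} -gt "$n" ]; then n=${#b[@]}; fi
  for ((i = 0; i < n; i++)); do
    local x=${a[i]:-0} y=${b[i]:-0}
    if ((10#$x > 10#$y)); then return 0; fi
    if ((10#$x < 10#$y)); then return 1; fi
  done
  return 0
}

# nodejs_version_from_nvr "nodejs-18.17.1-1.module+el8+..." -> "18.17.1"
# Also accepts a bare VERSION-RELEASE string as printed by rpm --qf '%{VERSION}-%{RELEASE}'.
nodejs_version_from_nvr() {
  local nvr="${1#nodejs-}"
  printf '%s\n' "${nvr%%-*}"
}

# nodejs_is_fixed NVR -> exit 0 when the package version is at or above the fixed version.
# Caveat: this is a pure version comparison; it is valid here because the fix is an
# upstream rebase, not a backport hidden in the release field.
nodejs_is_fixed() {
  version_ge "$(nodejs_version_from_nvr "$1")" "$FIXED_NODEJS_VERSION"
}

# verify_rpm_sha256 FILE EXPECTED_HEX -> exit 0 when the file's SHA-256 matches.
verify_rpm_sha256() {
  local file="$1" expected="$2" actual
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | awk '{print $1}')
  else
    actual=$(shasum -a 256 "$file" | awk '{print $1}')
  fi
  [ "$actual" = "$expected" ]
}

# Host check: only runs where rpm is available (e.g. on Asianux Server 8).
if command -v rpm >/dev/null 2>&1 && rpm -q nodejs >/dev/null 2>&1; then
  installed=$(rpm -q nodejs --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' | head -n 1)
  if nodejs_is_fixed "$installed"; then
    echo "OK: $installed is at or above $FIXED_NODEJS_VERSION"
  else
    echo "NOT FIXED: $installed; update the nodejs:18 stream, e.g.:"
    echo "  dnf module update nodejs:18   # or: dnf update nodejs npm"
  fi
fi

# Example of checking a downloaded package against the sum listed in this advisory
# (path is illustrative; the file is only checked if it is present):
rpm_file="./nodejs-18.17.1-1.module+el8+1663+1234d7c6.x86_64.rpm"
if [ -f "$rpm_file" ]; then
  if verify_rpm_sha256 "$rpm_file" \
      6c3ff5b77ab2df2ef5fbd844c13f30e92b9e6a9c4eaa260b0cb623284a67a181; then
    echo "checksum OK: $rpm_file"
  else
    echo "CHECKSUM MISMATCH: $rpm_file" >&2
  fi
fi
```

Checksum verification is a complement to, not a substitute for, the RPM GPG signature check that `dnf` performs; the SHA-256 values on this page let you confirm that a package copied out of band is the one the errata published.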

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-3.0.1-1.module+el8+1663+1234d7c6.src.rpm
    MD5: 3b3733f3578fff16658d9591d3f355bf
    SHA-256: 0d44528e06c88b29bf36c7419e1f4ac39f369471d9eea271b7e76097b003463e
    Size: 340.68 kB
  2. nodejs-packaging-2021.06-4.module+el8+1663+1234d7c6.src.rpm
    MD5: 06d1727528e6ccc2f769f30737025339
    SHA-256: 412e3b8fd345ba86776a2194bf1cb65be959f4028037b38d97e05f3b32c50dec
    Size: 30.29 kB
  3. nodejs-18.17.1-1.module+el8+1663+1234d7c6.src.rpm
    MD5: ad8b7458c335b48fac2f88c33b0358ab
    SHA-256: a363f303de46f7504f05af13650baf1c196930cb4da6a1b0e09a8a910d356c7d
    Size: 123.66 MB

Asianux Server 8 for x86_64
  1. nodejs-18.17.1-1.module+el8+1663+1234d7c6.x86_64.rpm
    MD5: 00a60a02ac3b3e7509d0436b820000ed
    SHA-256: 6c3ff5b77ab2df2ef5fbd844c13f30e92b9e6a9c4eaa260b0cb623284a67a181
    Size: 13.41 MB
  2. nodejs-debugsource-18.17.1-1.module+el8+1663+1234d7c6.x86_64.rpm
    MD5: 68638eda4ef4dd117b5e571b184abc5c
    SHA-256: 13cceda2808a1ee65997ace12014e1488007180bd50c7facbddfcd45ce8ff049
    Size: 14.42 MB
  3. nodejs-devel-18.17.1-1.module+el8+1663+1234d7c6.x86_64.rpm
    MD5: f3cf3a1b3fc0c85c3e040673c47b9565
    SHA-256: 3486929c414c5fb302c4889b21425c10b0e47f98e65bacc5ddef23374bfd0f06
    Size: 206.74 kB
  4. nodejs-docs-18.17.1-1.module+el8+1663+1234d7c6.noarch.rpm
    MD5: 8dd7b13ce9a2ffa95db61c6daf02af84
    SHA-256: 9a44769e3a82f90b307ef99641b3098db17cba2877c2ce049665beb4f436d37f
    Size: 9.98 MB
  5. nodejs-full-i18n-18.17.1-1.module+el8+1663+1234d7c6.x86_64.rpm
    MD5: ca2888f607f11c9ee8b3a0649ef70d02
    SHA-256: 3c752c8e07b2042a6a86c571f1427ef296b2a90017ec72fabecb7ec743c92d8e
    Size: 8.24 MB
  6. nodejs-nodemon-3.0.1-1.module+el8+1663+1234d7c6.noarch.rpm
    MD5: d45d6c018d0a762bb34d18afce997cdc
    SHA-256: 916ec4d0bfb06c94891436c41eca8fb2502257632c63a87fc78237347bcaa8be
    Size: 282.10 kB
  7. nodejs-packaging-2021.06-4.module+el8+1663+1234d7c6.noarch.rpm
    MD5: 3e271585c5e292410d461c36b5d47fc7
    SHA-256: c506f16f78ed206acfef55b5e5cfeec2491d1d12d8f365419e598f8717a5932f
    Size: 24.14 kB
  8. nodejs-packaging-bundler-2021.06-4.module+el8+1663+1234d7c6.noarch.rpm
    MD5: 1b5d6071bfdb966b606a9753360ac443
    SHA-256: 5dd06d7fd9b19305924c60ca0f1ef3f43f84c78522135420d046a37cb7600fb0
    Size: 13.76 kB
  9. npm-9.6.7-1.18.17.1.1.module+el8+1663+1234d7c6.x86_64.rpm
    MD5: 6d820e904add2072c5b1f19ebe8fbf09
    SHA-256: 91b643d970f5c20c2bf8753420436fe6b491dff3fa68cc60cebfd152d5bd7248
    Size: 2.26 MB