nodejs:18 security update

Errata ID: AXSA:2023-6525:01

Release date: Friday, October 20, 2023 - 12:31
Subject: nodejs:18 security update
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description:

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
* nodejs: integrity checks according to policies can be circumvented (CVE-2023-38552)
* nodejs: code injection via WebAssembly export names (CVE-2023-39333)
* node-undici: cookie leakage (CVE-2023-45143)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-38552
When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to Node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users of the experimental policy mechanism in all active release lines: 18.x and 20.x. Please note that at the time this CVE was issued, the policy mechanism was an experimental feature of Node.js.
CVE-2023-39333
RESERVED
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2023-45143
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, so they cannot be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect between the assumptions the spec made and undici's implementation of fetch. As such this may lead to accidental leakage of cookies to a third-party site, or to a malicious attacker who can control the redirection target (i.e. an open redirector) leaking the cookie to the third-party site. This was patched in version 5.26.2. There are no known workarounds.

Modularity name: "nodejs"
Stream name: "18"

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-3.0.1-1.module+el9+1018+1b955d7b.src.rpm
    MD5: 0cdf82433a39a21df1ea4824985f3150
    SHA-256: 4761126e4f6c52a2c6e9a1f5c0be73586c38cb6d2a84e70f317c4d488e920baf
    Size: 339.27 kB
  2. nodejs-packaging-2021.06-4.module+el9+1018+1b955d7b.src.rpm
    MD5: 1c127cf2808a29329ab9058cafcc1e8e
    SHA-256: 7f2bcf6f40b38e8404f3e71f56558e44034d3f0f68e9a39eb1bba6b0d8fdad7b
    Size: 26.54 kB
  3. nodejs-18.18.2-2.module+el9+1018+1b955d7b.src.rpm
    MD5: 6703450e079bd6b6cfcba8eebaf48eb4
    SHA-256: fa705b6093fc91cafa778f1e3e4318eacef8aef31cb4c79d8d0683d4d3c1346e
    Size: 122.96 MB

Asianux Server 9 for x86_64
  1. nodejs-18.18.2-2.module+el9+1018+1b955d7b.x86_64.rpm
    MD5: e68f54437923016c09e14a5026488506
    SHA-256: 9b3c32401b7cbfa42dbbd5e7635997232e1e946566d910bf2ee825776a2515b8
    Size: 12.56 MB
  2. nodejs-debugsource-18.18.2-2.module+el9+1018+1b955d7b.x86_64.rpm
    MD5: ef6ac00b8babb944ddf83c8f4c04c7c0
    SHA-256: 8606d385117c035065072ea4b650b84b10c8b94bb5d84880ff83f0112e6d0bd9
    Size: 11.67 MB
  3. nodejs-devel-18.18.2-2.module+el9+1018+1b955d7b.x86_64.rpm
    MD5: a0d05ae5e636cbc01d05e9dc2d6c08f3
    SHA-256: cd24c66d02ef704e6d5b483cf9a71348e3c6e21a43f2acd65b162801e371c45c
    Size: 183.36 kB
  4. nodejs-docs-18.18.2-2.module+el9+1018+1b955d7b.noarch.rpm
    MD5: b06132737e70fdd317dc60f3895ba9ac
    SHA-256: d8c14cf81a1bf108f8bb2eaaa545a45cbacf4476c63b8364183a5281cde4069d
    Size: 7.62 MB
  5. nodejs-full-i18n-18.18.2-2.module+el9+1018+1b955d7b.x86_64.rpm
    MD5: d844117b71d0053778764ddeb58eedb1
    SHA-256: fb39aa1725d9da74405b82a70d45c046bc2b67706df22100d63280807f90974d
    Size: 8.52 MB
  6. nodejs-nodemon-3.0.1-1.module+el9+1018+1b955d7b.noarch.rpm
    MD5: fac3331f522e959638b143116a4b4982
    SHA-256: 8b8d00cecec19a6134962689222e85c2228fe9e5f541c8ac918bd3c95cf2ce15
    Size: 268.41 kB
  7. nodejs-packaging-2021.06-4.module+el9+1018+1b955d7b.noarch.rpm
    MD5: cb0d469841abc8acf2671099cfda87fc
    SHA-256: b32def411e41b55d92b9deb9d5390237865761617c999ff5ebc3304aad32f932
    Size: 19.91 kB
  8. nodejs-packaging-bundler-2021.06-4.module+el9+1018+1b955d7b.noarch.rpm
    MD5: 8304256ea40096f96ef5792a1519b9b7
    SHA-256: fff66cc2e24fb9da0da9571d1de7faaaf0edad901ef06539a8eae02617ad9c4c
    Size: 9.76 kB
  9. npm-9.8.1-1.18.18.2.2.module+el9+1018+1b955d7b.x86_64.rpm
    MD5: 8ae98db0c10cf2d7d3f7b0c515b1cf60
    SHA-256: bb471149b1ecaee68fb55d0f64be3a1ec2834576f2ada974c8e7c8eaa2bd4c99
    Size: 2.01 MB