nodejs:16 security update

Errata ID: AXSA:2024-7628:01

Release date: Friday, March 22, 2024 - 17:42
Subject: nodejs:16 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

* nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (CVE-2024-22019)
* nodejs: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2024-22019
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.
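
The missing limit described for CVE-2024-22019, shown as an added example (not code from Node.js or from this advisory): a chunked-body decoder that charges every chunk-extension byte against a single per-body budget while scanning. The names `decodeChunked`, `MAX_EXT_BYTES` and `MAX_SIZE_DIGITS`, and the limit values, are assumptions chosen for illustration.

```javascript
// Added example: bounded decoder for an HTTP/1.1 chunked body (RFC 9112, section 7.1).
// Both limits below are assumed values for this sketch, not taken from the advisory.
const MAX_EXT_BYTES = 16 * 1024; // budget for chunk-extension bytes, per body
const MAX_SIZE_DIGITS = 8;       // cap on hex digits in a chunk-size field

function decodeChunked(buf, maxExtBytes = MAX_EXT_BYTES) {
  const parts = [];
  let pos = 0;
  let extBytes = 0; // running total across ALL chunks, so many small extensions also count
  for (;;) {
    // Scan the chunk-size line byte by byte so the budget is enforced while
    // reading, not after an arbitrarily long line has already been consumed.
    let sizeHex = '';
    let inExt = false;
    for (;; pos++) {
      if (pos >= buf.length) throw new Error('incomplete chunk header');
      const c = buf[pos];
      if (c === 0x0d) break;                    // CR ends the size line
      if (inExt || c === 0x3b) {                // ';' starts the extensions
        inExt = true;
        if (++extBytes > maxExtBytes) throw new Error('chunk extensions too large');
      } else {
        sizeHex += String.fromCharCode(c);
        if (sizeHex.length > MAX_SIZE_DIGITS) throw new Error('chunk size too long');
      }
    }
    if (buf[pos + 1] !== 0x0a) throw new Error('bad line ending');
    if (!/^[0-9a-fA-F]+$/.test(sizeHex)) throw new Error('bad chunk size');
    const size = parseInt(sizeHex, 16);
    pos += 2;
    if (size === 0) break;                      // last-chunk; trailers are not parsed here
    if (pos + size + 2 > buf.length) throw new Error('incomplete chunk data');
    parts.push(buf.subarray(pos, pos + size));
    pos += size;
    if (buf[pos] !== 0x0d || buf[pos + 1] !== 0x0a) throw new Error('missing CRLF after chunk');
    pos += 2;
  }
  return { body: Buffer.concat(parts), extBytes };
}

// Constructed sample input: one chunk carrying a short extension.
const sample = Buffer.from('5;name=val\r\nhello\r\n0\r\n\r\n');
const decoded = decodeChunked(sample);
console.log(decoded.body.toString(), decoded.extBytes);
```

Because the budget is cumulative, a body made of many small chunks with short extensions is rejected at the same total as one chunk with a single long extension.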

Modularity name: "nodejs"
Stream name: "16"

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-3.0.1-1.module+el8+1735+4bab2d30.src.rpm
    MD5: 08472a36f0a9064a4dcf2969eb5719b9
    SHA-256: 1167317fc4164e32f86de81d97a6a2e73c166400279234cfc4a7f5a9f08d0fe2
    Size: 340.68 kB
  2. nodejs-packaging-26-1.module+el8+1735+4bab2d30.src.rpm
    MD5: c8b367ce8be5dd683e9ad69c06f7dd85
    SHA-256: ac006c3c614679288b0e5f70ffc4865539820110a5a748d87b3f8b87e3ab4f82
    Size: 29.27 kB
  3. nodejs-16.20.2-4.module+el8+1735+4bab2d30.src.rpm
    MD5: b3ca9314ed562b14529118f02240e3af
    SHA-256: ac5d8914b121c716fd2dae5b747ad5d8ae3c7e7b092039ab13ac057ba3108649
    Size: 71.57 MB

Asianux Server 8 for x86_64
  1. nodejs-16.20.2-4.module+el8+1735+4bab2d30.x86_64.rpm
    MD5: ee577df02aa5b37586631fdcbd01840b
    SHA-256: 8bbdfc5e6a79bc23c61a4610913fef1326cd8a6a4ae830184bdc6edd7a6065f3
    Size: 12.28 MB
  2. nodejs-debugsource-16.20.2-4.module+el8+1735+4bab2d30.x86_64.rpm
    MD5: af82d214bd541fb74dcb912655593635
    SHA-256: ec6b94667789914bd3d39be3a33f9dc25702cccb9fe7edb4204a811ab7d84de6
    Size: 13.06 MB
  3. nodejs-devel-16.20.2-4.module+el8+1735+4bab2d30.x86_64.rpm
    MD5: 1f453fb42f030078153f4eead88bd1e5
    SHA-256: 0cba570ee5e99838f0ffec0960f41e8e06f3624ecdcf4e7771914c030c9e1a8f
    Size: 192.75 kB
  4. nodejs-docs-16.20.2-4.module+el8+1735+4bab2d30.noarch.rpm
    MD5: 1049259e8af4c705ca9df653b3ca90ef
    SHA-256: c086ebeb310fb29beae4f38319ea98f32b9b120c8586d60ba3e442ea277ace33
    Size: 9.35 MB
  5. nodejs-full-i18n-16.20.2-4.module+el8+1735+4bab2d30.x86_64.rpm
    MD5: e709473dcaea5a6615ab3ef7b2109480
    SHA-256: cc3c432463a8efd0feec31eb65941e7f82c0dde8115bbb0cb6bb8812773ff685
    Size: 8.01 MB
  6. nodejs-nodemon-3.0.1-1.module+el8+1735+4bab2d30.noarch.rpm
    MD5: db02394332bb91c5abd00acd7ea5e696
    SHA-256: e20b9a44781925f790b6d323f96333f094f6f5ce4aa850d5d8a02785000ac649
    Size: 282.09 kB
  7. nodejs-packaging-26-1.module+el8+1735+4bab2d30.noarch.rpm
    MD5: 563248a86e801b9e4dba8d19e41c73c4
    SHA-256: 48c4f4fd341f8978e111aa28833d579980730f301f8e56befe8139cd9391ee6e
    Size: 23.37 kB
  8. npm-8.19.4-1.16.20.2.4.module+el8+1735+4bab2d30.x86_64.rpm
    MD5: 4e110e69eaa576aff80bc6a2fbe36e66
    SHA-256: 3f5e171091e1a39374c3b9f77c0a35eebdd9986469d7a22650d22e20965298e2
    Size: 1.88 MB