nodejs:20 security update

エラータID: AXSA:2024-7740:01

Release date: 
Friday, May 10, 2024 - 22:08
nodejs:20 security update
Affected Channels: 
Asianux Server 8 for x86_64

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

* c-ares: Out of bounds read in ares__read_line() (CVE-2024-25629)
* nghttp2: CONTINUATION frames DoS (CVE-2024-28182)
* nodejs: using the fetch() function to retrieve content from an untrusted URL leads to denial of service (CVE-2024-22025)
* nodejs: CONTINUATION frames DoS (CVE-2024-27983)
* nodejs: HTTP Request Smuggling via Content Length Obfuscation (CVE-2024-27982)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.
c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.
The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

Modularity name: "nodejs"
Stream name: "20"


Update packages.

Additional Info: 



  1. nodejs-nodemon-3.0.1-1.module+el8+1750+6a160498.src.rpm
    MD5: f8e39e805999631b22d9926a50b7fd22
    SHA-256: 30ca9030970decf42bc74561f8fac168ee16ee8c5de4dca5096868c072d079f7
    Size: 339.85 kB
  2. nodejs-packaging-2021.06-4.module+el8+1750+6a160498.src.rpm
    MD5: 6d61acba0e6dc26044f58f3290deeb58
    SHA-256: 1aac1147aa7fd5d26d373259da21515a6510b5a4e8d0bab4ff19a433f1153613
    Size: 30.29 kB
  3. nodejs-20.12.2-2.module+el8+1750+6a160498.src.rpm
    MD5: 890d2afa8c949307044f52a218a227d7
    SHA-256: 262d230c23983ac3da3289a65d4991f74ccc5f905634b9f51ead50cdc8215cf0
    Size: 81.38 MB

Asianux Server 8 for x86_64
  1. nodejs-20.12.2-2.module+el8+1750+6a160498.x86_64.rpm
    MD5: 68502dc10e0c3c0b53a30343f2e9f0d6
    SHA-256: 0d23b9288f1f0f1453762851b0e3a33e279c91ccdeefdb4d52a944f9b1798e4c
    Size: 14.33 MB
  2. nodejs-debugsource-20.12.2-2.module+el8+1750+6a160498.x86_64.rpm
    MD5: 9f08f3840bd9dcadae0466b957a8a6c8
    SHA-256: ddd2f73c927b5f7a2de8cfa63b6915310da69b363f7625c00b7346077bb69070
    Size: 11.76 MB
  3. nodejs-devel-20.12.2-2.module+el8+1750+6a160498.x86_64.rpm
    MD5: 2164cceb8520008ebfc3daf131e339c1
    SHA-256: a1ffff54d3679f5087ff04d3ca3bdda87cebdfc2e8631c1bd2b7e2f5a23cc95f
    Size: 261.43 kB
  4. nodejs-docs-20.12.2-2.module+el8+1750+6a160498.noarch.rpm
    MD5: a06fded7f9d383c9fd49a4cc0f3ac0e3
    SHA-256: 19c1a356473f249b5c7b5d43ce128231c0a0511491426c0097c7ff42ea4dc7e7
    Size: 10.57 MB
  5. nodejs-full-i18n-20.12.2-2.module+el8+1750+6a160498.x86_64.rpm
    MD5: b827ac82874769371bc1f9f1f1c2aea3
    SHA-256: ea73a89c86704cf3454068df14106df896dc4761374fa9e371dfd66e31f5baf2
    Size: 8.17 MB
  6. nodejs-nodemon-3.0.1-1.module+el8+1750+6a160498.noarch.rpm
    MD5: c0b61e08a7637e48f89bc3c38fe88243
    SHA-256: 61e973160c43e7094108943fb641b4ed4153e144f94c60810061d42bfcb81dcf
    Size: 281.66 kB
  7. nodejs-packaging-2021.06-4.module+el8+1750+6a160498.noarch.rpm
    MD5: 6211c5a4da0108c767d436e87cb0759f
    SHA-256: 295b2069ad590dd9236881f456b1e1482dae28a809a8bf2a279e931aec2c984c
    Size: 24.14 kB
  8. nodejs-packaging-bundler-2021.06-4.module+el8+1750+6a160498.noarch.rpm
    MD5: 0433935c50f77e2ea7184692e86c3958
    SHA-256: 54fbaba14949fb3a355f4c468c7495475d1d2b127f8c88bb2570cd9830c5f7e3
    Size: 13.76 kB
  9. npm-10.5.0-
    MD5: c9b1bb3d6d8c87b71432576743cd8e9f
    SHA-256: 24abc7ee0b214d7cdbcc8befef69bd7223d122badb99482e1d2ae28eabc7c380
    Size: 2.06 MB