nodejs:20 security update

Errata ID: AXSA:2024-8725:01

Release date: Wednesday, August 28, 2024 - 14:10
Subject: nodejs:20 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description:

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

* node-tar: denial of service while parsing a tar file due to lack of folders depth validation (CVE-2024-28863)
* nodejs: Bypass network import restriction via data URL (CVE-2024-22020)
* nodejs: fs.lstat bypasses permission model (CVE-2024-22018)
* nodejs: fs.fchown/fchmod bypasses permission model (CVE-2024-36137)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-22018
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2024-22020
A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers.
CVE-2024-28863
node-tar is a tar implementation for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within a few seconds of running it, using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
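An added example (not node-tar's own code) of the kind of depth limit the 6.2.1 fix introduces: a filter that computes the nesting depth of each archive entry path and refuses entries past a cap, so a crafted archive is rejected before any directory creation begins. The `DEFAULT_MAX_DEPTH` value and the `auditEntries` helper are assumptions for illustration.

```javascript
// Added example, not node-tar's own code: a nesting-depth guard of the kind
// node-tar 6.2.1 introduced against the CVE-2024-28863 deep-folder DoS.
// Entries deeper than the cap are refused before any directory is created.

// Assumption: a cap generous for real archives yet far below a hostile one.
const DEFAULT_MAX_DEPTH = 64;

// Count path components, ignoring empty segments, trailing slashes and ".".
// ".." is counted as an ordinary component here; path traversal is a
// separate check and not what this guard is for.
function pathDepth(entryPath) {
  return entryPath
    .replace(/\\/g, '/')
    .split('/')
    .filter((seg) => seg !== '' && seg !== '.')
    .length;
}

// Returns a predicate shaped like node-tar's `filter` option: true keeps the
// entry, false skips it.
function makeDepthFilter(maxDepth = DEFAULT_MAX_DEPTH) {
  return (entryPath) => pathDepth(entryPath) <= maxDepth;
}

// Assumed helper: run the filter over a listing and report what was refused.
function auditEntries(entryPaths, maxDepth = DEFAULT_MAX_DEPTH) {
  const keep = makeDepthFilter(maxDepth);
  const rejected = entryPaths.filter((p) => !keep(p));
  return {
    total: entryPaths.length,
    kept: entryPaths.length - rejected.length,
    rejected,
  };
}

// Constructed listing: one normal entry, one path nested 10,000 levels deep.
const sampleListing = ['etc/app/config.json', 'a/'.repeat(10000) + 'payload.txt'];
const report = auditEntries(sampleListing);
console.log(`kept ${report.kept} of ${report.total} entries, refused ${report.rejected.length}`);
```

With node-tar the same predicate can be passed as `tar.x({ filter: makeDepthFilter(64) })`, but the filter is a defence in depth and not a substitute for the patched release.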
CVE-2024-36137
RESERVED

Modularity name: "nodejs"
Stream name: "20"

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-3.0.1-1.module+el8+1798+3a61da1c.src.rpm
    MD5: 01c4ef22cbb3ab70a8bb8c1ec62d5f2d
    SHA-256: a2ec2786b3efe08ae51eb635dc69c434b9641f52a667ccf994883362aba1e2cd
    Size: 339.85 kB
  2. nodejs-packaging-2021.06-4.module+el8+1798+3a61da1c.src.rpm
    MD5: ee2b3215292547b331c987f729a10907
    SHA-256: f482e95c5f86eeed5e94c2f51ddb2d632ef62ae0ddcb5c72560cbffb0f29fe58
    Size: 30.29 kB
  3. nodejs-20.16.0-1.module+el8+1798+3a61da1c.src.rpm
    MD5: ed12b0885f421c12fb06b2bff754925d
    SHA-256: 520eeabf669065421ddf7d593a9dea303be1bfd6ae584a54be81029a2d91c727
    Size: 82.21 MB

Asianux Server 8 for x86_64
  1. nodejs-20.16.0-1.module+el8+1798+3a61da1c.x86_64.rpm
    MD5: 86c8bff4ea43475dd8fa73809f31c9bf
    SHA-256: 415c5e9ec1ea8eda328e8c4711446212807999fea158f74d3f708356385a31b6
    Size: 14.34 MB
  2. nodejs-debugsource-20.16.0-1.module+el8+1798+3a61da1c.x86_64.rpm
    MD5: 67221ccab16cab6df9e14825f89f6759
    SHA-256: adbab61a17560880270adc4f0bb49514a543af0de8adc8bcbd7a3bb8a6686da9
    Size: 11.80 MB
  3. nodejs-devel-20.16.0-1.module+el8+1798+3a61da1c.x86_64.rpm
    MD5: 64f25cab2916fe1c03a2dc0eecc30406
    SHA-256: 1a8de677f97d4bc6b14df78838277d0206030161a0d43d47223af0e0f777cfbe
    Size: 262.05 kB
  4. nodejs-docs-20.16.0-1.module+el8+1798+3a61da1c.noarch.rpm
    MD5: a409928fe7d81cd23428c67786a45d78
    SHA-256: efa3866e73f69574a0677dce5896128d0bf4809fe535f50fe6f5b6fea5abbfaa
    Size: 10.71 MB
  5. nodejs-full-i18n-20.16.0-1.module+el8+1798+3a61da1c.x86_64.rpm
    MD5: 22008986fd2477c52d8f983f8f5c249a
    SHA-256: b3a9a70da70e98e5a17de2d3b4a7ed22a01c7bd4e1965d6fa2cecb16290182c7
    Size: 8.16 MB
  6. nodejs-nodemon-3.0.1-1.module+el8+1798+3a61da1c.noarch.rpm
    MD5: cf880773e79689047bbeeee4aec656fa
    SHA-256: 6b6f6a8ca56ab2199627f46ff97198824c79008332bc2bda5c67a47239ca2f11
    Size: 281.66 kB
  7. nodejs-packaging-2021.06-4.module+el8+1798+3a61da1c.noarch.rpm
    MD5: c45190380fc599e372d0ba515a93c51f
    SHA-256: f7c1a5fd8d13c6347c5db740fc30d6592b955e13d566c7e335069dffb1fb9ee6
    Size: 24.14 kB
  8. nodejs-packaging-bundler-2021.06-4.module+el8+1798+3a61da1c.noarch.rpm
    MD5: c3e51d454dda8dacc4396122cf03f38a
    SHA-256: 4929961c7fd25272dbdec138ebdab6bd8b39f3e893913099e577cf8d74e841fa
    Size: 13.76 kB
  9. npm-10.8.1-1.20.16.0.1.module+el8+1798+3a61da1c.x86_64.rpm
    MD5: 3cc70d8ec3091f408da3602580819317
    SHA-256: d630a180143930325b8bcd9449db395ff09e936511e40a4537cbf46ebbdb3616
    Size: 2.02 MB