[security - medium] nodejs:20 security update

エラータID: AXSA:2025-9918:01

Release date: 
Friday, May 9, 2025 - 21:22
Subject: 
[security - medium] nodejs:20 security update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

* c-ares: c-ares has a use-after-free in read_answers() (CVE-2025-31498)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2025-31498
c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5.

Modularity name: "nodejs"
Stream name: "20"

Solution: 

Update packages.

CVEs: 
CVE-2025-31498
c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5.
Additional Info: 

N/A

Download: 

SRPMS
  1. nodejs-nodemon-3.0.1-1.module+el8+1868+cb0612ba.src.rpm
    MD5: de986f4886b7c89a8b085f7e7722319a
    SHA-256: 32e259057576c3eb66744bd9a4b6ac33bb2c2259647a76ae56f15dc879fefb24
    Size: 339.85 kB
  2. nodejs-packaging-2021.06-4.module+el8+1868+cb0612ba.src.rpm
    MD5: b9f033503aa46acb5ddd155cd67b4a5c
    SHA-256: 12dfc54ba2898972fceca55d34017c7307620571adbbf9108b7d6a245372e030
    Size: 30.29 kB
  3. nodejs-20.19.1-1.module+el8+1868+cb0612ba.src.rpm
    MD5: a73dedea2f0888bf130b533d1b0c74fb
    SHA-256: 1d74f5ba0dbcdfd224b1fe1831b7e86f03720ea81659e95ef181647f9abeb4de
    Size: 82.71 MB

Asianux Server 8 for x86_64
  1. nodejs-20.19.1-1.module+el8+1868+cb0612ba.x86_64.rpm
    MD5: 53b20b6762a2c0882f54fa9ba259e4b4
    SHA-256: eabaecef91c7f02a63af52e09239603af95d317ab42cbcbc05b464c9895d6ab2
    Size: 14.44 MB
  2. nodejs-debugsource-20.19.1-1.module+el8+1868+cb0612ba.x86_64.rpm
    MD5: f0d42e5877fdf8052280c6850616a71d
    SHA-256: 3dd319b1a011bb87889cb9cdd1b0b5e5c5100a80a1334bb6967844110353186e
    Size: 11.90 MB
  3. nodejs-devel-20.19.1-1.module+el8+1868+cb0612ba.x86_64.rpm
    MD5: edccf98416e64fa7f897ba9629d385f5
    SHA-256: 906abacabbe925c18dbb83b2e781a0afdf2044725e08b1a3810f2f421f203870
    Size: 262.91 kB
  4. nodejs-docs-20.19.1-1.module+el8+1868+cb0612ba.noarch.rpm
    MD5: 6a3dea7e9cdcd87d033aa4b60267c860
    SHA-256: 6e17338c2dc7afde8e934355b40d69ab2ac0a6b805833fa71cba9bc7cba104cf
    Size: 10.91 MB
  5. nodejs-full-i18n-20.19.1-1.module+el8+1868+cb0612ba.x86_64.rpm
    MD5: 3b8c05f3120dfa94f90fd3dbca7ac637
    SHA-256: 451e6facccce39614d0dd86dcbd6823ec696f9470999c925161c24100c8c74d8
    Size: 8.32 MB
  6. nodejs-nodemon-3.0.1-1.module+el8+1868+cb0612ba.noarch.rpm
    MD5: b56643e95478f82d2c9edf17204db3ff
    SHA-256: 4fd4de7af8d120bf86c12d13b172b4d44ca84b48e6be2213d257249c80bddad9
    Size: 281.66 kB
  7. nodejs-packaging-2021.06-4.module+el8+1868+cb0612ba.noarch.rpm
    MD5: 80e9e8b22ae042c0ac3a68e22f2c3a67
    SHA-256: b97bd2065d6f17b2e971ee04840c0058f3906d044804cae3a9bcc32fb684c7de
    Size: 24.14 kB
  8. nodejs-packaging-bundler-2021.06-4.module+el8+1868+cb0612ba.noarch.rpm
    MD5: 9264b2689e888dd33ecc2d0972a30906
    SHA-256: 88f0064e47915caa4d3648c0cdfecd0de5c14120b4c323dbaf60aa712a78c5f7
    Size: 13.76 kB
  9. npm-10.8.2-1.20.19.1.1.module+el8+1868+cb0612ba.x86_64.rpm
    MD5: 9409c3e787b2ad4f1bcb3aba991e9d65
    SHA-256: 748bcb63b6160887e528b62fad64c81fca57fb9c0e7d6b3ad951cad0afc591f2
    Size: 2.02 MB