nodejs:12 security and bug fix update
エラータID: AXSA:2020-792:01
リリース日:
2020/10/26 Monday - 06:36
題名:
nodejs:12 security and bug fix update
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- nodejs12 の npm CLI は "://[[:]@][:][:][/]" のような
URL をサポートしており、パスワードが編集
されずに標準出力や生成されたログファイルに
出力されてしまうため、ログファイルを通じて
情報開示してしまう脆弱性があります。(CVE-2020-15095)
- Node.js の dot-prop npm パッケージには、
プロトタイプ汚染の問題があり、攻撃者が任意の
プロパティーを JavaScript のコンストラクトに
追加することのできる脆弱性があります。(CVE-2020-8116)
- Node.js には、 HTTP ヘッダ名の carrier-return
シンボルの処理中に、HTTP Desync 攻撃が可能な
問題があり、攻撃者が巧妙に細工されたペイロードを
予期しないユーザーに送付することで、基盤となる
システムのアーキテクチャに応じて、ユーザーの
セッションの乗っ取り、Cookie のポイズニング、
クリックジャッキングの実行などの複数の攻撃が
可能な脆弱性があります。(CVE-2020-8201)
- Node.js の libuv の realpath の実装には、
バッファサイズの決定に誤りがあり、 展開された
パスが 256 バイト以上あると、バッファオーバーフローを
引き起こす可能性のある脆弱性があります。(CVE-2020-8252)
- Node.js の node には、TLS セッションの再利用の
問題があり、ホストの証明書の検証をバイパスすることの
できる脆弱性があります。(CVE-2020-8172)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2020-15095
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log files.
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "
CVE-2020-8116
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
CVE-2020-8201
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.
CVE-2020-8252
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
CVE-2020-8172
TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.
TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.
CVE-2020-8174
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
CVE-2020-7598
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
CVE-2020-11080
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
追加情報:
N/A
ダウンロード:
SRPMS
- nodejs-nodemon-1.18.3-1.module+el8+132+1cd968c0.src.rpm
MD5: acbf257cc7e07af61ed904f98bac15b2
SHA-256: 7837a84681400a28f637121918e65d1470ed5de1750939844539dd4e0f0dfc36
Size: 1.35 MB - nodejs-packaging-17-3.module+el8+132+1cd968c0.src.rpm
MD5: 8fb55e6e1a0d13fdf8a92a84b7c1b566
SHA-256: 496e4ab95dafb1fb923c4abf1a09bd96ce78db185da48a8803f57ff4d517a9c0
Size: 20.66 kB - nodejs-12.18.4-2.module+el8+132+1cd968c0.src.rpm
MD5: 1d7aec04068c2ee422ed7bcbdcca8e25
SHA-256: a1022d73e03212f64eb8be93fee91ea686018c4a2a7e1a5c8f708c34e4ab063f
Size: 55.00 MB
Asianux Server 8 for x86_64
- nodejs-nodemon-1.18.3-1.module+el8+132+1cd968c0.noarch.rpm
MD5: 4de418d0e4684d3c44ea5a0d297dece1
SHA-256: 871c96c685bbf23a190e35b0b6f1abd886c871bd953fe7881bc2b8f3a57e743b
Size: 963.32 kB - nodejs-packaging-17-3.module+el8+132+1cd968c0.noarch.rpm
MD5: 5158b2f6c6bb9797a47a26b3ed406bd9
SHA-256: 88164ebf2746649304cab6b7793293045c4acffb829f688f762992ae9b3a7e1f
Size: 18.43 kB - nodejs-12.18.4-2.module+el8+132+1cd968c0.x86_64.rpm
MD5: 43ea09045d6c844f05b0dec5fe69a101
SHA-256: d64bd45a58efcb126da4b0d4b0af933db573d9ac1e50ad280942b9f9e22415ff
Size: 10.30 MB - nodejs-devel-12.18.4-2.module+el8+132+1cd968c0.x86_64.rpm
MD5: efffd9d3fb5cb2567be6625be03efa39
SHA-256: 967e45e968e93241824505df69f32135ff5224006a33dacaaf7c017a793a9887
Size: 172.18 kB - nodejs-docs-12.18.4-2.module+el8+132+1cd968c0.noarch.rpm
MD5: 1221bff22b2e595d33f53e51bbb9e643
SHA-256: b2f086cd6ac099d7f936c31101b0846f8ba1a5d26805a139a39d29df4ac8b837
Size: 3.99 MB - nodejs-full-i18n-12.18.4-2.module+el8+132+1cd968c0.x86_64.rpm
MD5: e60e4cd4b029d40fc3e20c3a9f215165
SHA-256: b081a1957f84615ea8414e166f9e1e77007c81990fac92b74822601d3b7298c2
Size: 7.49 MB - npm-6.14.6-1.12.18.4.2.module+el8+132+1cd968c0.x86_64.rpm
MD5: de533cfa0e1d96e1800003dc995fa8ed
SHA-256: fddd3d2dcb865689e83dc094d863560c24189c83619c93875206a5183976a735
Size: 3.83 MB
English