rh-nodejs12-nodejs-nodemon-2.0.3-1.el7, rh-nodejs12-nodejs-12.20.1-1.el7
Errata ID: AXSA:2021-1451:01
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: rh-nodejs12-nodejs (12.20.1), rh-nodejs12-nodejs-nodemon (2.0.3).
Security Fix(es):
* nodejs-mixin-deep: prototype pollution in function mixin-deep (CVE-2019-10746)
* nodejs-set-value: prototype pollution in function set-value (CVE-2019-10747)
* nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754)
* nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)
* nodejs: use-after-free in the TLS implementation (CVE-2020-8265)
* nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2019-10746
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
CVE-2019-10747
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and __proto__ payloads.
CVE-2020-7754
This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
CVE-2020-7788
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
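The three prototype-pollution entries above (mixin-deep, set-value, ini) share one mechanism: a recursive merge that follows a "__proto__" or "constructor" key from untrusted input into Object.prototype. The following is an added example, not code from the advisory or from any of the affected packages; it places a naive merge of that kind beside a hardened one, with constructed JSON payloads standing in for an untrusted request body or INI file.

```javascript
// Added example, not from the advisory or the affected packages. Payloads are
// constructed JSON standing in for an untrusted request body or INI file.
const PROTO_PAYLOAD = '{"__proto__":{"polluted":true}}';
const CONSTRUCTOR_PAYLOAD = '{"constructor":{"prototype":{"polluted":true}}}';
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: functions count as mergeable (so target.constructor, the Object
// function, is walked into) and for...in follows an own "__proto__" key upward.
function isMergeable(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}
function naiveMerge(target, source) {
  for (const key in source) {
    if (isMergeable(source[key]) && isMergeable(target[key])) naiveMerge(target[key], source[key]);
    else target[key] = source[key];
  }
  return target;
}

// Hardened: own source keys only, plain objects only, the three dangerous keys
// dropped, and nested targets must be own properties so nothing inherited is written.
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop it; throwing is also reasonable
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges the payload into a fresh object and reports whether Object.prototype
// gained a "polluted" property, removing it again so the process stays clean.
function pollutes(merge, payloadJson) {
  const before = Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
  merge({}, JSON.parse(payloadJson));
  const after = Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
  delete Object.prototype.polluted;
  return after && !before;
}
```

Running `pollutes(naiveMerge, ...)` with either payload returns true, while `safeMerge` returns false for both and still merges ordinary nested objects correctly.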
CVE-2020-8265
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
CVE-2020-8287
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.
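Beyond upgrading, a handler or front-end proxy can refuse requests whose framing is ambiguous. The following is an added example, not code from the advisory or from Node.js; it assumes the `req.rawHeaders` shape Node exposes (a flat array alternating header names and values) and uses constructed header arrays.

```javascript
// Added example, not from the advisory or from Node.js. Operates on the flat
// [name, value, name, value, ...] array that Node exposes as req.rawHeaders.
const FRAMING_HEADERS = new Set(['transfer-encoding', 'content-length']);

// Returns the lower-cased framing header names that occur more than once.
// Repeats of other headers (Accept, Cookie, ...) are legitimate and ignored.
function duplicatedFramingHeaders(rawHeaders) {
  const counts = new Map();
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    if (FRAMING_HEADERS.has(name)) counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// Constructed rawHeaders arrays in the shape Node presents them.
const AMBIGUOUS = ['Host', 'example.test', 'Transfer-Encoding', 'chunked', 'transfer-encoding', 'chunked'];
const CLEAN = ['Host', 'example.test', 'Content-Length', '5', 'Accept', 'text/html', 'Accept', 'text/plain'];

console.log(duplicatedFramingHeaders(AMBIGUOUS)); // ['transfer-encoding']
console.log(duplicatedFramingHeaders(CLEAN));     // []
```

A non-empty result is the cue to answer 400 and close the connection rather than let the parser pick one copy.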
Update packages.
N/A
SRPMS
- rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.src.rpm
MD5: 7ca34e82ed565f1611959f3658b4ebc1
SHA-256: 509a42c259e58e81ca5547ea3929a57150aa96a165d42e6a021f65d17e13af98
Size: 1.14 MB
- rh-nodejs12-nodejs-12.20.1-1.el7.src.rpm
MD5: 1add1c8ad63a0e2b1e3180ece21807d6
SHA-256: 6eeaa71f563abb935dc5f5ba5bb7c750790dd1dc46c5a2e215e8c7d0614fb573
Size: 33.06 MB
Asianux Server 7 for x86_64
- rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.noarch.rpm
MD5: c24c39c54dd66dbb25b5ffb58429189b
SHA-256: f4ef76caaeb706565d562976cf1639abc7a7389cb12d871359871e30ee0494e2
Size: 817.16 kB
- rh-nodejs12-nodejs-12.20.1-1.el7.x86_64.rpm
MD5: f0bffaf2aa0b11226c544283aa7df11f
SHA-256: a5c00ea460e6d07f93a85f0d395db26e3d417aa340386974aa0f18ac0c50a36d
Size: 10.18 MB
- rh-nodejs12-nodejs-devel-12.20.1-1.el7.x86_64.rpm
MD5: c74f747cd994f355902db39c69a3ea52
SHA-256: 080b32c581e2068265883c6b2dee72cb8cdfa87edd330f412872dd971ad6e8fd
Size: 206.41 kB
- rh-nodejs12-nodejs-docs-12.20.1-1.el7.noarch.rpm
MD5: ad8a6db26df65c8f498477a6b6066272
SHA-256: d5ae99c9e6c360a1cb63095c25f815751e71933aa58f5f54c1247e775f5ba1d8
Size: 4.11 MB
- rh-nodejs12-npm-6.14.10-12.20.1.1.el7.x86_64.rpm
MD5: 9c7d9b6ce167752bce68653518a5be3f
SHA-256: d02d884d21a6dfce48391291547c880c8d3de70a2d721eb9e7e9c14fb6b3d307
Size: 4.00 MB