nodejs:10 security update
エラータID: AXSA:2021-1501:01
リリース日:
2021/02/18 Thursday - 13:14
題名:
nodejs:10 security update
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- nodejs の npm CLI は "://[[:]@][:][:][/]" のような URL をサポートしており、
パスワードが編集されずに標準出力や生成されたログファイルに出力されてしまうため、
ログファイルを通じて情報開示してしまう脆弱性があります。(CVE-2020-15095)
- nodejs の ajv.validate() には、慎重かつ巧妙に細工された JSON スキーマが、
プロトタイプ汚染攻撃により他のコードを実行してしまう脆弱性があります。
(CVE-2020-15366)
- nodejs の yargs-parser には、"__proto__"ペイロードを使用して Object.prototype の
プロパティを追加/変更してしまえる脆弱性があります。(CVE-2020-7608)
- nodejsには、ユーザーの emailアドレスを検証する正規表現が、"@"文字で始まる
長い入力文字列を処理する際に指数関数的に時間が掛かる脆弱性があります。
(CVE-2020-7754)
- nodejs の y18n には、PoCで実証されているように、プロトタイプが
汚染される脆弱性があります。(CVE-2020-7774)
- nodejs には、攻撃者が悪意のある INI ファイルを ini.parse を使って解析する
アプリケーションに発行すると、アプリケーションのプロトタイプが汚染される
脆弱性があります。(CVE-2020-7788)
- nodejs の dot-prop npm パッケージには、プロトタイプ汚染の問題があり、
攻撃者が任意のプロパティーを JavaScript のコンストラクトに追加することのできる
脆弱性があります。(CVE-2020-8116)
- nodejs の libuv の realpath の実装には、バッファサイズの決定に誤りがあり、
展開されたパスが 256 バイト以上あると、バッファオーバーフローを引き起こす
可能性のある脆弱性があります。(CVE-2020-8252)
- nodejs には、TLS の実装で解放後使用の問題があり、サービス拒否や
他の不正利用に繋がるメモリ内のデータ破壊を引き起こす脆弱性があります。
(CVE-2020-8265)
- nodejs には HTTP リクエストの ヘッダーフィールドの取り扱いに問題があり、
HTTP リクエストスマグリング攻撃を受ける脆弱性があります。(CVE-2020-8287)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2020-15095
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log files.
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "
CVE-2020-15366
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
CVE-2020-7608
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
CVE-2020-7754
This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
CVE-2020-7774
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true
CVE-2020-7788
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
CVE-2020-8116
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
CVE-2020-8252
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
CVE-2020-8265
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
CVE-2020-8287
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.
追加情報:
N/A
ダウンロード:
SRPMS
- nodejs-nodemon-1.18.3-1.module+el8+1186+790d17e4.src.rpm
MD5: d6568b0b137e45064c8a877fe5fcf00a
SHA-256: dc18f034a5924b257d6b7f823a8baeb4bb9fcfabd5ef694d12461e7c10fa37fe
Size: 1.35 MB - nodejs-packaging-17-3.module+el8+1186+790d17e4.src.rpm
MD5: a03713f3e49a3d12795118e8ebf24909
SHA-256: cdfc600f0f79a403d8754b80e75b647d2d6f6dfbd25174d50ebd274972ed90ff
Size: 20.66 kB - nodejs-10.23.1-1.module+el8+1186+790d17e4.src.rpm
MD5: 93e8a67e70ae51aa448fbcc83e37e6c6
SHA-256: f6d6f0e7cbfacca609a2476c64d9664a3a3e34711cccfe97f690ebfb470c800c
Size: 50.13 MB
Asianux Server 8 for x86_64
- nodejs-nodemon-1.18.3-1.module+el8+1186+790d17e4.noarch.rpm
MD5: ff37deb1f085b9d0338a0e45a4eecc72
SHA-256: 7913bf93ccaa7bf78596f9a7aaeb79e392c2fa7c62125b36209afb06bb86c3fa
Size: 963.33 kB - nodejs-packaging-17-3.module+el8+1186+790d17e4.noarch.rpm
MD5: ac3b85e56b6df4d096a532c5ff4448a7
SHA-256: d7fb256b70ff47ebffff74dba1ab9b41fcbc05f4fb97588e4cd2e3d5442e1f3f
Size: 18.43 kB - nodejs-10.23.1-1.module+el8+1186+790d17e4.x86_64.rpm
MD5: 59494772f5b07251aabcf259d598f331
SHA-256: 24d5381a39ee6de2ddf7fdac0eb2198ad2463453762c0121fcae1c435c5e3241
Size: 8.85 MB - nodejs-debugsource-10.23.1-1.module+el8+1186+790d17e4.x86_64.rpm
MD5: 6d834b3cfee54de1483d128337a278af
SHA-256: fe71d76cbaecbd833abab8f8de30723016e6e3c27f2b59a16f143a92a079d1a4
Size: 9.70 MB - nodejs-devel-10.23.1-1.module+el8+1186+790d17e4.x86_64.rpm
MD5: 5f58887a8f3d8c9b4c5bfaeda07592ec
SHA-256: 15f3b5af4cb7e978774898b2a1a4b33ad2f08daf5681ccbab1cd0146fd3a20b2
Size: 162.62 kB - nodejs-docs-10.23.1-1.module+el8+1186+790d17e4.noarch.rpm
MD5: fb3b9b272b6e762997902595c486fd34
SHA-256: 59ca06759f196a2fed64103b3fce0ccd90a6914edcae88f89915cda5efb1b59b
Size: 3.35 MB - nodejs-full-i18n-10.23.1-1.module+el8+1186+790d17e4.x86_64.rpm
MD5: 4f85603ec3d4955f4b4c13cd5151418e
SHA-256: 06f3a24bc667eb20bd9191155b7e44da116f7b29280755543dec3dcdf62de195
Size: 7.29 MB - npm-6.14.10-1.10.23.1.1.module+el8+1186+790d17e4.x86_64.rpm
MD5: 36f6cab104e3b0b946081543527d5b0c
SHA-256: dbdb7c5937bbec4ba70f56cae08c7f66c3cb2de684121ddf78744393b8e56e24
Size: 3.67 MB
English