rh-nodejs12-nodejs-nodemon-2.0.3-2.el7, rh-nodejs12-nodejs-12.22.2-1.el7

Errata ID: AXSA:2021-2259:02

Release date: 
2021/07/29 Thursday - 10:51
Title: 
rh-nodejs12-nodejs-nodemon-2.0.3-2.el7, rh-nodejs12-nodejs-12.22.2-1.el7
Affected channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: rh-nodejs12-nodejs (12.22.2).

Security Fix(es):

* nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362)
* nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290)
* normalize-url: ReDoS for data URLs (CVE-2021-33502)
* libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes (CVE-2021-22918)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* ECDHE ciphers missing in rh-nodejs12

CVE-2021-22918
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().
CVE-2021-23362
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVE-2021-27290
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
CVE-2021-33502
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Solution: 

Update packages.

Additional information: 

N/A

Downloads: 

SRPMS
  1. rh-nodejs12-nodejs-nodemon-2.0.3-2.el7.src.rpm
    MD5: 179d050ed95dc5856ec814f6f7240d77
    SHA-256: 1f2444f995e998be88611f9dced1a38b3b18bb1e66d251a67cd48e4a096a844e
    Size: 1.14 MB
  2. rh-nodejs12-nodejs-12.22.2-1.el7.src.rpm
    MD5: 3c78dc5fb5626b1ee1f9c8157f23b0e8
    SHA-256: 33fdbd357e15a20082b15b8be2c17fcebc85d2262cb616a4cee30ecc53ca1608
    Size: 33.09 MB

Asianux Server 7 for x86_64
  1. rh-nodejs12-nodejs-nodemon-2.0.3-2.el7.noarch.rpm
    MD5: cc9cec435497307d006111d5f8a5db85
    SHA-256: 35c8e36110b7a5ccef37c32182be2b0cf301de737caae8056c207aec19422195
    Size: 817.36 kB
  2. rh-nodejs12-nodejs-12.22.2-1.el7.x86_64.rpm
    MD5: 898237e5779fc80cf96a382669d8063d
    SHA-256: 2fe12363a742b012e744a25e1030378d99d7921e5c430fa0992092129fa364f7
    Size: 10.18 MB
  3. rh-nodejs12-nodejs-devel-12.22.2-1.el7.x86_64.rpm
    MD5: 74010b87d8ac8ce690ae1c8abe82b7d4
    SHA-256: 49861a7bc84c7723b6a229f90fa0098f967eaeeb17864ac13afab12fe68a7c93
    Size: 206.64 kB
  4. rh-nodejs12-nodejs-docs-12.22.2-1.el7.noarch.rpm
    MD5: 26714bc6f29c650e712a98074d90eebc
    SHA-256: 578cec9187bfe340c32b9753aa44bd4e0ac5fc2f8bc6d6bfa5b9fd8a171a70a4
    Size: 4.12 MB
  5. rh-nodejs12-npm-6.14.13-12.22.2.1.el7.x86_64.rpm
    MD5: a935f584fbae39ed0291b837a34aed8b
    SHA-256: 0403874b3d647700f31525e4592616b559e1800ff34cd6a018809c073a939a9c
    Size: 4.00 MB