rh-nodejs14-nodejs-nodemon-2.0.3-2.el7, rh-nodejs14-nodejs-14.17.2-1.el7

Errata ID: AXSA:2021-2260:01
Release date: 2021/07/29 Thursday - 15:09
Title: rh-nodejs14-nodejs-nodemon-2.0.3-2.el7, rh-nodejs14-nodejs-14.17.2-1.el7
Affected channels: Asianux Server 7 for x86_64
Severity: Moderate
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: rh-nodejs14-nodejs (14.17.2).

Security Fix(es):

* nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362)
* nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode (CVE-2021-27290)
* normalize-url: ReDoS for data URLs (CVE-2021-33502)
* libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes (CVE-2021-22918)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* ECDHE ciphers missing in rh-nodejs14

CVE-2021-22918
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().
CVE-2021-23362
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVE-2021-27290
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
CVE-2021-33502
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Solution:

Update packages.

Additional information:

N/A

Downloads:

SRPMS
  1. rh-nodejs14-nodejs-nodemon-2.0.3-2.el7.src.rpm
    MD5: 9b56abc0d04d7595bf0c5c2b95df7d4b
    SHA-256: 9920b588469c2875ca2d9526bf670e7ec25b2673d8001b987bf119f5d0d652b6
    Size: 1.14 MB
  2. rh-nodejs14-nodejs-14.17.2-1.el7.src.rpm
    MD5: 813931566e0576b46796ecd8190cec6f
    SHA-256: 00b7547cc018026db771b5b28a795c78b5bd17dcd0b029d5283dff0cf5ca5966
    Size: 43.11 MB

Asianux Server 7 for x86_64
  1. rh-nodejs14-nodejs-nodemon-2.0.3-2.el7.noarch.rpm
    MD5: 6ddd6c6510e329263925b7c47fe0d768
    SHA-256: 167c82ea3d19ef542ab55d5f882f1a2127d005a1c82cbc8213a008767fd13acf
    Size: 817.31 kB
  2. rh-nodejs14-nodejs-14.17.2-1.el7.x86_64.rpm
    MD5: f3b5def9ad11e3871cbda4f12bddef62
    SHA-256: 7722a375a80ce9f391b3f823d5d7993e86ea981bff1432fb5a9ddb26566509cd
    Size: 10.75 MB
  3. rh-nodejs14-nodejs-devel-14.17.2-1.el7.x86_64.rpm
    MD5: 76ec71253643a6bf43a94f143c509d17
    SHA-256: c542cf2195fcc0edbc8d16902c00b0645e70a441d395e08c431ef8fdb79c20a3
    Size: 232.85 kB
  4. rh-nodejs14-nodejs-docs-14.17.2-1.el7.noarch.rpm
    MD5: 14ac70a9ebb12547163e9ab5fa75f802
    SHA-256: beccbec06608d27eba55a02ca5391f01a4b303af15ee7de7032ad48f275d7a3b
    Size: 4.33 MB
  5. rh-nodejs14-npm-6.14.13-14.17.2.1.el7.x86_64.rpm
    MD5: 5b7d26ab3de262f96164a734443ea461
    SHA-256: a6be7988ea22197f7ddf93f9047e3b4dc992b5c8b7b2f8ec695b31ceeb24f627
    Size: 4.09 MB
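An added verification script, not part of this advisory or of the Asianux tooling, that checks a downloaded x86_64 RPM against the SHA-256 values listed above and compares an installed version string with the fixed build 14.17.2-1.el7. It assumes POSIX sh with sha256sum or shasum available, and approximates RPM version ordering with sort -V rather than rpmdev-vercmp.

```shell
#!/bin/sh
# Added example, not from the advisory: verify downloads listed in AXSA:2021-2260:01
# and check whether an installed rh-nodejs14-nodejs version is at or past the fix.

# SHA-256 values copied from the advisory's x86_64 download list.
expected_sha256() {
  case "$1" in
    rh-nodejs14-nodejs-nodemon-2.0.3-2.el7.noarch.rpm)
      echo 167c82ea3d19ef542ab55d5f882f1a2127d005a1c82cbc8213a008767fd13acf ;;
    rh-nodejs14-nodejs-14.17.2-1.el7.x86_64.rpm)
      echo 7722a375a80ce9f391b3f823d5d7993e86ea981bff1432fb5a9ddb26566509cd ;;
    rh-nodejs14-nodejs-devel-14.17.2-1.el7.x86_64.rpm)
      echo c542cf2195fcc0edbc8d16902c00b0645e70a441d395e08c431ef8fdb79c20a3 ;;
    rh-nodejs14-nodejs-docs-14.17.2-1.el7.noarch.rpm)
      echo beccbec06608d27eba55a02ca5391f01a4b303af15ee7de7032ad48f275d7a3b ;;
    rh-nodejs14-npm-6.14.13-14.17.2.1.el7.x86_64.rpm)
      echo a6be7988ea22197f7ddf93f9047e3b4dc992b5c8b7b2f8ec695b31ceeb24f627 ;;
    *) return 1 ;;
  esac
}

# Print the SHA-256 of a file using whichever tool is available.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_rpm <path>: 0 if the digest matches the advisory, 1 on mismatch,
# 2 if the file name is not one of the packages in this advisory.
verify_rpm() {
  name=$(basename "$1")
  want=$(expected_sha256 "$name") || { echo "not in advisory: $name" >&2; return 2; }
  got=$(file_sha256 "$1")
  [ "$got" = "$want" ]
}

# version_ge <have> <need>: 0 if <have> sorts at or after <need>.
# Assumption: sort -V approximates RPM EVR ordering well enough for these
# version-release strings; use rpmdev-vercmp when the exact answer matters.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# On the host: have=$(rpm -q --qf '%{VERSION}-%{RELEASE}' rh-nodejs14-nodejs)
#              version_ge "$have" "14.17.2-1.el7" && echo "patched"
```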