nodejs:14 security, bug fix, and enhancement update
Errata ID: AXSA:2021-2343:01
Release date:
2021/08/12 Thursday - 03:10
Title:
nodejs:14 security, bug fix, and enhancement update
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- libuv's uv__idna_toascii() contains an out-of-bounds read: while converting a
string to ASCII it reads through a pointer without checking whether the pointer
has reached the end of the buffer, which can lead to information disclosure or
a crash. (CVE-2021-22918)
- The hosted-git-info package is vulnerable to Regular Expression Denial of
Service (ReDoS) through the regular expression assigned to the variable
shortcutMatch in the fromUrl function in index.js. (CVE-2021-23362)
- ssri mishandles SRIs when processing them with a regular expression while the
strict option is in use; a malicious SRI can take an extremely long time to
process, resulting in a denial of service. (CVE-2021-27290)
Modularity name: nodejs
Stream name: 14
Solution:
Update the packages.
CVE:
CVE-2021-22918
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().
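As an added illustration (constructed for this page, not libuv's code), the following C function shows the bounded-pointer pattern that the description above says uv__idna_toascii() lacked: the scanning pointer p is compared against the end pointer pe before every read, so a buffer without a terminator cannot be read past its end. The label-counting task, the function names and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not libuv's code): the bounded-pointer idiom that
 * the CVE-2021-22918 description says was missing. Every dereference of
 * the scanning pointer p is preceded by a p < pe check, where pe points
 * one past the last valid byte. The range [p, pe) is the only source of
 * truth, so the input does not need a terminating NUL.
 *
 * Counts the dot-separated labels in [p, pe). Returns the label count, or
 * -1 if a label is empty or longer than 63 bytes (the DNS label limit). */
int count_labels_bounded(const char *p, const char *pe) {
    int labels = 0;
    while (p < pe) {                      /* guard before touching a label */
        const char *start = p;
        while (p < pe && *p != '.')       /* guard before every *p read */
            p++;
        size_t len = (size_t)(p - start);
        if (len == 0 || len > 63)
            return -1;
        labels++;
        if (p < pe)                       /* step over '.' only if present */
            p++;
    }
    return labels;
}

/* Convenience wrapper for NUL-terminated strings: derives pe from strlen. */
int count_labels_str(const char *s) {
    return count_labels_bounded(s, s + strlen(s));
}

/* Constructed sample: exactly five bytes and deliberately no NUL terminator,
 * the situation in which an unchecked loop would read past the buffer. */
static const char sample[5] = {'a', '.', 'b', '.', 'c'};

int demo_full_range(void) { return count_labels_bounded(sample, sample + 5); } /* 3 */
int demo_truncated(void)  { return count_labels_bounded(sample, sample + 3); } /* 2: "a.b" */

/* A single 64-byte label, also without a terminator: rejected, not overrun. */
int demo_overlong_label(void) {
    char buf[64];
    memset(buf, 'a', sizeof buf);
    return count_labels_bounded(buf, buf + sizeof buf);                      /* -1 */
}

int main(void) {
    printf("example.com -> %d labels\n", count_labels_str("example.com"));
    printf("full range  -> %d labels\n", demo_full_range());
    printf("truncated   -> %d labels\n", demo_truncated());
    printf("overlong    -> %d (rejected)\n", demo_overlong_label());
    return 0;
}
```

The point of the two demo functions over the same unterminated bytes is that shortening pe changes the result instead of the behaviour: the caller's range, not a terminator that may be absent, decides how far the parser may read.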
CVE-2021-23362
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVE-2021-27290
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Additional information:
N/A
Downloads:
SRPMS
- nodejs-nodemon-2.0.3-1.module+el8+1286+5afcba67.src.rpm
MD5: 2bf6b3ab4397f92b328bdea7465f7181
SHA-256: 9fbf8ff0f63cb79917612acd942e979e3aa9f2589bc603e512477881aa5e7e8f
Size: 1.15 MB
- nodejs-packaging-23-3.module+el8+1286+5afcba67.src.rpm
MD5: 08208c7394a30fe85e05044aed068db4
SHA-256: 440e866bb1df4c8470249922a66307b0d8d358ce3bd034d6fbd5304fe3341164
Size: 26.56 kB
- nodejs-14.17.3-2.module+el8+1286+5afcba67.src.rpm
MD5: 3d36d8c7f66fd79f8709343645cc41a2
SHA-256: f8940ae0a0a079f2165061d5eb7f9d5c75daeb445ff3dab58671e93b6d081f76
Size: 66.13 MB
Asianux Server 8 for x86_64
- nodejs-nodemon-2.0.3-1.module+el8+1286+5afcba67.noarch.rpm
MD5: 8f49a46f73795c3ec7a64668029bd5a4
SHA-256: f829a9baa8bfc144c236e6fbeabd786c540af85330de0e1039693227615bc6d7
Size: 807.00 kB
- nodejs-packaging-23-3.module+el8+1286+5afcba67.noarch.rpm
MD5: a91b63fa369a0fc8715342d2a59597c9
SHA-256: c98c555a46fa9bb814790246292c10fddd68b58fc9d6e0b35e19c880a7aac961
Size: 23.00 kB
- nodejs-14.17.3-2.module+el8+1286+5afcba67.x86_64.rpm
MD5: 4b4952737d7d59d3a2dcc1455eef4cfa
SHA-256: 1f510a9377d670bf35a5bd804dd6eaae971c51c60ddb8b302595df95f1abb5cd
Size: 10.74 MB
- nodejs-debugsource-14.17.3-2.module+el8+1286+5afcba67.x86_64.rpm
MD5: fabb9ff483a2861ede7550c2926587f8
SHA-256: 97e4c6bd92558b4777a5820b45e967014915caf298319383fc77affbe7ac9e1f
Size: 10.93 MB
- nodejs-devel-14.17.3-2.module+el8+1286+5afcba67.x86_64.rpm
MD5: 4f07360425c3f38c0cb4b754665cb388
SHA-256: 4b42a3d4145667777d1e0054f361084f7b66fc9d84f1cda38b00e6fda8ee6151
Size: 200.93 kB
- nodejs-docs-14.17.3-2.module+el8+1286+5afcba67.noarch.rpm
MD5: 85340be43e38546fb83ab4e0090d7bbb
SHA-256: 90009ab015789c544cbc2a5abeaae87b69c38be893e276ab54ec831241369228
Size: 8.14 MB
- nodejs-full-i18n-14.17.3-2.module+el8+1286+5afcba67.x86_64.rpm
MD5: 08d9cbf00168d0200b1bbb1f5e9ee608
SHA-256: 01a595c02bf15ae7fccf8626e24bebe98d8664298fbfeabbcfe0e67913b20a5b
Size: 7.61 MB
- npm-6.14.13-1.14.17.3.2.module+el8+1286+5afcba67.x86_64.rpm
MD5: 83888d7a1905d154e77d2855291806aa
SHA-256: 667d058d711cfade71809a7cdc02e5d341976e9de367293802ff97f0190fcddf
Size: 3.67 MB