AXSA:2021-2386:03

リリース日: 
2021/08/26 Thursday - 15:54
題名: 
rh-nodejs12-nodejs-nodemon-2.0.3-5.el7, rh-nodejs12-nodejs-12.22.5-1.el7
影響のあるチャネル: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: rh-nodejs12-nodejs (12.22.5).

Security Fix(es):

* nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930)
* nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940)
* nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)
* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
* c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672)
* nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931)
* nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803)
* nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804)
* nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939)
* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-28469
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
CVE-2020-7788
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
CVE-2021-22930
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2021-22931
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.
CVE-2021-22939
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
CVE-2021-22940
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-23343
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
CVE-2021-32803
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
CVE-2021-32804
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.
CVE-2021-3672
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

解決策: 

Update packages.

追加情報: 

N/A

ダウンロード: 

SRPMS
  1. rh-nodejs12-nodejs-nodemon-2.0.3-5.el7.src.rpm
    MD5: 5c639c01bf2970a77cf5dfe039cd2cca
    SHA-256: 6303710f7bdcfd5bd8c54d0a32847726b8aa8fee32ea006a47a32624f287849d
    Size: 1.15 MB
  2. rh-nodejs12-nodejs-12.22.5-1.el7.src.rpm
    MD5: 265390714bf31ee2e65c2efcb743801d
    SHA-256: 94831d6fe0459ced18857bd025f5bda411fee07b9a8e14cd86f1e5c6f72f7d6f
    Size: 33.10 MB

Asianux Server 7 for x86_64
  1. rh-nodejs12-nodejs-nodemon-2.0.3-5.el7.noarch.rpm
    MD5: 8a855644f7e92d1e3311f938110dedd7
    SHA-256: a531e32341c571ca6cd59449c2c0d65e53516c577e795bf0ab7dbbe238dc9672
    Size: 818.42 kB
  2. rh-nodejs12-nodejs-12.22.5-1.el7.x86_64.rpm
    MD5: 945f29bce7904bc6f13c67deba1026ad
    SHA-256: eecc12cf172a958e3098278fc71bbec02b25e131b83d7998a3e2194abdd258a6
    Size: 10.18 MB
  3. rh-nodejs12-nodejs-devel-12.22.5-1.el7.x86_64.rpm
    MD5: 6291422de82e6c416c863d19df25cdbb
    SHA-256: b630be91dab8e4a027186806adf29625bcaa0acc600272e9253a587c11609153
    Size: 207.10 kB
  4. rh-nodejs12-nodejs-docs-12.22.5-1.el7.noarch.rpm
    MD5: c81d22360f6a8c3e12712a5b09caf180
    SHA-256: 0313cb214ef74a05239d2ea24e470ff3691da03ef90de037084494af1bfd6440
    Size: 4.12 MB
  5. rh-nodejs12-npm-6.14.14-12.22.5.1.el7.x86_64.rpm
    MD5: 85ca795067a07ce8e7509b6cc6fb4099
    SHA-256: 75987dd19b644e7f976b8afa3de7d287f21e3c3f1bb249ca6262639d76583e87
    Size: 4.00 MB
Copyright© 2007-2015 Asianux. All rights reserved.