AXSA:2021-2387:02

リリース日: 
2021/08/26 Thursday - 16:56
題名: 
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7, rh-nodejs14-nodejs-14.17.5-1.el7
影響のあるチャネル: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: rh-nodejs14-nodejs (14.17.5).

Security Fix(es):

* nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930)
* nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940)
* nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)
* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
* c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672)
* nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931)
* nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803)
* nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804)
* nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939)
* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-28469
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
CVE-2020-7788
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
CVE-2021-22930
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2021-22931
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.
CVE-2021-22939
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
CVE-2021-22940
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-23343
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
CVE-2021-32803
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
CVE-2021-32804
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.
CVE-2021-3672
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

解決策: 

Update packages.

追加情報: 

N/A

ダウンロード: 

SRPMS
  1. rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.src.rpm
    MD5: 0cacf45dc4855ce2314f13da1f5bb6ac
    SHA-256: 5c0e1f9c3c243c9279690e6f6cc074cbd140cf3b109d2c742b20ead706929a1a
    Size: 1.15 MB
  2. rh-nodejs14-nodejs-14.17.5-1.el7.src.rpm
    MD5: fb03b7a00c13db6f43ee82f02a95501e
    SHA-256: cc8f25bd09dd7da654053fa49c73d0e4a36da7fc91dc69a2c851f70e34d9d621
    Size: 43.12 MB

Asianux Server 7 for x86_64
  1. rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.noarch.rpm
    MD5: b5e202f9a4dd8f405d67123aed2500c1
    SHA-256: 0f372c0411ad0e19f3559b306418641d079be10633c9e5271627ea940b79bb45
    Size: 818.38 kB
  2. rh-nodejs14-nodejs-14.17.5-1.el7.x86_64.rpm
    MD5: 48ca606949eb77aee1fbaaf6015cbc94
    SHA-256: f066224077a69124737b2e13824ad129768f323630f1c600c3d3f73b49434602
    Size: 10.76 MB
  3. rh-nodejs14-nodejs-devel-14.17.5-1.el7.x86_64.rpm
    MD5: 7ea2ee0438d369885b3ff9021abc4a27
    SHA-256: df1179f37cc6954557c245b98a9fd913c97292c4dd9a797b3160221bedeaaf7b
    Size: 233.32 kB
  4. rh-nodejs14-nodejs-docs-14.17.5-1.el7.noarch.rpm
    MD5: bbcf8653fb7f5c9feea5ace2267b578f
    SHA-256: 79f5df1803510898b13df38bb716535f23eb4b4cfa4bea844dbfd41912bf4721
    Size: 4.34 MB
  5. rh-nodejs14-npm-6.14.14-14.17.5.1.el7.x86_64.rpm
    MD5: 5371f9e2efefcebf314191bd808b6eca
    SHA-256: ccd7db78e332100c79c8d553db16c229913d89060955e946eff2de435079dfdf
    Size: 4.09 MB
Copyright© 2007-2015 Asianux. All rights reserved.