nodejs:18 security update
Errata ID: AXSA:2023-6083:01
Release date:
2023/06/20 Tuesday - 08:06
Title:
nodejs:18 security update
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- c-ares falls back to the rand() function when the CARES_RANDOM_FILE build option is not set, which allows a remote attacker to predict the random numbers used internally. (CVE-2023-31124)
- The ares_inet_net_pton() function in c-ares has a buffer underflow, which allows a local attacker to cause a crash and a resulting denial of service via specific IPv6 address input such as "0::00:00:00/2". (CVE-2023-31130)
- When the /dev/urandom device file or the RtlGenRandom() function is unavailable, c-ares uses predictable random numbers generated with rand() for DNS query IDs, which allows a remote attacker to spoof DNS responses. (CVE-2023-31147)
- c-ares erroneously shuts down a socket, which allows a remote attacker to cause a denial of service via a crafted response packet with a data length of 0 bytes. (CVE-2023-32067)
Modularity name: nodejs
Stream name: 18
Solution:
Update the packages.
CVE:
CVE-2023-31124
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
CVE-2023-31130
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
CVE-2023-31147
c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compliant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
CVE-2023-32067
c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns it to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.
Additional information:
N/A
Download:
SRPMS
- nodejs-nodemon-2.0.20-2.module+el9+1013+246c6553.src.rpm
MD5: 2e12b29fdd26f6cfbfd5798fb89de97d
SHA-256: b1fe3a755f87c66ba4c14fcb6bc7240a65a9b0d304656fd117df61b4838bea8a
Size: 341.80 kB
- nodejs-packaging-2021.06-4.module+el9+1013+246c6553.src.rpm
MD5: e3599b3a0837c7c6f3e6241eccfdb934
SHA-256: b515a692bae858794ff74ec3d1a93397220e45a8d3c1b4612ef6fd72c9c0d463
Size: 26.54 kB
- nodejs-18.14.2-3.module+el9+1013+246c6553.src.rpm
MD5: a8571727d3a87887e18933d008b91857
SHA-256: 4971767c74d2cad16079d4e34be35a64510009180805a7b8d8cc6b7c57c3b2d6
Size: 175.46 MB
Asianux Server 9 for x86_64
- nodejs-18.14.2-3.module+el9+1013+246c6553.x86_64.rpm
MD5: deefb5da7fa24d4d0aff3d3f05922de3
SHA-256: 9441c699da10ffba29a5c67fad2a7c88a4ee0d4cbca335623e01f54f65f21f85
Size: 12.29 MB
- nodejs-debugsource-18.14.2-3.module+el9+1013+246c6553.x86_64.rpm
MD5: b55f7216f885776784f3f3055b5d5006
SHA-256: 29e3101b1c8f2453aa03bd9a2d8958b8f6348fd6425896b849b4d82e7bc8bee4
Size: 11.26 MB
- nodejs-devel-18.14.2-3.module+el9+1013+246c6553.x86_64.rpm
MD5: 41d2cdc2cec4ff02b08d83ea9b9f6081
SHA-256: f414e7ef3ae1bf28d0707e57d03530045c176eaf5b2d2731a286c06248bf6884
Size: 183.14 kB
- nodejs-docs-18.14.2-3.module+el9+1013+246c6553.noarch.rpm
MD5: 7b16206257d78e83980aaa1f597e8eed
SHA-256: 9f596c2be380cfa6e58da8aa0290826250ee1af27b14802af9603e5cae0c6733
Size: 7.42 MB
- nodejs-full-i18n-18.14.2-3.module+el9+1013+246c6553.x86_64.rpm
MD5: f15d53d4eaa84b61bb8ce7d4c8fe8b18
SHA-256: 5575e1db2e511c0cc4ef69a1fa52640871bd787e58e98641533cc20ff5f53db1
Size: 8.38 MB
- nodejs-nodemon-2.0.20-2.module+el9+1013+246c6553.noarch.rpm
MD5: 95e3827ca808cb0ae6fc5aa226b8f309
SHA-256: 960f26441c6d4b6e13ec0ebaed154281fab4bc8d76a663c812f69afe9efacd69
Size: 260.74 kB
- nodejs-packaging-2021.06-4.module+el9+1013+246c6553.noarch.rpm
MD5: a8ffcb2989c549c512beb6ddb58844a4
SHA-256: 49456dc4d83303c56186cf75e4a992b9cb3f3ca4f360dad089f1f44f56924d13
Size: 19.92 kB
- nodejs-packaging-bundler-2021.06-4.module+el9+1013+246c6553.noarch.rpm
MD5: a6e2ec17d49682768e21e70a9d02ecee
SHA-256: 2fca9d2fc5a1886c6be8404bb9efb402ad165dd5ce6a807e0b425f52364ac574
Size: 9.76 kB
- npm-9.5.0-1.18.14.2.3.module+el9+1013+246c6553.x86_64.rpm
MD5: 04af508cca7dad442b6c086df9ea8f35
SHA-256: 23e9576644b726f7298ed6f7c65f741c72e42f7ed6c7e2241d747a87ed595d29
Size: 1.96 MB
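The following shell script is an added example and is not part of the MIRACLE LINUX errata: it checks a manually downloaded RPM against the SHA-256 digest published above before the package is installed, so that a tampered or truncated download is caught rather than installed. The file name and digest used at the bottom are the ones listed for the nodejs x86_64 package in this errata; the guard around the call assumes the RPM may not be present in the current directory.

```shell
#!/bin/sh
# Added example (not the advisory's own tooling): verify a downloaded RPM
# against the SHA-256 published in the errata before installing it.

# Compare the SHA-256 of a file with an expected digest.
# Returns 0 when the digests match, non-zero on mismatch or unreadable file.
verify_sha256() {
    file="$1"
    expected="$2"
    # sha256sum prints "<digest>  <name>"; keep only the digest field.
    actual=$(sha256sum "$file" 2>/dev/null | awk '{print $1}') || return 1
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Values taken from the download list in this errata (nodejs, x86_64).
RPM="nodejs-18.14.2-3.module+el9+1013+246c6553.x86_64.rpm"
EXPECTED="9441c699da10ffba29a5c67fad2a7c88a4ee0d4cbca335623e01f54f65f21f85"

# Only run the check when the RPM is actually present; the SHA-256 is preferred
# over the MD5 also listed in the errata because MD5 is collision-prone.
if [ -f "$RPM" ]; then
    if verify_sha256 "$RPM" "$EXPECTED"; then
        echo "OK: $RPM matches the published SHA-256; install with: sudo dnf install ./$RPM"
    else
        echo "MISMATCH: $RPM does not match the published SHA-256; do not install" >&2
    fi
fi
```

After installing, `rpm -q nodejs` should report the 18.14.2-3.module+el9+1013+246c6553 build listed above; a system that is simply updated with `dnf update nodejs` from the configured channel gets the same verification from the repository's signed metadata, so the manual check matters mainly for RPMs fetched out of band.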