nodejs-16.20.1-1.el9
Errata ID: AXSA:2023-6283:02
Release date:
2023/08/03 Thursday - 04:02
Title:
nodejs-16.20.1-1.el9
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
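The following issues have been addressed.
[Security Fix]
- The llhttp parser in the Node.js http module does not properly handle CRLF sequences when parsing the delimiters of HTTP requests, which allows a remote attacker to carry out an HTTP request smuggling attack via a crafted HTTP request. (CVE-2023-30589)
Information on the following CVEs has not been published at this time.
This advisory will be updated once the CVE information is published.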
CVE-2023-30581
CVE-2023-30588
CVE-2023-30590
Solution:
Update the packages.
CVE:
CVE-2023-30581
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-30588
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and v20.
CVE-2023-30590
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
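The delimiter mismatch described under CVE-2023-30589 above, shown as an added example that is not part of this advisory or of the Node.js/llhttp code: it compares a CRLF-only split of the header block (RFC 7230 section 3) with a lenient split that also accepts a lone CR, and reports bare-CR offsets so that a proxy or log pipeline can reject or flag such requests. The function names and both sample requests are constructed for illustration.

```javascript
'use strict';

// Header block of a raw HTTP/1.x request: the bytes before the first CRLF CRLF.
// latin1 keeps one character per byte, so string offsets equal byte offsets.
function headerBlock(raw) {
  const end = raw.indexOf('\r\n\r\n');
  return (end === -1 ? raw : raw.subarray(0, end)).toString('latin1');
}

// RFC 7230 section 3 view: only CRLF terminates the request line and each field.
function strictLines(raw) {
  return headerBlock(raw).split('\r\n');
}

// Lenient model of the behaviour in the CVE text: a lone CR also ends a line.
function lenientLines(raw) {
  return headerBlock(raw).split(/\r\n|\r/);
}

// Offsets of every CR in the header block that is not followed by LF.
function findBareCR(raw) {
  const block = headerBlock(raw);
  const hits = [];
  for (let i = 0; i < block.length; i++) {
    if (block[i] === '\r' && block[i + 1] !== '\n') hits.push(i);
  }
  return hits;
}

// Summary a gateway or log pipeline could act on: reject when ambiguous.
function inspectRequest(raw) {
  const bareCR = findBareCR(raw);
  return {
    bareCR,
    strictCount: strictLines(raw).length,
    lenientCount: lenientLines(raw).length,
    ambiguous: bareCR.length > 0,
  };
}

// Constructed sample requests (not captured traffic).
const cleanRequest = Buffer.from(
  'GET / HTTP/1.1\r\nHost: example.test\r\nX-A: 1\r\n\r\n', 'latin1');
const bareCrRequest = Buffer.from(
  'GET / HTTP/1.1\r\nHost: example.test\r\nX-A: 1\rX-B: 2\r\n\r\n', 'latin1');

console.log(inspectRequest(cleanRequest));
console.log(inspectRequest(bareCrRequest));
```

A component in front of an unpatched Node.js service can treat `ambiguous: true` as grounds to refuse the request, since the two parsers would disagree on how many header fields it carries.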
Additional information:
N/A
Downloads:
SRPMS
- nodejs-16.20.1-1.el9.src.rpm
MD5: 289e65decb2f9950b66f4ca3e568f887
SHA-256: 6d503894ad993ee843286947470e921a10586f5330a5791cb7b169606695ac7e
Size: 70.73 MB
Asianux Server 9 for x86_64
- nodejs-16.20.1-1.el9.x86_64.rpm
MD5: 1d160272cb6553d422fb535d42283d1b
SHA-256: 18caa6cbcb9a53dc507af7b3e105dd7d8ef502f9469ab3a26967c84169f6f252
Size: 111.35 kB
- nodejs-docs-16.20.1-1.el9.noarch.rpm
MD5: 450e7d740a8dfbc526b665f45623a872
SHA-256: d569af4ae65d2bc57b022726fcde3f2c1c38bb35f09c1de571ccf31807bbec29
Size: 7.05 MB
- nodejs-full-i18n-16.20.1-1.el9.x86_64.rpm
MD5: 9e92e6952b8d31538049328497c54912
SHA-256: eb51a669e10d7b64e94f89e5d124cb40a2f5761b8b0941731ec14234978d9c34
Size: 8.21 MB
- nodejs-libs-16.20.1-1.el9.i686.rpm
MD5: 25fd616d7843161736527dc79114d2a3
SHA-256: 1bd1663e3c895e7ea46e4083f38935577eca1816b8d48e9ca905227ef6cb9d70
Size: 15.10 MB
- nodejs-libs-16.20.1-1.el9.x86_64.rpm
MD5: 24ca83e48470606fcb493eb06ab9bd51
SHA-256: 263380a229b1f1d30cc799500c30263d353989fa3efdae8cf27501716881b57a
Size: 14.47 MB
- npm-8.19.4-1.16.20.1.1.el9.x86_64.rpm
MD5: 1973c55fcf346975eef43596c58c876b
SHA-256: a4c24676f1425003836f07d9f44247c98ebdb29d651b72cbb790e087b46bbfc1
Size: 1.73 MB