nodejs:18 security, bug fix, and enhancement update
Errata ID: AXSA:2023-6295:01
Release date:
2023/08/04 Friday - 05:34
Title:
nodejs:18 security, bug fix, and enhancement update
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
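The following issues have been addressed.
[Security Fix]
- The llhttp parser in the Node.js http module does not properly handle
CRLF sequences when parsing HTTP request delimiters, so a remote
attacker can carry out an HTTP request smuggling attack via a crafted
HTTP request. (CVE-2023-30589)
Information on the following CVEs has not been published at this time.
This advisory will be updated as soon as the CVE information is published.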
CVE-2023-30581
CVE-2023-30588
CVE-2023-30590
Modularity name: nodejs
Stream name: 18
Solution:
Update the packages.
CVE:
CVE-2023-30581
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-30588
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and v20.
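An added example (not part of this advisory or of Node.js) of the strict-CRLF rule that CVE-2023-30589 concerns: it flags header blocks containing a CR without LF and shows that a strict and a lenient line split disagree on the number of header fields. The function names and sample bytes are constructed for illustration.

```javascript
// Added example: constructed header blocks, not captured traffic.
const CR = 0x0d, LF = 0x0a;

// Offsets of CR bytes not followed by LF, and LF bytes not preceded by CR.
function findBareLineBreaks(buf) {
  const hits = [];
  for (let i = 0; i < buf.length; i++) {
    if (buf[i] === CR && buf[i + 1] !== LF) hits.push({ offset: i, kind: 'bare CR' });
    if (buf[i] === LF && buf[i - 1] !== CR) hits.push({ offset: i, kind: 'bare LF' });
  }
  return hits;
}

// Strict split: only CRLF ends a header line (RFC 7230 section 3).
function splitStrict(text) {
  return text.split('\r\n').filter(Boolean);
}

// Lenient split: CR alone also ends a line, the behaviour the CVE describes.
function splitLenient(text) {
  return text.split(/\r\n|\r/).filter(Boolean);
}

// Compare both views of one header block; a mismatch means two parsers
// in the same request path could disagree about which fields exist.
function analyzeHeaderBlock(buf) {
  const text = buf.toString('latin1');
  const strict = splitStrict(text);
  const lenient = splitLenient(text);
  return {
    bare: findBareLineBreaks(buf),
    strictCount: strict.length,
    lenientCount: lenient.length,
    ambiguous: strict.length !== lenient.length,
  };
}

// Constructed samples: header section only, with harmless field names.
const wellFormed = Buffer.from('Host: example.test\r\nX-Note: a\r\n\r\n', 'latin1');
const bareCr = Buffer.from('Host: example.test\r\nX-Note: a\rX-Other: b\r\n\r\n', 'latin1');

for (const [name, sample] of [['wellFormed', wellFormed], ['bareCr', bareCr]]) {
  console.log(name, JSON.stringify(analyzeHeaderBlock(sample)));
}
```

A front-end proxy or request filter can reject any request whose `bare` list is non-empty, which keeps the two views of the header block from diverging while back ends are being updated.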
CVE-2023-30590
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Additional information:
N/A
Download:
SRPMS
- nodejs-nodemon-2.0.20-2.module+el9+1015+11cf0e3c.src.rpm
MD5: 076ab04a5fc704e945cc04373849272b
SHA-256: cd2f2858b345d4bc088c1b2ad32eeebdc0363544ccead053f9a27cb54b24217b
Size: 341.80 kB
- nodejs-packaging-2021.06-4.module+el9+1015+11cf0e3c.src.rpm
MD5: f36c8c93d1a337f58bdddb4ed9146dfc
SHA-256: 5b853a17bf8714367613ad3adcfe339e07bbc6d83d37e0d47616cfef0c54eb98
Size: 26.54 kB
- nodejs-18.16.1-1.module+el9+1015+11cf0e3c.src.rpm
MD5: e141626bc1f4f6c549ef6252f110206d
SHA-256: 8371d77b26949252aeb4bf9f739565140149a44e981b6d3627a399579699bd71
Size: 176.54 MB
Asianux Server 9 for x86_64
- nodejs-18.16.1-1.module+el9+1015+11cf0e3c.x86_64.rpm
MD5: 1942956487672f8d452f324e6cb757c8
SHA-256: 87472345a215dd451d54f1de720f43223e69cf9286d4aa15a52306d7223b3f1c
Size: 12.28 MB
- nodejs-debugsource-18.16.1-1.module+el9+1015+11cf0e3c.x86_64.rpm
MD5: 0b3f7bd967b321f18d796e5b7fc0b20b
SHA-256: 0b032a915e0552b956273e4937d9e3c6258effbbb18a004173af3103188bc5de
Size: 11.31 MB
- nodejs-devel-18.16.1-1.module+el9+1015+11cf0e3c.x86_64.rpm
MD5: b58190e43a09dd369c2475ac473203d1
SHA-256: 9d27b35c3aa6956e07077528e73f6127e7c3f7b6f44d9b079524d5a097e55fd8
Size: 183.39 kB
- nodejs-docs-18.16.1-1.module+el9+1015+11cf0e3c.noarch.rpm
MD5: d46c1503c0de0efbda99bebca2677cf7
SHA-256: c0a3376ab922f26146a4b6b7b8cd5585237064738d9a76ee3d9837379c9ae3c7
Size: 7.52 MB
- nodejs-full-i18n-18.16.1-1.module+el9+1015+11cf0e3c.x86_64.rpm
MD5: 75a5cfe3b12a21acb9bb2b1f5add1415
SHA-256: 7813edb6788e82e42c2f749f837472784bd57eb31f921546cfc5368af761e0a8
Size: 8.38 MB
- nodejs-nodemon-2.0.20-2.module+el9+1015+11cf0e3c.noarch.rpm
MD5: 76bbaf07425cb179d01b3e7e1bdfe034
SHA-256: 95b9d3ecb2458145e39daa0ca29374e332fc76030e0bbe90963b6aff943b6a9c
Size: 260.76 kB
- nodejs-packaging-2021.06-4.module+el9+1015+11cf0e3c.noarch.rpm
MD5: eacf9ddf997e2f6b4af785e46084fa0a
SHA-256: 06a81eadf189c593fb087e89b8302be98ae0aa55d87c371e0586f9b9e345bb75
Size: 19.91 kB
- nodejs-packaging-bundler-2021.06-4.module+el9+1015+11cf0e3c.noarch.rpm
MD5: 7d100d67a2ee440820103b223df4128d
SHA-256: 8bb27574387c12aa0a2b4a0bc13a728108d01fb3418fb8cabd940c8e84e4f1fb
Size: 9.76 kB
- npm-9.5.1-1.18.16.1.1.module+el9+1015+11cf0e3c.x86_64.rpm
MD5: 56d2c26fb52ec6a6e9bf7b4bd140d06c
SHA-256: 207f9aa758f22cff0864f34343a871cd727a3f024006b7d519b80838b6db98e6
Size: 1.97 MB