nodejs:16 security update
Errata ID: AXSA:2023-6328:01
Release date:
2023/08/10 Thursday - 12:06
Title:
nodejs:16 security update
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
The following items have been addressed.
[Security Fix]
- The llhttp parser in the Node.js http module does not correctly handle the CRLF sequence when parsing the delimiters of an HTTP request, so a remote attacker can carry out an HTTP request smuggling attack via a crafted HTTP request. (CVE-2023-30589)
Information for the following CVEs has not been published at this time.
This advisory will be updated once the CVE information is published.
CVE-2023-30581
CVE-2023-30588
CVE-2023-30590
Modularity name: nodejs
Stream name: 16
Solution:
Update the packages.
CVE:
CVE-2023-30581
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-30588
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and v20.
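The delimiter distinction described above, as an added example that is not part of this advisory or of Node.js/llhttp: a strict header-field splitter that accepts only CRLF per RFC 7230 section 3, beside the lenient split the CVE describes, plus a bare-CR counter that a defender can use as a logging or rejection check. The header blocks and function names are constructed for the example.

```javascript
// Added example (not from the advisory or from Node.js/llhttp): strict vs
// lenient header-field delimiting, and a bare-CR check for detection.

// Returns the number of CR bytes not immediately followed by LF.
// RFC 7230 section 3 allows only CRLF as a header-field delimiter, so any
// bare CR in a header block is malformed input worth logging or rejecting.
function countBareCr(headerBlock) {
  let count = 0;
  for (let i = 0; i < headerBlock.length; i++) {
    if (headerBlock[i] === '\r' && headerBlock[i + 1] !== '\n') count++;
  }
  return count;
}

// Strict (fixed) behaviour: split on CRLF only and reject any bare CR.
function splitHeaderFieldsStrict(headerBlock) {
  if (countBareCr(headerBlock) > 0) {
    throw new Error('bare CR in header block: only CRLF may delimit header fields');
  }
  return headerBlock.split('\r\n').filter((line) => line.length > 0);
}

// Lenient behaviour described in CVE-2023-30589: a lone CR also ends a
// header field. Shown only to make the parser disagreement visible.
function splitHeaderFieldsLenient(headerBlock) {
  return headerBlock.split(/\r\n|\r/).filter((line) => line.length > 0);
}

// Constructed sample header blocks (request line and body omitted).
const WELL_FORMED = 'Host: example.test\r\nContent-Length: 0\r\n';
const BARE_CR = 'Host: example.test\rContent-Length: 0\r\n';

// Compare how the two splitters see a block; returns a summary object so
// the disagreement (the root of a smuggling risk) can be checked in code.
function compareSplitters(headerBlock) {
  let strict;
  try {
    strict = splitHeaderFieldsStrict(headerBlock);
  } catch (err) {
    strict = null; // strict parser rejected the block
  }
  return {
    bareCrCount: countBareCr(headerBlock),
    strictFields: strict,
    lenientFields: splitHeaderFieldsLenient(headerBlock),
  };
}
```

For the constructed BARE_CR block the strict splitter rejects the input while the lenient one yields two fields, which is exactly the front-end/back-end disagreement the advisory warns about.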
CVE-2023-30590
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Additional information:
N/A
Downloads:
SRPMS
- nodejs-nodemon-2.0.20-3.module+el8+1652+4ee522e3.src.rpm
  MD5: 65b36d5274bbdf2af25695846d6bc3f9
  SHA-256: 88020c6d6b05ded460ecff0b9341e71431dcda97f1c12e37925a6eb38b3179a0
  Size: 395.30 kB
- nodejs-packaging-25-1.module+el8+1652+4ee522e3.src.rpm
  MD5: 408731dc6dde426d172611eb6543be49
  SHA-256: 8a856d2fa6557adb2f6a48b2ba7af494bb5b77eb9eb13ed9839ae00a1524db9b
  Size: 26.80 kB
- nodejs-16.20.1-1.module+el8+1652+4ee522e3.src.rpm
  MD5: a56a581c34917fd9c3e4c541a8ba038c
  SHA-256: 34c5a66d69af2c854bb20e2495bad2dfc0de258f0871f993301278811c7f6f8a
  Size: 70.74 MB
Asianux Server 8 for x86_64
- nodejs-16.20.1-1.module+el8+1652+4ee522e3.x86_64.rpm
  MD5: c125a1744018742494d5c9fb3110ba19
  SHA-256: 50b3e66f95893ec972017b730cb6e4741e435d81cea18859a36caa05a1136671
  Size: 12.27 MB
- nodejs-debugsource-16.20.1-1.module+el8+1652+4ee522e3.x86_64.rpm
  MD5: 1e0e7c54d281d0f31269d88e7039504d
  SHA-256: 64153705840b5bf33de75d74031815fcc0c93a4ff3e984b94071c370163f4ea4
  Size: 13.04 MB
- nodejs-devel-16.20.1-1.module+el8+1652+4ee522e3.x86_64.rpm
  MD5: 64d040d6a1435f763a9649cd9eb7c104
  SHA-256: 84406c98bf16c085b207b740dda6363c8cfd9b49059b56486a82926c05a7795c
  Size: 192.28 kB
- nodejs-docs-16.20.1-1.module+el8+1652+4ee522e3.noarch.rpm
  MD5: 50ccca12c9c966ce2850d9f4739919c0
  SHA-256: dc01e3f010533c89f222591fb26b1f9547532ca3ccc9a88973a6aa22a7ae80d4
  Size: 9.35 MB
- nodejs-full-i18n-16.20.1-1.module+el8+1652+4ee522e3.x86_64.rpm
  MD5: b4e1fb8ce063fcad25f87b081162199d
  SHA-256: 36c3928ac035f9e6ee62847c3c4bd896e9e264c194b187de62dd43a7b0a700d4
  Size: 8.01 MB
- nodejs-nodemon-2.0.20-3.module+el8+1652+4ee522e3.noarch.rpm
  MD5: 1ae4782101f38c740dd02d3ebf85c902
  SHA-256: 915ee475864311e919180eb2bf8aeccfa412506bab0d4aaf7e7115e144542246
  Size: 272.63 kB
- nodejs-packaging-25-1.module+el8+1652+4ee522e3.noarch.rpm
  MD5: e7997a39657ea52e22c9e7d4e0b72648
  SHA-256: 7b1e2ad1eb8d42f3047a18f25eda47b01851d3d4d06ce70f324d01c36bd91f89
  Size: 23.19 kB
- npm-8.19.4-1.16.20.1.1.module+el8+1652+4ee522e3.x86_64.rpm
  MD5: 2392921161faf355360a0932d4e9cb1b
  SHA-256: 0e299d8342c9148a22208733280ec2a9577a230265a281c47496861dc18f5be1
  Size: 1.88 MB