nodejs:18 security, bug fix, and enhancement update
Errata ID: AXSA:2023-6339:01
Release date:
2023/08/16 Wednesday - 08:19
Subject:
nodejs:18 security, bug fix, and enhancement update
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- The llhttp parser used by the Node.js http module does not strictly require the CRLF sequence when delimiting HTTP header fields: a bare CR (without LF) is accepted as a field terminator, contrary to RFC 7230 section 3. A remote attacker can exploit this with a crafted HTTP request to perform an HTTP request smuggling attack against a Node.js server that sits behind an intermediary parsing the same bytes differently. (CVE-2023-30589)
Details for the following CVEs had not been published at the time of writing.
This entry will be updated once the CVE information is released.
CVE-2023-30581
CVE-2023-30588
CVE-2023-30590
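The following is an added illustration of the bug class described above; it is not llhttp or Node.js code and not part of the original advisory. It is a minimal HTTP/1.1 header-block parser with a mode switch: lenient mode ends a header field at a bare CR (the behaviour the advisory describes), strict mode ends a field only at CRLF and rejects CR inside a field value as RFC 7230 requires. The sample header block, the function names (parseHeaderBlock, framingHeaders, compare) and the constant names are all constructed for this example.

```javascript
'use strict';
// Added illustration for the CVE-2023-30589 bug class. This is NOT llhttp or
// Node.js source: it is a small HTTP/1.1 header-block parser with a switch that
// reproduces the lenient behaviour the advisory describes (a bare CR accepted as
// a field terminator) beside the strict RFC 7230 behaviour (CRLF only).

// RFC 7230 token characters, used for field names.
const FIELD_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// RFC 7230 field-value content: HTAB, SP, VCHAR (0x21-0x7E), obs-text (0x80-0xFF).
// CR (0x0D) and LF (0x0A) are never legal inside a field value.
const FIELD_VALUE = /^[\t\x20-\x7e\x80-\xff]*$/;

// Parse the header block of a request (everything after the request line, up
// to and including the empty line). Returns [[name, value], ...] with
// lower-cased names, or throws for anything a strict parser must reject.
function parseHeaderBlock(raw, { strict }) {
  const end = raw.indexOf('\r\n\r\n');
  if (end === -1) throw new Error('header block not terminated by CRLF CRLF');
  const block = raw.slice(0, end);
  // Strict: only CRLF ends a header field. Lenient: a lone CR ends one too.
  const lines = strict ? block.split('\r\n') : block.split(/\r\n|\r/);
  const fields = [];
  for (const line of lines) {
    const colon = line.indexOf(':');
    if (colon < 1) throw new Error(`malformed header line ${JSON.stringify(line)}`);
    const name = line.slice(0, colon);
    // Trim optional whitespace (SP / HTAB only; CR is deliberately not stripped).
    const value = line.slice(colon + 1).replace(/^[ \t]+|[ \t]+$/g, '');
    if (!FIELD_NAME.test(name)) throw new Error(`invalid field name ${JSON.stringify(name)}`);
    if (!FIELD_VALUE.test(value)) throw new Error(`invalid field value ${JSON.stringify(value)}`);
    fields.push([name.toLowerCase(), value]);
  }
  return fields;
}

// The headers that decide message framing, i.e. where the request body ends.
function framingHeaders(fields) {
  return fields.filter(([n]) => n === 'content-length' || n === 'transfer-encoding');
}

// Constructed sample (not a captured request): the second line carries a bare
// CR between two headers, so a CRLF-only parser sees one header with an
// illegal value while a CR-tolerant parser sees two headers.
const CRAFTED =
  'Host: example.test\r\n' +
  'Content-Length: 5\rTransfer-Encoding: chunked\r\n' +
  '\r\n';

// Parse the same bytes both ways and report what each side would honour.
function compare(raw) {
  const lenient = parseHeaderBlock(raw, { strict: false });
  let strictResult;
  try {
    strictResult = parseHeaderBlock(raw, { strict: true });
  } catch (e) {
    strictResult = `rejected: ${e.message}`;
  }
  return { lenient: framingHeaders(lenient), strict: strictResult };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(compare(CRAFTED), null, 2));
}
```

Running it shows the lenient parser honouring both Content-Length and Transfer-Encoding: chunked, while the strict parser refuses the request outright. That disagreement is what makes request smuggling possible: a front end that treats the bare CR as ordinary header data forwards one message framed by Content-Length, and a back end that splits on CR frames it by Transfer-Encoding instead, so the two disagree about where the request ends. Rejecting CR inside a field value, as the strict branch does, is the safe behaviour.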
Modularity name: nodejs
Stream name: 18
Solution:
Update the package. The fixed build is nodejs 18.16.1-1.module+el8+1657+e8eed1e5 in the nodejs:18 module stream; after updating, confirm with rpm -q nodejs that this version is installed.
CVE:
CVE-2023-30581
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-30588
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and v20.
CVE-2023-30590
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Additional information:
N/A
Downloads:
SRPMS
- nodejs-nodemon-2.0.20-2.module+el8+1657+e8eed1e5.src.rpm
MD5: ef1c3aded88407e88a63c6a4c1bbf175
SHA-256: a9523fa7468549e3a9e54f339d0946467d71bfc215e2040ad099d418d91be3cc
Size: 342.26 kB
- nodejs-packaging-2021.06-4.module+el8+1657+e8eed1e5.src.rpm
MD5: 83d3fe33bfcd862e0a2b96b009bf625c
SHA-256: 00e039709ffe168da3eaeb12d388d4d5141dd3c2684a8148735d43da9dfe09d5
Size: 30.29 kB
- nodejs-18.16.1-1.module+el8+1657+e8eed1e5.src.rpm
MD5: 664d60b2c4dbb8069e984b2792d4fbda
SHA-256: bcdeb62b66d0eb4d39f736eb9995e5e8c813fe9f6f89ceb6d81a7ec538a4c558
Size: 79.01 MB
Asianux Server 8 for x86_64
- nodejs-18.16.1-1.module+el8+1657+e8eed1e5.x86_64.rpm
MD5: 1d93a347108ab4e0c1d0b1ff40479b37
SHA-256: 792b31317b0568dca87102dd44c6434d2ce509633dfa0c7fa68084fc3b2e1f83
Size: 13.31 MB
- nodejs-debugsource-18.16.1-1.module+el8+1657+e8eed1e5.x86_64.rpm
MD5: ef5d2ad5337f8bbe31360497ddf34f42
SHA-256: 7c31685401fa3b321ef0b56688c5a5a64d92b250bbca0a79d240dbd78a937140
Size: 14.02 MB
- nodejs-devel-18.16.1-1.module+el8+1657+e8eed1e5.x86_64.rpm
MD5: c5decc59e70dcee8e3010f368dca27c9
SHA-256: cd6b1b4edfad272cf68aec60844cec8118db43063e596b00f1e04f39b5c95af5
Size: 206.46 kB
- nodejs-docs-18.16.1-1.module+el8+1657+e8eed1e5.noarch.rpm
MD5: b70c3c0fce3f2ac1d7b383f9a3441b01
SHA-256: ba2e947b85d264b23d51cb14e2340185609cf511b1621d12482107370be8051c
Size: 9.88 MB
- nodejs-full-i18n-18.16.1-1.module+el8+1657+e8eed1e5.x86_64.rpm
MD5: b0f15750c2825b1c4ff6efc0120461f5
SHA-256: 1ede93d10d3d6e4d39aa157e143c066608ef40eb8f1cfc6c495b856578b336a4
Size: 8.18 MB
- nodejs-nodemon-2.0.20-2.module+el8+1657+e8eed1e5.noarch.rpm
MD5: 334ca99461084db215f68bde0f5896e1
SHA-256: 32fa6ee0380b90d00a1f59b98ab8f8dbec42d990a158a2c7a297120eb472aa23
Size: 274.23 kB
- nodejs-packaging-2021.06-4.module+el8+1657+e8eed1e5.noarch.rpm
MD5: cf9f387c9e06297c49cc96d52db4e181
SHA-256: 73c3f8498243d7a0a34d78348871ea258000c6e1b6972c67c2e43707c4695a2a
Size: 24.14 kB
- nodejs-packaging-bundler-2021.06-4.module+el8+1657+e8eed1e5.noarch.rpm
MD5: 6baa62d2a60aeefa6df38ab82c6030d5
SHA-256: 602b1923d897f6d0481dbb0c9a73b551e4f1026ae65f94cdde1d0d1a66bc6efd
Size: 13.76 kB
- npm-9.5.1-1.18.16.1.1.module+el8+1657+e8eed1e5.x86_64.rpm
MD5: 766d2adbae53511b88b5cd0573a44345
SHA-256: 07816c98c556fce8a1d906ca21d0573c3e9b048881fe231a09d180b9f9240061
Size: 2.20 MB