nodejs:18 security, bug fix, and enhancement update
エラータID: AXSA:2023-6463:01
リリース日:
2023/09/29 Friday - 11:50
題名:
nodejs:18 security, bug fix, and enhancement update
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Node.js の sember パッケージには、CPU リソースを多く消費して
しまう問題があるため、リモートの攻撃者により、細工された正規表現の
入力を介して、正規表現によるサービス拒否攻撃を可能とする脆弱性が
存在します。(CVE-2022-25883)
- Node.js には、リモートの攻撃者により、Module._load() を利用する
ことを介して、ポリシー機構をバイパスし与えられたモジュールの
policy.json の定義外のモジュールの要求を可能とする脆弱性が存在します。
(CVE-2023-32002)
- Node.js には、リモートの攻撃者により、
module.constructor.createRequire() を利用することを介して、ポリシー機構
をバイパスし与えられたモジュールの policy.json の定義外のモジュールの
要求を可能とする脆弱性が存在します。(CVE-2023-32006)
- Node.js の process.binding() 関数には、ポリシー機能が迂回されて
しまう問題があるため、リモートの攻撃者により、任意のコードの実行を
可能とする脆弱性が存在します。(CVE-2023-32559)
Modularity name: nodejs
Stream name: 18
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2022-25883
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
CVE-2023-32002
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
CVE-2023-32006
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
CVE-2023-32559
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
追加情報:
N/A
ダウンロード:
SRPMS
- nodejs-nodemon-3.0.1-1.module+el9+1017+47e88fad.src.rpm
MD5: e5abc5b9b062ee06da43a1e12d6f9008
SHA-256: da5de9e22b107abc4d539a9b8202032cb20348678061ba23719157298b169d04
Size: 339.27 kB - nodejs-packaging-2021.06-4.module+el9+1017+47e88fad.src.rpm
MD5: cb339affdcae4ac4dae7aabda3e0b778
SHA-256: 80e06a7cabcb23cb2434da8008c9d8821a3c0e1ef8dbe0d798265bf946932747
Size: 26.54 kB - nodejs-18.17.1-1.module+el9+1017+47e88fad.src.rpm
MD5: 1e58a6e3f36cd1dab689d770fdc5dcd2
SHA-256: c13e785e9e97d8a8f982afd97f1fca5125fab5f669e3d05b0f64eec4f421020b
Size: 123.66 MB
Asianux Server 9 for x86_64
- nodejs-18.17.1-1.module+el9+1017+47e88fad.x86_64.rpm
MD5: 22876d51cfc26d69b8cb70149051c6c2
SHA-256: 2c8dd86b722b2e592dbfacb04a6928f48fe3f38c64884a14de38949820ada62b
Size: 12.57 MB - nodejs-debugsource-18.17.1-1.module+el9+1017+47e88fad.x86_64.rpm
MD5: 9755ed0cdae7b31dfd0e4afb57caf082
SHA-256: 9b3535f866a266d6a474348db1945178b7ca7e45bec6c48db6b1f7aa1b79ee38
Size: 11.63 MB - nodejs-devel-18.17.1-1.module+el9+1017+47e88fad.x86_64.rpm
MD5: 0d59ae9b3f41452568369f6522eecf51
SHA-256: c1183c227dec383b7319f0db0737994bd7a5e8b332722c4261849f44530a8d44
Size: 183.48 kB - nodejs-docs-18.17.1-1.module+el9+1017+47e88fad.noarch.rpm
MD5: 08e97cdf756ece87e666065a2329f91b
SHA-256: 8fd106cca067578740a5d548de8314b15ff46979ff210aea14fa317b49ae9a23
Size: 7.59 MB - nodejs-full-i18n-18.17.1-1.module+el9+1017+47e88fad.x86_64.rpm
MD5: 8c25d1a9cbdefae40f3ff3b6393a9303
SHA-256: dd820408f5f96dd4c3f44a29affb4439e0943a3eacefb9ef56d5776a66b35f65
Size: 8.51 MB - nodejs-nodemon-3.0.1-1.module+el9+1017+47e88fad.noarch.rpm
MD5: 9464c56b231d70fca102f409cfdb8a76
SHA-256: 6daf194681468677e8959e0bef496a8621162b559dcaa42fe3d5cd66454b8fe6
Size: 268.42 kB - nodejs-packaging-2021.06-4.module+el9+1017+47e88fad.noarch.rpm
MD5: 8fdc45dcaf187f73cfeecce8d3a960b6
SHA-256: aa1bd4cb0e7ca63308ef3090ecdbed9edb78c6e442714046d93ece21d8c5bf7c
Size: 19.91 kB - nodejs-packaging-bundler-2021.06-4.module+el9+1017+47e88fad.noarch.rpm
MD5: 374589c4c0676406d15d7fa534d65202
SHA-256: 56107b31a7d656e56260bdc909b3ab9b6e22947587a0a45201a0a76c3259f96d
Size: 9.76 kB - npm-9.6.7-1.18.17.1.1.module+el9+1017+47e88fad.x86_64.rpm
MD5: 6d83c1324993304a75643ed6cd845b5e
SHA-256: d34e9ce01a4916c07987dc85272a54d7cb9aeb89de303ad5672f15f787a8c897
Size: 2.02 MB
English