nodejs:16 security, bug fix, and enhancement update
Errata ID: AXSA:2023-6464:01
Release date:
2023/10/02 Monday - 05:53
Title:
nodejs:16 security, bug fix, and enhancement update
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- The semver package in Node.js consumes excessive CPU time on certain
inputs, allowing a remote attacker to cause a regular expression denial of
service (ReDoS) via crafted input passed to the regular-expression-based
version range parser. (CVE-2022-25883)
- Node.js allows a remote attacker to bypass the policy mechanism via
Module._load() and require modules outside the policy.json definition
for a given module. (CVE-2023-32002)
- Node.js allows a remote attacker to bypass the policy mechanism via
module.constructor.createRequire() and require modules outside the
policy.json definition for a given module. (CVE-2023-32006)
- The process.binding() function in Node.js can be used to bypass the
policy mechanism, allowing a remote attacker to execute arbitrary code
outside the limits defined in policy.json. (CVE-2023-32559)
Modularity name: nodejs
Stream name: 16
Solution:
Update the packages.
CVE:
CVE-2022-25883
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
CVE-2023-32002
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
CVE-2023-32006
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
CVE-2023-32559
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` to run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
Additional information:
N/A
Downloads:
SRPMS
- nodejs-nodemon-3.0.1-1.module+el8+1662+5350972c.src.rpm
MD5: 2d9af109363ddeb6d8eb770a126ac38f
SHA-256: 70c4aa66873ef916d4267fa215e91db58b83eca2f3de1fe78c3b1d1b96946579
Size: 340.68 kB
- nodejs-packaging-26-1.module+el8+1662+5350972c.src.rpm
MD5: 4eb879cc9a9d80013d82dbae655f8bf6
SHA-256: ce41fee093b06e532451a89a05b909a5cd4459afbc3538f8f0fe340851adcc16
Size: 29.28 kB
- nodejs-16.20.2-2.module+el8+1662+5350972c.src.rpm
MD5: 588f1bb3de6cd729535f97287445f017
SHA-256: 10b4096c257488d80b6a43b8f3f266e82badf8e273b49fd0fe0f8d22762d166d
Size: 71.53 MB
Asianux Server 8 for x86_64
- nodejs-16.20.2-2.module+el8+1662+5350972c.x86_64.rpm
MD5: 630436258fc80e3edcaa09e57ddc2dcf
SHA-256: 588fd877b19738e6879d229ebcd8ede27b7f46e9b66d1c92d7cbf33d0e04ea41
Size: 12.27 MB
- nodejs-debugsource-16.20.2-2.module+el8+1662+5350972c.x86_64.rpm
MD5: dbc344b0e491118ca2c3086edbdac284
SHA-256: 1047e790c56f2b078b5a246ac57126c98204814bfc23e25fd426658de99821ac
Size: 13.05 MB
- nodejs-devel-16.20.2-2.module+el8+1662+5350972c.x86_64.rpm
MD5: a1eb87b32c89ec5b60932d1b340215b0
SHA-256: a8cf65b2da7a3e15381ca38758cf88a0b6d2566e7e52568be5943272226eed18
Size: 192.58 kB
- nodejs-docs-16.20.2-2.module+el8+1662+5350972c.noarch.rpm
MD5: 826868f955ef502cb250aef1d5bdb79e
SHA-256: 594d6295a69ba077c748e56034e74881025ef172945e9f4f28fe789ec59c06dd
Size: 9.35 MB
- nodejs-full-i18n-16.20.2-2.module+el8+1662+5350972c.x86_64.rpm
MD5: 3801e6bc0716e2a64b2974b22cac7323
SHA-256: ddc65ca94c8530ae842c937fe0b5dde29e41427c1560cc614c41d9b23ced21bc
Size: 8.01 MB
- nodejs-nodemon-3.0.1-1.module+el8+1662+5350972c.noarch.rpm
MD5: f0a74bff74df2ac29feab957fe6fc8df
SHA-256: 6f11c7f04e6866e6f8720a11902817388b9bf1ca11cb0b284fc8707b819fc8c3
Size: 282.09 kB
- nodejs-packaging-26-1.module+el8+1662+5350972c.noarch.rpm
MD5: c1ce3b277d1bfe209f591ac154b11743
SHA-256: 42ba41676d24fcf0a147a80adf9f8658e290a51319cd7c116c06fa646b1d898c
Size: 23.37 kB
- npm-8.19.4-1.16.20.2.2.module+el8+1662+5350972c.x86_64.rpm
MD5: 4b02a50d9e3387dd6d30d66f80731967
SHA-256: 970fcf7d85675c6f8b2f85f601adb8b2c962c8294e54c98610dcf077a698f471
Size: 1.88 MB