nodejs-16.20.2-1.el9
Errata ID: AXSA:2023-6490:04
Release date:
2023/10/11 Wednesday - 08:44
Title:
nodejs-16.20.2-1.el9
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
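The following issues have been addressed.
[Security Fix]
- Node.js contains a vulnerability that allows a remote attacker,
via the use of Module._load(), to bypass the policy mechanism
and require modules outside of the policy.json definition for
a given module. (CVE-2023-32002)
- Node.js contains a vulnerability that allows a remote attacker,
via the use of module.constructor.createRequire(), to bypass
the policy mechanism and require modules outside of the
policy.json definition for a given module.
(CVE-2023-32006)
- The process.binding() function in Node.js has an issue that
lets the policy feature be bypassed, resulting in a
vulnerability that allows a remote attacker to execute
arbitrary code.
(CVE-2023-32559)
Solution:
Update the packages.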
CVE:
CVE-2023-32002
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
CVE-2023-32006
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
CVE-2023-32559
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` to run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
Additional information:
N/A
Download:
SRPMS
- nodejs-16.20.2-1.el9.src.rpm
MD5: 310cb53b99ef35629ad94db869b0498d
SHA-256: 14ca9ebfc74443a3c480449607348589d77e4daa27966743daeb6e0e08ec53c9
Size: 70.71 MB
Asianux Server 9 for x86_64
- nodejs-16.20.2-1.el9.x86_64.rpm
MD5: 68b3245199c6827c12eb1ed603ba27ee
SHA-256: 20e13e87bb02c20ca4cef8c66922d326a347e3462c59b4cbe839c985f3a23064
Size: 111.14 kB
- nodejs-docs-16.20.2-1.el9.noarch.rpm
MD5: c3aedd3e7ff0fd9e593c18ac927afc2a
SHA-256: 69e4070f07344dd412b5dcd9c08358c56422cc7e78e11aa06318f88b345891e2
Size: 7.05 MB
- nodejs-full-i18n-16.20.2-1.el9.x86_64.rpm
MD5: b914ce31eaf5ff0e1d0ec092c60d863a
SHA-256: d14250009b3d262b980e441d5b74fe9ce43dabf042737b35cc921b84812ce325
Size: 8.21 MB
- nodejs-libs-16.20.2-1.el9.i686.rpm
MD5: fa71774dc710ef870e4e8811c7441226
SHA-256: 2d7df74808a82a9d129e6947cd1f772e3fc498558e4c948e9c1e577eff78dc81
Size: 15.10 MB
- nodejs-libs-16.20.2-1.el9.x86_64.rpm
MD5: 0c72a2d25202672d0dd693b8bbe0bec9
SHA-256: 248becdc4761191cbde74567884aa5f8f7567dd040ff5a86a43ad831b3214469
Size: 14.47 MB
- npm-8.19.4-1.16.20.2.1.el9.x86_64.rpm
MD5: 7ac87c30e96050880ab97258e689acd4
SHA-256: cff8da323d1a8d4da07a3cf00f1ba121d47611f711c6926f190bbbfcdfcfbed4
Size: 1.73 MB