nodejs:18 security update
Errata ID: AXSA:2023-6525:01
Release date:
2023/10/20 Friday - 12:31
Title:
nodejs:18 security update
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
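The following issues have been addressed.
[Security Fix]
- The Node.js policy feature has an issue that allows a forged checksum to be passed to the policy feature. As a result, a vulnerability exists that allows a remote attacker, via a crafted application, to bypass the integrity checks of the manifest and resources. (CVE-2023-38552)
- The HTTP/2 protocol has an issue that leads to unintended resource consumption. As a result, a vulnerability exists that allows a remote attacker to cause a denial of service (resource exhaustion) by sending requests for new multiplexed streams and cancelling those requests with RST_STREAM frames. (CVE-2023-44487)
- Undici in Node.js did not clear the Cookie header on cross-origin redirects. As a result, a vulnerability exists that allows a remote attacker to cause disclosure of Cookie header information. (CVE-2023-45143)
Information on the following CVE has not been published at this time.
We will update this information as soon as the CVE information is published.
CVE-2023-39333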
Modularity name: nodejs
Stream name: 18
Solution:
Update the packages.
CVE:
CVE-2023-38552
When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.
CVE-2023-39333
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2023-45143
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (i.e. an open redirector) to leak the cookie to the third-party site. This was patched in version 5.26.2. There are no known workarounds.
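The cross-origin redirect behaviour described for CVE-2023-45143, as an added illustration (not undici's code and not part of the original advisory): a small model that walks a constructed redirect chain and reports which origins would receive the `Cookie` header before and after the fix. The function names, URLs and header values are assumptions made for the example.

```javascript
// Simplified model of redirect header handling; not undici's implementation.
// Headers dropped when a redirect crosses origins. Per the CVE text, undici
// cleared Authorization before 5.26.2 and additionally clears Cookie from 5.26.2.
const PRE_FIX = ['authorization'];
const PATCHED = ['authorization', 'cookie'];

// Compute the URL and headers for the next hop of a redirect.
// Header names are case-insensitive, so they are compared in lower case.
function headersForNextHop(headers, fromUrl, location, sensitive) {
  const next = new URL(location, fromUrl); // resolves relative Location values
  if (next.origin === new URL(fromUrl).origin) {
    return { url: next.href, headers: { ...headers } };
  }
  // Origin (scheme, host or port) changed: drop the sensitive headers.
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!sensitive.includes(name.toLowerCase())) kept[name] = value;
  }
  return { url: next.href, headers: kept };
}

// Walk a redirect chain without any network I/O and record what each hop receives.
function traceRedirects(startUrl, headers, locations, sensitive) {
  const hops = [{ url: startUrl, headers: { ...headers } }];
  for (const location of locations) {
    const prev = hops[hops.length - 1];
    hops.push(headersForNextHop(prev.headers, prev.url, location, sensitive));
  }
  return hops;
}

// Constructed sample: one same-origin hop, then a redirect to another origin.
const SAMPLE_HEADERS = {
  Cookie: 'session=constructed-value',
  Authorization: 'Bearer constructed-token',
  Accept: '*/*',
};
const SAMPLE_CHAIN = ['/login/next', 'https://third-party.example/collect'];

// Origins that would be sent a Cookie header under the given stripping policy.
function cookieReceivers(sensitive) {
  return traceRedirects('https://app.example/start', SAMPLE_HEADERS, SAMPLE_CHAIN, sensitive)
    .filter((hop) => Object.keys(hop.headers).some((n) => n.toLowerCase() === 'cookie'))
    .map((hop) => new URL(hop.url).origin);
}

console.log('pre-fix :', cookieReceivers(PRE_FIX));
console.log('patched :', cookieReceivers(PATCHED));
```
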
Additional information:
N/A
Downloads:
SRPMS
- nodejs-nodemon-3.0.1-1.module+el9+1018+1b955d7b.src.rpm
Size: 339.27 kB
- nodejs-packaging-2021.06-4.module+el9+1018+1b955d7b.src.rpm
Size: 26.54 kB
- nodejs-18.18.2-2.module+el9+1018+1b955d7b.src.rpm
Size: 122.96 MB
Asianux Server 9 for x86_64
- nodejs-18.18.2-2.module+el9+1018+1b955d7b.x86_64.rpm
Size: 12.56 MB
- nodejs-debugsource-18.18.2-2.module+el9+1018+1b955d7b.x86_64.rpm
Size: 11.67 MB
- nodejs-devel-18.18.2-2.module+el9+1018+1b955d7b.x86_64.rpm
Size: 183.36 kB
- nodejs-docs-18.18.2-2.module+el9+1018+1b955d7b.noarch.rpm
Size: 7.62 MB
- nodejs-full-i18n-18.18.2-2.module+el9+1018+1b955d7b.x86_64.rpm
Size: 8.52 MB
- nodejs-nodemon-3.0.1-1.module+el9+1018+1b955d7b.noarch.rpm
Size: 268.41 kB
- nodejs-packaging-2021.06-4.module+el9+1018+1b955d7b.noarch.rpm
Size: 19.91 kB
- nodejs-packaging-bundler-2021.06-4.module+el9+1018+1b955d7b.noarch.rpm
Size: 9.76 kB
- npm-9.8.1-1.18.18.2.2.module+el9+1018+1b955d7b.x86_64.rpm
Size: 2.01 MB