nodejs:18 security update
Errata ID: AXSA:2024-7655:01
Release date:
2024/04/04 Thursday - 16:44
Title:
nodejs:18 security update
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- Node.js has a flaw in the handling of environment variables when a process is run with elevated privileges using certain features: environment variables set by a user who lacks the privileges that should have been evaluated are not ignored. A local attacker can exploit this to inject arbitrary code that runs with elevated privileges. (CVE-2024-21892)
- The HTTP server in Node.js lacks a limit on the size of chunk-extension data and therefore reads an unbounded amount of data from a single connection. A remote attacker can exploit this by sending a specially crafted HTTP request to cause a denial of service (exhaustion of CPU resources and network bandwidth). (CVE-2024-22019)
Information for the following CVE has not yet been published.
This entry will be updated as soon as the CVE information is released.
CVE-2023-46809
Modularity name: nodejs
Stream name: 18
Solution:
Update the packages.
CVE:
CVE-2023-46809
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2024-21892
On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.
CVE-2024-22019
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.
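As an added defensive illustration (not Node.js or MIRACLE LINUX code), the following minimal chunked-transfer-encoding decoder caps the bytes spent on chunk extensions, which is the check whose absence CVE-2024-22019 describes. The 16 KiB cap and all sample messages are this example's own constructions.

```javascript
// Added example, not Node.js project code: decode an HTTP/1.1 chunked body
// while capping the cumulative bytes spent on chunk extensions (";name=value"
// after the chunk size). Without such a cap a client can keep the server busy
// reading extension bytes that never become body data (CVE-2024-22019).
const MAX_CHUNK_EXT_BYTES = 16 * 1024; // illustrative cap chosen for this example

function decodeChunked(buf, maxExt = MAX_CHUNK_EXT_BYTES) {
  const chunks = [];
  let pos = 0;
  let extBytes = 0; // chunk-extension bytes seen so far on this message
  for (;;) {
    const eol = buf.indexOf('\r\n', pos);
    if (eol === -1) return { ok: false, reason: 'truncated chunk header' };
    const header = buf.subarray(pos, eol).toString('latin1');
    const semi = header.indexOf(';');
    const sizeStr = semi === -1 ? header : header.slice(0, semi);
    if (semi !== -1) {
      extBytes += header.length - semi; // count ';' and everything after it
      if (extBytes > maxExt) {
        return { ok: false, reason: 'chunk extensions exceed limit', extBytes };
      }
    }
    if (!/^[0-9a-fA-F]{1,8}$/.test(sizeStr)) return { ok: false, reason: 'bad chunk size' };
    const size = parseInt(sizeStr, 16);
    pos = eol + 2;
    if (size === 0) {
      // Last chunk: skip optional trailer lines up to the empty line.
      for (;;) {
        const tEnd = buf.indexOf('\r\n', pos);
        if (tEnd === -1) return { ok: false, reason: 'truncated trailers' };
        if (tEnd === pos) return { ok: true, body: Buffer.concat(chunks), extBytes };
        pos = tEnd + 2;
      }
    }
    if (buf.length < pos + size + 2) return { ok: false, reason: 'truncated chunk data' };
    if (buf[pos + size] !== 0x0d || buf[pos + size + 1] !== 0x0a) {
      return { ok: false, reason: 'missing CRLF after chunk data' };
    }
    chunks.push(buf.subarray(pos, pos + size));
    pos += size + 2;
  }
}

// Constructed sample messages: a normal body and one padded with a 20 KB extension.
const normal = Buffer.from('4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n');
const padded = Buffer.from('4;' + 'x'.repeat(20000) + '\r\nWiki\r\n0\r\n\r\n');
console.log(decodeChunked(normal)); // ok: true, body 'Wikipedia', extBytes 0
console.log(decodeChunked(padded)); // ok: false, reason 'chunk extensions exceed limit'
```

A real server applies the same accounting to a streaming parser, so that the connection is closed as soon as the cap is crossed rather than after the whole message arrives.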
Additional information:
N/A
Downloads:
SRPMS
- nodejs-nodemon-3.0.1-1.module+el9+1030+070c4b99.src.rpm (339.27 kB)
- nodejs-packaging-2021.06-4.module+el9+1030+070c4b99.src.rpm (26.54 kB)
- nodejs-18.19.1-1.module+el9+1030+070c4b99.src.rpm (123.59 MB)
Asianux Server 9 for x86_64
- nodejs-18.19.1-1.module+el9+1030+070c4b99.x86_64.rpm (12.62 MB)
- nodejs-debugsource-18.19.1-1.module+el9+1030+070c4b99.x86_64.rpm (11.57 MB)
- nodejs-devel-18.19.1-1.module+el9+1030+070c4b99.x86_64.rpm (183.29 kB)
- nodejs-docs-18.19.1-1.module+el9+1030+070c4b99.noarch.rpm (7.75 MB)
- nodejs-full-i18n-18.19.1-1.module+el9+1030+070c4b99.x86_64.rpm (8.52 MB)
- nodejs-nodemon-3.0.1-1.module+el9+1030+070c4b99.noarch.rpm (268.41 kB)
- nodejs-packaging-2021.06-4.module+el9+1030+070c4b99.noarch.rpm (19.92 kB)
- nodejs-packaging-bundler-2021.06-4.module+el9+1030+070c4b99.noarch.rpm (9.76 kB)
- npm-10.2.4-1.18.19.1.1.module+el9+1030+070c4b99.x86_64.rpm (1.94 MB)