nodejs:20 security update
Errata ID: AXSA:2024-8726:01
Release date:
2024/08/28 Wednesday - 14:44
Title:
nodejs:20 security update
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- The Node.js permission model mishandles the case where the --allow-fs-read option is specified. A local attacker can use the fs.lstat() API function to obtain stat information for files they have no access permission to. (CVE-2024-22018)
- The Node.js network import feature allows a local attacker to execute arbitrary code via a network import of a crafted data URL. (CVE-2024-22020)
Details for the following CVE have not been published at this time.
This information will be updated once the CVE details are published.
CVE-2024-36137
Modularity name: nodejs
Stream name: 20
Solution:
Update the packages.
CVE:
CVE-2024-22018
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2024-22020
A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers.
CVE-2024-36137
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Additional information:
N/A
Download:
SRPMS
- nodejs-nodemon-3.0.1-1.module+el9+1046+e6a569ad.src.rpm
MD5: d11ef1093d2bbc79e0eab488048b6329
SHA-256: 5d118971182ba44cade799855b687d17d8cca3a88a4511ded73b3d60b4e16a5e
Size: 339.27 kB
- nodejs-packaging-2021.06-4.module+el9+1046+e6a569ad.src.rpm
MD5: 61751fb8abb931f2badc4b5696c2856f
SHA-256: 4100522306c71d40fd44852a59adbc6160f76ebfc9520d4f85f41942c4d81dab
Size: 26.54 kB
- nodejs-20.16.0-1.module+el9+1046+e6a569ad.src.rpm
MD5: f14f87c38c390a74812f197b56a5fc22
SHA-256: 0341cf2760d82712b9b0f3d84ee7f7abf118685af1ce18390b4c2a99d2e5fa20
Size: 125.06 MB
Asianux Server 9 for x86_64
- nodejs-20.16.0-1.module+el9+1046+e6a569ad.x86_64.rpm
MD5: a504ce5a70c3f1a667147c86205c4f72
SHA-256: 380163ffdf5b841921bbc65faee132909055e17023485af07967394c5daa48cd
Size: 13.99 MB
- nodejs-debugsource-20.16.0-1.module+el9+1046+e6a569ad.x86_64.rpm
MD5: 44c89814658a694c5aa12e0216305bd2
SHA-256: 62b4e6d60b330304af90d000ec47cab5dade46e5a2d43b3c577eca2ec6c74a8f
Size: 11.82 MB
- nodejs-devel-20.16.0-1.module+el9+1046+e6a569ad.x86_64.rpm
MD5: c441704c46b44e3859b51c7af10424a3
SHA-256: 53f41ac3f23069f08bae8fc5b21349764fc3472fcfeb1bc5144887e6d5c0d04c
Size: 232.29 kB
- nodejs-docs-20.16.0-1.module+el9+1046+e6a569ad.noarch.rpm
MD5: 92a25ea3b946d3f0092f212d8c518c78
SHA-256: 88daa302ff548f918f45352d8060d68b4845a27ebdee62bedfc8ebbb8d72164b
Size: 8.21 MB
- nodejs-full-i18n-20.16.0-1.module+el9+1046+e6a569ad.x86_64.rpm
MD5: e776ffff97bccc9ded412e508efba94c
SHA-256: 634a82c8b2f2b9d1356fdcf463c520078384bf1312dd40ce36be53bcbd8640ea
Size: 8.42 MB
- nodejs-nodemon-3.0.1-1.module+el9+1046+e6a569ad.noarch.rpm
MD5: 14b5c16a71f8ea6de7018fa709b0388e
SHA-256: 005e4cdce4d2a0616573eb780f77c278e8b6dc8ae1f7f20afc405b4f43603fa0
Size: 268.34 kB
- nodejs-packaging-2021.06-4.module+el9+1046+e6a569ad.noarch.rpm
MD5: 3c68c35a46cf185671babbe7fb8c80d7
SHA-256: bb852f1f704822daef09bbbe0b9e508dd22c5519844dbf851fcfde1021bb6837
Size: 19.91 kB
- nodejs-packaging-bundler-2021.06-4.module+el9+1046+e6a569ad.noarch.rpm
MD5: a36d3b6d67e18a86dbb933255e337fd6
SHA-256: 403268d68ffc89f653587fcaa88919d64a1c3447c0a25ac35fc36cc3ac46e104
Size: 9.76 kB
- npm-10.8.1-1.20.16.0.1.module+el9+1046+e6a569ad.x86_64.rpm
MD5: bc2740cd10653cf6852a6b2f970cee9c
SHA-256: 9f31b47298cb5a0cd5e2a07c19f49029fbf6cad84eebf8d0db139eca5ef98aac
Size: 1.85 MB