Red Hat Security Advisory 2021-3280-01

Red Hat Security Advisory 2021-3280-01: Posted Aug 29, 2021; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2021-3280-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include denial of service, path sanitization, and use-after-free vulnerabilities.; tags | advisory, denial of service, javascript, vulnerability; systems | linux, redhat; advisories | CVE-2020-28469, CVE-2020-7788, CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940, CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672; SHA-256 | f81e943687d783d753939b62f38493f546f7dcb8c0ef9e04785e923bb274be6e; Download | Favorite | View

Red Hat Security Advisory 2021-3280-01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update
Advisory ID:       RHSA-2021:3280-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3280
Issue date:        2021-08-26
CVE Names:         CVE-2020-7788 CVE-2020-28469 CVE-2021-3672 
                   CVE-2021-22930 CVE-2021-22931 CVE-2021-22939 
                   CVE-2021-22940 CVE-2021-23343 CVE-2021-32803 
                   CVE-2021-32804 
=====================================================================

1. Summary:

An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now
available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language. 

The following packages have been upgraded to a later upstream version:
rh-nodejs14-nodejs (14.17.5).

Security Fix(es):

* nodejs: Use-after-free on close http2 on stream canceling
(CVE-2021-22930)

* nodejs: Use-after-free on close http2 on stream canceling
(CVE-2021-22940)

* nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)

* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)

* c-ares: Missing input validation of host names may lead to domain
hijacking (CVE-2021-3672)

* nodejs: Improper handling of untypical characters in domain names
(CVE-2021-22931)

* nodejs-tar: Insufficient symlink protection allowing arbitrary file
creation and overwrite (CVE-2021-32803)

* nodejs-tar: Insufficient absolute path sanitization allowing arbitrary
file creation and overwrite (CVE-2021-32804)

* nodejs: Incomplete validation of tls rejectUnauthorized parameter
(CVE-2021-22939)

* nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe
(CVE-2021-23343)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1907444 - CVE-2020-7788 nodejs-ini: Prototype pollution via malicious INI file
1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service
1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe
1988342 - CVE-2021-3672 c-ares: Missing input validation of host names may lead to domain hijacking
1988394 - CVE-2021-22930 nodejs: Use-after-free on close http2 on stream canceling
1990409 - CVE-2021-32804 nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
1990415 - CVE-2021-32803 nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite
1993019 - CVE-2021-22931 nodejs: Improper handling of untypical characters in domain names
1993029 - CVE-2021-22940 nodejs: Use-after-free on close http2 on stream canceling
1993039 - CVE-2021-22939 nodejs: Incomplete validation of tls rejectUnauthorized parameter

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-nodejs14-nodejs-14.17.5-1.el7.src.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.src.rpm

noarch:
rh-nodejs14-nodejs-docs-14.17.5-1.el7.noarch.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.noarch.rpm

ppc64le:
rh-nodejs14-nodejs-14.17.5-1.el7.ppc64le.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.ppc64le.rpm
rh-nodejs14-nodejs-devel-14.17.5-1.el7.ppc64le.rpm
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.ppc64le.rpm

s390x:
rh-nodejs14-nodejs-14.17.5-1.el7.s390x.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.s390x.rpm
rh-nodejs14-nodejs-devel-14.17.5-1.el7.s390x.rpm
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.s390x.rpm

x86_64:
rh-nodejs14-nodejs-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-nodejs-devel-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7):

Source:
rh-nodejs14-nodejs-14.17.5-1.el7.src.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.src.rpm

noarch:
rh-nodejs14-nodejs-docs-14.17.5-1.el7.noarch.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.noarch.rpm

ppc64le:
rh-nodejs14-nodejs-14.17.5-1.el7.ppc64le.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.ppc64le.rpm
rh-nodejs14-nodejs-devel-14.17.5-1.el7.ppc64le.rpm
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.ppc64le.rpm

s390x:
rh-nodejs14-nodejs-14.17.5-1.el7.s390x.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.s390x.rpm
rh-nodejs14-nodejs-devel-14.17.5-1.el7.s390x.rpm
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.s390x.rpm

x86_64:
rh-nodejs14-nodejs-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-nodejs-devel-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-nodejs14-nodejs-14.17.5-1.el7.src.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.src.rpm

noarch:
rh-nodejs14-nodejs-docs-14.17.5-1.el7.noarch.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.noarch.rpm

x86_64:
rh-nodejs14-nodejs-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-nodejs-devel-14.17.5-1.el7.x86_64.rpm
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-7788
https://access.redhat.com/security/cve/CVE-2020-28469
https://access.redhat.com/security/cve/CVE-2021-3672
https://access.redhat.com/security/cve/CVE-2021-22930
https://access.redhat.com/security/cve/CVE-2021-22931
https://access.redhat.com/security/cve/CVE-2021-22939
https://access.redhat.com/security/cve/CVE-2021-22940
https://access.redhat.com/security/cve/CVE-2021-23343
https://access.redhat.com/security/cve/CVE-2021-32803
https://access.redhat.com/security/cve/CVE-2021-32804
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYSe+ZdzjgjWX9erEAQhYcg/7B3abtCo+3cNCafs6xxdE/gTXji7SK5EY
1HRy0aXRd5bXCuRKnfNAPkkmhGKOfa0J+0TuZotF/Sh/20VtkGYIrwMIH9X/OYcl
kDsv8KkGtFgTKg0rRRCXG3FV+hPDh4r0F0WWxssmXjunAYnOzyxlntafSTnW2FGO
igl7caJv6zh3YJsUB/ITn4JCUDCClWR6KEF7gasKnaNpoap52HfHa7qYSUpxaz1K
/z3atfAOYJkj1aSSj4327iE1i8SbyYnuPD5m2RZUdHxZrMnVbsd+lVkrrd66KV0q
Z58mal5whSgZ6U7jt1oiQBafYvm3mLoyFm3URC9xqPhDbapvL0++mDov5OQNUoyk
zRqs1vaV7f27DiQuGtCxCcy+34jIP5PpmazpkWG0oTYYkgt6hpda3+/A4GEvymNF
8xKTpekyasjYpWZ8sX4FOAo5vnqedwFtQoFJ7Q0YoO+DUje2oaw9I9Cm1BGyjTeq
/VMJkslLT17lRSrJwNvWBxrUg849nFAd1xMEcAyMhJrlhG6zqe2zGoUCJokaPaxr
Cx0pezZ8ERabp8kTBS5Jm7vN9yBymwVsEw32QRV/2Mp2Zdi1cY6Y9UJJQ7N+YjjJ
5nsPiho66PlZ3E0CIU+Ntr03ROW3X8E2u15ACUsGnZdSsqt36QWKmoKCP4d+8fNI
z53onxTqYlM=
=JjAl
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Red Hat Security Advisory 2021-3280-01

Red Hat Security Advisory 2021-3280-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Red Hat Security Advisory 2021-3280-01

Share This

Red Hat Security Advisory 2021-3280-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems