Red Hat Security Advisory 2022-7044-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.
7e022ca70787cce1eb3e02a0838ebec4d8b3c6738820e4c3f4bc45f39e0bef47-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: rh-nodejs14-nodejs security update
Advisory ID: RHSA-2022:7044-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7044
Issue date: 2022-10-19
CVE Names: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533
CVE-2021-44906 CVE-2022-21824 CVE-2022-35256
====================================================================
1. Summary:
An update for rh-nodejs14-nodejs is now available for Red Hat Software
Collections.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
3. Description:
Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.
Security Fix(es):
* nodejs: Improper handling of URI Subject Alternative Names
(CVE-2021-44531)
* nodejs: Certificate Verification Bypass via String Injection
(CVE-2021-44532)
* nodejs: Incorrect handling of certificate subject and issuer fields
(CVE-2021-44533)
* minimist: prototype pollution (CVE-2021-44906)
* nodejs: HTTP Request Smuggling due to incorrect parsing of header fields
(CVE-2022-35256)
* nodejs: Prototype pollution via console.table properties (CVE-2022-21824)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2040839 - CVE-2021-44531 nodejs: Improper handling of URI Subject Alternative Names
2040846 - CVE-2021-44532 nodejs: Certificate Verification Bypass via String Injection
2040856 - CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields
2040862 - CVE-2022-21824 nodejs: Prototype pollution via console.table properties
2066009 - CVE-2021-44906 minimist: prototype pollution
2130518 - CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields
6. Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
rh-nodejs14-nodejs-14.20.1-2.el7.src.rpm
noarch:
rh-nodejs14-nodejs-docs-14.20.1-2.el7.noarch.rpm
ppc64le:
rh-nodejs14-nodejs-14.20.1-2.el7.ppc64le.rpm
rh-nodejs14-nodejs-debuginfo-14.20.1-2.el7.ppc64le.rpm
rh-nodejs14-nodejs-devel-14.20.1-2.el7.ppc64le.rpm
rh-nodejs14-npm-6.14.17-14.20.1.2.el7.ppc64le.rpm
s390x:
rh-nodejs14-nodejs-14.20.1-2.el7.s390x.rpm
rh-nodejs14-nodejs-debuginfo-14.20.1-2.el7.s390x.rpm
rh-nodejs14-nodejs-devel-14.20.1-2.el7.s390x.rpm
rh-nodejs14-npm-6.14.17-14.20.1.2.el7.s390x.rpm
x86_64:
rh-nodejs14-nodejs-14.20.1-2.el7.x86_64.rpm
rh-nodejs14-nodejs-debuginfo-14.20.1-2.el7.x86_64.rpm
rh-nodejs14-nodejs-devel-14.20.1-2.el7.x86_64.rpm
rh-nodejs14-npm-6.14.17-14.20.1.2.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source:
rh-nodejs14-nodejs-14.20.1-2.el7.src.rpm
noarch:
rh-nodejs14-nodejs-docs-14.20.1-2.el7.noarch.rpm
x86_64:
rh-nodejs14-nodejs-14.20.1-2.el7.x86_64.rpm
rh-nodejs14-nodejs-debuginfo-14.20.1-2.el7.x86_64.rpm
rh-nodejs14-nodejs-devel-14.20.1-2.el7.x86_64.rpm
rh-nodejs14-npm-6.14.17-14.20.1.2.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-44531
https://access.redhat.com/security/cve/CVE-2021-44532
https://access.redhat.com/security/cve/CVE-2021-44533
https://access.redhat.com/security/cve/CVE-2021-44906
https://access.redhat.com/security/cve/CVE-2022-21824
https://access.redhat.com/security/cve/CVE-2022-35256
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY1Bkk9zjgjWX9erEAQh9DQ//dSOPbtnYD3f9AvLUnQpnJb7OyGisGpPW
von8hNiTCD5J3FP2DlY3/wGX9H1g2BXmuwpojS/sh17E2+sHldBTMk5kxT8bkBkB
ZWnmIwqA1PfjAO4FEc7MtePJXsqCrBne63Bpo7k3ALc4hHtP2BEMkjA4ZOJJDl82
ydj74PPr0uVuZAn0jcLKsIPq1OmUW9jNuzY0p5uqhXKVP4XfFWfpi2dd34Nej+dv
RbSABk5jZ0R6bQlPOdG4bI8vevvmhkeAqkcWgHWBZ9n34SFdiGKFdxUI3+SM2zvl
tB7zuDc9rsLnF7DLZq3HVG3eOVdxJ1MKwap89iQrmQCy1kz4iq3hZbAKJHIjLTEy
gWpwYI9nCamIsNwYB1pUM5RexkKTPKDRttZh9hff2RO9QCvdnecw3386blkhsb8s
XJMAywflJeBrTnMPQ9tSNx60CgGI8JkU40RtnfwwS5yS1upd56jYbL+W4CzbZmzd
bj48/l+fl3Ny0bGZ6QAG0ZWrH0eTs6hL/xYKFu2Z7jDteP9ITE1kSKeISjE/G0Rb
Hjjp6sfEiR07PEJx2/Lne+o5JvCGu7wviT2SnJIfjX9C056CtO4IjRXEqdPqZqYq
3+T1AOLM1M2vu55WagYhnTtfGefIj5EScstARXZjz5pF0dQyhNZNO+p/S0coNUWz
y4v1DFKlYtA=JvnP
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed