====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rh-nodejs8-nodejs security update
Advisory ID:       RHSA-2020:2625-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2625
Issue date:        2020-06-18
CVE Names:         CVE-2017-18077 CVE-2017-18869 CVE-2018-3737
                   CVE-2018-3750 CVE-2019-16775 CVE-2019-16776
                   CVE-2019-16777
====================================================================

1. Summary:

An update for rh-nodejs8-nodejs is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: rh-nodejs8-nodejs (8.17.0). (BZ#1829414)

Security Fix(es):

* nodejs-brace-expansion: Regular expression denial of service (CVE-2017-18077)

* nodejs-chownr: TOCTOU vulnerability in `chownr` function in chownr.js (CVE-2017-18869)

* nodejs-sshpk: ReDoS when parsing crafted invalid public keys in lib/formats/ssh.js (CVE-2018-3737)

* nodejs-deep-extend: Prototype pollution can allow attackers to modify object properties (CVE-2018-3750)

* npm: Symlink reference outside of node_modules folder through the bin field upon installation (CVE-2019-16775)

* npm: Arbitrary file write via constructed entry in the package.json bin field (CVE-2019-16776)

* npm: Global node_modules Binary Overwrite (CVE-2019-16777)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1448380 - CVE-2017-18077 nodejs-brace-expansion: Regular expression denial of service
1567228 - CVE-2018-3737 nodejs-sshpk: ReDoS when parsing crafted invalid public keys in lib/formats/ssh.js
1578246 - CVE-2018-3750 nodejs-deep-extend: Prototype pollution can allow attackers to modify object properties
1611613 - CVE-2017-18869 nodejs-chownr: TOCTOU vulnerability in `chownr` function in chownr.js
1788301 - CVE-2019-16777 npm: Global node_modules Binary Overwrite
1788305 - CVE-2019-16775 npm: Symlink reference outside of node_modules folder through the bin field upon installation
1788310 - CVE-2019-16776 npm: Arbitrary file write via constructed entry in the package.json bin field
1829414 - rh-nodejs8: One extra rebuild to deliver the last upstream version

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-nodejs8-nodejs-8.17.0-2.el7.src.rpm

aarch64:
rh-nodejs8-nodejs-8.17.0-2.el7.aarch64.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.aarch64.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.aarch64.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.aarch64.rpm

noarch:
rh-nodejs8-nodejs-docs-8.17.0-2.el7.noarch.rpm

ppc64le:
rh-nodejs8-nodejs-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.ppc64le.rpm

s390x:
rh-nodejs8-nodejs-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.s390x.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.s390x.rpm

x86_64:
rh-nodejs8-nodejs-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):

Source:
rh-nodejs8-nodejs-8.17.0-2.el7.src.rpm

noarch:
rh-nodejs8-nodejs-docs-8.17.0-2.el7.noarch.rpm

ppc64le:
rh-nodejs8-nodejs-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.ppc64le.rpm

s390x:
rh-nodejs8-nodejs-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.s390x.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.s390x.rpm

x86_64:
rh-nodejs8-nodejs-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7):

Source:
rh-nodejs8-nodejs-8.17.0-2.el7.src.rpm

noarch:
rh-nodejs8-nodejs-docs-8.17.0-2.el7.noarch.rpm

ppc64le:
rh-nodejs8-nodejs-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.ppc64le.rpm

s390x:
rh-nodejs8-nodejs-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.s390x.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.s390x.rpm

x86_64:
rh-nodejs8-nodejs-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-nodejs8-nodejs-8.17.0-2.el7.src.rpm

noarch:
rh-nodejs8-nodejs-docs-8.17.0-2.el7.noarch.rpm

x86_64:
rh-nodejs8-nodejs-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-18077
https://access.redhat.com/security/cve/CVE-2017-18869
https://access.redhat.com/security/cve/CVE-2018-3737
https://access.redhat.com/security/cve/CVE-2018-3750
https://access.redhat.com/security/cve/CVE-2019-16775
https://access.redhat.com/security/cve/CVE-2019-16776
https://access.redhat.com/security/cve/CVE-2019-16777
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce