Red Hat Product Errata RHSA-2016:2101 - Security Advisory

Issued:: 2016-10-27
Updated:: 2016-10-27

RHSA-2016:2101 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: nodejs and nodejs-tough-cookie security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for nodejs-tough-cookie and nodejs is now available for Red Hat
OpenShift Container Platform 3.1, 3.2, and 3.3.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.

Security Fix(es):

A regular expression denial of service flaw was found in Tough-Cookie. An
attacker able to make an application using Touch-Cookie to parse a
sufficiently large HTTP request Cookie header could cause the application
to consume an excessive amount of CPU. (CVE-2016-1000232)
It was found that the reason argument in ServerResponse#writeHead() was
not properly validated. A remote attacker could possibly use this flaw to
conduct an HTTP response splitting attack via a specially-crafted HTTP
request. (CVE-2016-5325)

This advisory contains the RPM packages for this release. See the following
advisory for the container images fixes for this release:

https://access.redhat.com/errata/RHBA-2016:2100

Solution

For details on how to apply this update in OpenShift Container Platform 3, see the Solution section of the following advisory:

https://access.redhat.com/errata/RHBA-2016:2100

Affected Products

Red Hat OpenShift Container Platform 3.3 x86_64
Red Hat OpenShift Container Platform 3.2 x86_64
Red Hat OpenShift Container Platform 3.1 x86_64

Fixes

BZ - 1346910 - CVE-2016-5325 nodejs: reason argument in ServerResponse#writeHead() not properly validated
BZ - 1359818 - CVE-2016-1000232 nodejs-tough-cookie: regular expression DoS via Cookie header with many semicolons
BZ - 1382854 - [3.1,3.2,3.3] nodejs rpm updates for logging-auth-proxy

CVEs

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenShift Container Platform 3.3

SRPM
nodejs-0.10.47-2.el7.src.rpm	SHA-256: 158450d14a480b2bcad142a6cd11e33771b47a8bf274b85fd1d3d4eb328f7301
nodejs-tough-cookie-2.3.1-1.el7.src.rpm	SHA-256: 5b0a9300aee65cb124a5894d42304d47aeba5b012beaae735e664e7885293092
x86_64
nodejs-0.10.47-2.el7.x86_64.rpm	SHA-256: 2b2770e65a53236cbca67739fac226ec44b2372c8da82f20d141d8bd005d3d14
nodejs-debuginfo-0.10.47-2.el7.x86_64.rpm	SHA-256: 303aa9c2adc3372541aacb799b1b38982a69408ac97e20300854c05f3c96d12d
nodejs-devel-0.10.47-2.el7.x86_64.rpm	SHA-256: d65f2483bdbcfe333c088419bc057ccf267ec46f70add119c29264dbf24c9c88
nodejs-docs-0.10.47-2.el7.noarch.rpm	SHA-256: 3a293a588f45aa87718e8c8b0e13f1350a904236ca77713399037ee55c6ad3b6
nodejs-tough-cookie-2.3.1-1.el7.noarch.rpm	SHA-256: 7b9852687fb60d32ae8ddda3241f0657861c3fa134f4000972f0f9fbf0175cb6

Red Hat OpenShift Container Platform 3.2

SRPM
nodejs-0.10.47-2.el7.src.rpm	SHA-256: 158450d14a480b2bcad142a6cd11e33771b47a8bf274b85fd1d3d4eb328f7301
nodejs-tough-cookie-2.3.1-1.el7.src.rpm	SHA-256: 5b0a9300aee65cb124a5894d42304d47aeba5b012beaae735e664e7885293092
x86_64
nodejs-0.10.47-2.el7.x86_64.rpm	SHA-256: 2b2770e65a53236cbca67739fac226ec44b2372c8da82f20d141d8bd005d3d14
nodejs-debuginfo-0.10.47-2.el7.x86_64.rpm	SHA-256: 303aa9c2adc3372541aacb799b1b38982a69408ac97e20300854c05f3c96d12d
nodejs-devel-0.10.47-2.el7.x86_64.rpm	SHA-256: d65f2483bdbcfe333c088419bc057ccf267ec46f70add119c29264dbf24c9c88
nodejs-docs-0.10.47-2.el7.noarch.rpm	SHA-256: 3a293a588f45aa87718e8c8b0e13f1350a904236ca77713399037ee55c6ad3b6
nodejs-tough-cookie-2.3.1-1.el7.noarch.rpm	SHA-256: 7b9852687fb60d32ae8ddda3241f0657861c3fa134f4000972f0f9fbf0175cb6

Red Hat OpenShift Container Platform 3.1

SRPM
nodejs-0.10.47-2.el7.src.rpm	SHA-256: 158450d14a480b2bcad142a6cd11e33771b47a8bf274b85fd1d3d4eb328f7301
nodejs-tough-cookie-2.3.1-1.el7.src.rpm	SHA-256: 5b0a9300aee65cb124a5894d42304d47aeba5b012beaae735e664e7885293092
x86_64
nodejs-0.10.47-2.el7.x86_64.rpm	SHA-256: 2b2770e65a53236cbca67739fac226ec44b2372c8da82f20d141d8bd005d3d14
nodejs-debuginfo-0.10.47-2.el7.x86_64.rpm	SHA-256: 303aa9c2adc3372541aacb799b1b38982a69408ac97e20300854c05f3c96d12d
nodejs-devel-0.10.47-2.el7.x86_64.rpm	SHA-256: d65f2483bdbcfe333c088419bc057ccf267ec46f70add119c29264dbf24c9c88
nodejs-docs-0.10.47-2.el7.noarch.rpm	SHA-256: 3a293a588f45aa87718e8c8b0e13f1350a904236ca77713399037ee55c6ad3b6
nodejs-tough-cookie-2.3.1-1.el7.noarch.rpm	SHA-256: 7b9852687fb60d32ae8ddda3241f0657861c3fa134f4000972f0f9fbf0175cb6

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories