- Issued:
- 2017-01-02
- Updated:
- 2017-01-02
RHSA-2017:0002 - Security Advisory
Synopsis
Important: rh-nodejs4-nodejs and rh-nodejs4-http-parser security update
Type/Severity
Security Advisory: Important
Topic
An update for rh-nodejs4-nodejs and rh-nodejs4-http-parser is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.
The following packages have been upgraded to a newer upstream version: rh-nodejs4-nodejs (4.6.2), rh-nodejs4-http-parser (2.7.0). (BZ#1388097)
Security Fix(es):
- It was found that Node.js' tls.checkServerIdentity() function did not properly validate server certificates containing wildcards. A malicious TLS server could use this flaw to get a specially crafted certificate accepted by a Node.js TLS client. (CVE-2016-7099)
- It was found that the V8 Zone class was vulnerable to integer overflow when allocating new memory (Zone::New() and Zone::NewExpand()). An attacker with the ability to manipulate a large zone could crash the application or, potentially, execute arbitrary code with the application privileges. (CVE-2016-1669)
- A vulnerability was found in c-ares, a DNS resolver library bundled with Node.js. A hostname with an escaped trailing dot would have its size calculated incorrectly, leading to a single byte written beyond the end of a buffer on the heap. An attacker able to provide such a hostname to an application using c-ares, could potentially cause that application to crash. (CVE-2016-5180)
- It was found that the reason argument in ServerResponse#writeHead() was not properly validated. A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request. (CVE-2016-5325)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
Affected Products
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.2 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.1 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 6 x86_64
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6 x86_64
Fixes
- BZ - 1335449 - CVE-2016-1669 V8: integer overflow leading to buffer overflow in Zone::New
- BZ - 1346910 - CVE-2016-5325 nodejs: reason argument in ServerResponse#writeHead() not properly validated
- BZ - 1379921 - CVE-2016-7099 nodejs: wildcard certificates not properly validated
- BZ - 1380463 - CVE-2016-5180 c-ares: Single byte out of buffer write
- BZ - 1388097 - Rebase nodejs to latest v4 release
CVEs
References
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5
| SRPM | |
|---|---|
| rh-nodejs4-http-parser-2.7.0-2.el7.src.rpm | SHA-256: d645d22aaecfbe97ffe86fdb3a7b0bb2470b9228af74eb6f5ec0a530c441d88a |
| rh-nodejs4-nodejs-4.6.2-4.el7.src.rpm | SHA-256: 6c309ebb216dd5f4a834295588dcd17b6447ece34191b5cd6f4884a0f43747ba |
| x86_64 | |
| rh-nodejs4-http-parser-2.7.0-2.el7.x86_64.rpm | SHA-256: 77e8cd585a929adffc170a07e49c6ab4c17c4c344ec4f8de1a94bbbcf8b1ec1d |
| rh-nodejs4-http-parser-debuginfo-2.7.0-2.el7.x86_64.rpm | SHA-256: 0c64787d0b47e8c0b896a931cf94984bd48d48efc4140a9aea5ca6ce95533299 |
| rh-nodejs4-http-parser-devel-2.7.0-2.el7.x86_64.rpm | SHA-256: b127c200586299c74fd8e251373e1f3e55b48083f3e92290dc27128990a2098c |
| rh-nodejs4-nodejs-4.6.2-4.el7.x86_64.rpm | SHA-256: d3221705f2efc44702128dfe709e35bc566594ba288f29fbd36496c9a4d2de57 |
| rh-nodejs4-nodejs-debuginfo-4.6.2-4.el7.x86_64.rpm | SHA-256: 260bca696bf1bb780ca0a99895bca2da2f993472c2b4de12847279fbdab6fdbd |
| rh-nodejs4-nodejs-devel-4.6.2-4.el7.x86_64.rpm | SHA-256: e97da41edf722135fe53bfd70a428615bf837fd7d666da004f7fe51016281c8e |
| rh-nodejs4-nodejs-docs-4.6.2-4.el7.noarch.rpm | SHA-256: 02d2ae74a18ac55a0a8512f9eeda22d1115dbd297d744ac1c840991e85192d6b |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4
| SRPM | |
|---|---|
| rh-nodejs4-http-parser-2.7.0-2.el7.src.rpm | SHA-256: d645d22aaecfbe97ffe86fdb3a7b0bb2470b9228af74eb6f5ec0a530c441d88a |
| rh-nodejs4-nodejs-4.6.2-4.el7.src.rpm | SHA-256: 6c309ebb216dd5f4a834295588dcd17b6447ece34191b5cd6f4884a0f43747ba |
| x86_64 | |
| rh-nodejs4-http-parser-2.7.0-2.el7.x86_64.rpm | SHA-256: 77e8cd585a929adffc170a07e49c6ab4c17c4c344ec4f8de1a94bbbcf8b1ec1d |
| rh-nodejs4-http-parser-debuginfo-2.7.0-2.el7.x86_64.rpm | SHA-256: 0c64787d0b47e8c0b896a931cf94984bd48d48efc4140a9aea5ca6ce95533299 |
| rh-nodejs4-http-parser-devel-2.7.0-2.el7.x86_64.rpm | SHA-256: b127c200586299c74fd8e251373e1f3e55b48083f3e92290dc27128990a2098c |
| rh-nodejs4-nodejs-4.6.2-4.el7.x86_64.rpm | SHA-256: d3221705f2efc44702128dfe709e35bc566594ba288f29fbd36496c9a4d2de57 |
| rh-nodejs4-nodejs-debuginfo-4.6.2-4.el7.x86_64.rpm | SHA-256: 260bca696bf1bb780ca0a99895bca2da2f993472c2b4de12847279fbdab6fdbd |
| rh-nodejs4-nodejs-devel-4.6.2-4.el7.x86_64.rpm | SHA-256: e97da41edf722135fe53bfd70a428615bf837fd7d666da004f7fe51016281c8e |
| rh-nodejs4-nodejs-docs-4.6.2-4.el7.noarch.rpm | SHA-256: 02d2ae74a18ac55a0a8512f9eeda22d1115dbd297d744ac1c840991e85192d6b |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3
| SRPM | |
|---|---|
| rh-nodejs4-http-parser-2.7.0-2.el7.src.rpm | SHA-256: d645d22aaecfbe97ffe86fdb3a7b0bb2470b9228af74eb6f5ec0a530c441d88a |
| rh-nodejs4-nodejs-4.6.2-4.el7.src.rpm | SHA-256: 6c309ebb216dd5f4a834295588dcd17b6447ece34191b5cd6f4884a0f43747ba |
| x86_64 | |
| rh-nodejs4-http-parser-2.7.0-2.el7.x86_64.rpm | SHA-256: 77e8cd585a929adffc170a07e49c6ab4c17c4c344ec4f8de1a94bbbcf8b1ec1d |
| rh-nodejs4-http-parser-debuginfo-2.7.0-2.el7.x86_64.rpm | SHA-256: 0c64787d0b47e8c0b896a931cf94984bd48d48efc4140a9aea5ca6ce95533299 |
| rh-nodejs4-http-parser-devel-2.7.0-2.el7.x86_64.rpm | SHA-256: b127c200586299c74fd8e251373e1f3e55b48083f3e92290dc27128990a2098c |
| rh-nodejs4-nodejs-4.6.2-4.el7.x86_64.rpm | SHA-256: d3221705f2efc44702128dfe709e35bc566594ba288f29fbd36496c9a4d2de57 |
| rh-nodejs4-nodejs-debuginfo-4.6.2-4.el7.x86_64.rpm | SHA-256: 260bca696bf1bb780ca0a99895bca2da2f993472c2b4de12847279fbdab6fdbd |
| rh-nodejs4-nodejs-devel-4.6.2-4.el7.x86_64.rpm | SHA-256: e97da41edf722135fe53bfd70a428615bf837fd7d666da004f7fe51016281c8e |
| rh-nodejs4-nodejs-docs-4.6.2-4.el7.noarch.rpm | SHA-256: 02d2ae74a18ac55a0a8512f9eeda22d1115dbd297d744ac1c840991e85192d6b |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.2
| SRPM | |
|---|---|
| rh-nodejs4-http-parser-2.7.0-2.el7.src.rpm | SHA-256: d645d22aaecfbe97ffe86fdb3a7b0bb2470b9228af74eb6f5ec0a530c441d88a |
| rh-nodejs4-nodejs-4.6.2-4.el7.src.rpm | SHA-256: 6c309ebb216dd5f4a834295588dcd17b6447ece34191b5cd6f4884a0f43747ba |
| x86_64 | |
| rh-nodejs4-http-parser-2.7.0-2.el7.x86_64.rpm | SHA-256: 77e8cd585a929adffc170a07e49c6ab4c17c4c344ec4f8de1a94bbbcf8b1ec1d |
| rh-nodejs4-http-parser-debuginfo-2.7.0-2.el7.x86_64.rpm | SHA-256: 0c64787d0b47e8c0b896a931cf94984bd48d48efc4140a9aea5ca6ce95533299 |
| rh-nodejs4-http-parser-devel-2.7.0-2.el7.x86_64.rpm | SHA-256: b127c200586299c74fd8e251373e1f3e55b48083f3e92290dc27128990a2098c |
| rh-nodejs4-nodejs-4.6.2-4.el7.x86_64.rpm | SHA-256: d3221705f2efc44702128dfe709e35bc566594ba288f29fbd36496c9a4d2de57 |
| rh-nodejs4-nodejs-debuginfo-4.6.2-4.el7.x86_64.rpm | SHA-256: 260bca696bf1bb780ca0a99895bca2da2f993472c2b4de12847279fbdab6fdbd |
| rh-nodejs4-nodejs-devel-4.6.2-4.el7.x86_64.rpm | SHA-256: e97da41edf722135fe53bfd70a428615bf837fd7d666da004f7fe51016281c8e |
| rh-nodejs4-nodejs-docs-4.6.2-4.el7.noarch.rpm | SHA-256: 02d2ae74a18ac55a0a8512f9eeda22d1115dbd297d744ac1c840991e85192d6b |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.1
| SRPM | |
|---|---|
| rh-nodejs4-http-parser-2.7.0-2.el7.src.rpm | SHA-256: d645d22aaecfbe97ffe86fdb3a7b0bb2470b9228af74eb6f5ec0a530c441d88a |
| rh-nodejs4-nodejs-4.6.2-4.el7.src.rpm | SHA-256: 6c309ebb216dd5f4a834295588dcd17b6447ece34191b5cd6f4884a0f43747ba |
| x86_64 | |
| rh-nodejs4-http-parser-2.7.0-2.el7.x86_64.rpm | SHA-256: 77e8cd585a929adffc170a07e49c6ab4c17c4c344ec4f8de1a94bbbcf8b1ec1d |
| rh-nodejs4-http-parser-debuginfo-2.7.0-2.el7.x86_64.rpm | SHA-256: 0c64787d0b47e8c0b896a931cf94984bd48d48efc4140a9aea5ca6ce95533299 |
| rh-nodejs4-http-parser-devel-2.7.0-2.el7.x86_64.rpm | SHA-256: b127c200586299c74fd8e251373e1f3e55b48083f3e92290dc27128990a2098c |
| rh-nodejs4-nodejs-4.6.2-4.el7.x86_64.rpm | SHA-256: d3221705f2efc44702128dfe709e35bc566594ba288f29fbd36496c9a4d2de57 |
| rh-nodejs4-nodejs-debuginfo-4.6.2-4.el7.x86_64.rpm | SHA-256: 260bca696bf1bb780ca0a99895bca2da2f993472c2b4de12847279fbdab6fdbd |
| rh-nodejs4-nodejs-devel-4.6.2-4.el7.x86_64.rpm | SHA-256: e97da41edf722135fe53bfd70a428615bf837fd7d666da004f7fe51016281c8e |
| rh-nodejs4-nodejs-docs-4.6.2-4.el7.noarch.rpm | SHA-256: 02d2ae74a18ac55a0a8512f9eeda22d1115dbd297d744ac1c840991e85192d6b |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7
| SRPM | |
|---|---|
| rh-nodejs4-http-parser-2.7.0-2.el7.src.rpm | SHA-256: d645d22aaecfbe97ffe86fdb3a7b0bb2470b9228af74eb6f5ec0a530c441d88a |
| rh-nodejs4-nodejs-4.6.2-4.el7.src.rpm | SHA-256: 6c309ebb216dd5f4a834295588dcd17b6447ece34191b5cd6f4884a0f43747ba |
| x86_64 | |
| rh-nodejs4-http-parser-2.7.0-2.el7.x86_64.rpm | SHA-256: 77e8cd585a929adffc170a07e49c6ab4c17c4c344ec4f8de1a94bbbcf8b1ec1d |
| rh-nodejs4-http-parser-debuginfo-2.7.0-2.el7.x86_64.rpm | SHA-256: 0c64787d0b47e8c0b896a931cf94984bd48d48efc4140a9aea5ca6ce95533299 |
| rh-nodejs4-http-parser-devel-2.7.0-2.el7.x86_64.rpm | SHA-256: b127c200586299c74fd8e251373e1f3e55b48083f3e92290dc27128990a2098c |
| rh-nodejs4-nodejs-4.6.2-4.el7.x86_64.rpm | SHA-256: d3221705f2efc44702128dfe709e35bc566594ba288f29fbd36496c9a4d2de57 |
| rh-nodejs4-nodejs-debuginfo-4.6.2-4.el7.x86_64.rpm | SHA-256: 260bca696bf1bb780ca0a99895bca2da2f993472c2b4de12847279fbdab6fdbd |
| rh-nodejs4-nodejs-devel-4.6.2-4.el7.x86_64.rpm | SHA-256: e97da41edf722135fe53bfd70a428615bf837fd7d666da004f7fe51016281c8e |
| rh-nodejs4-nodejs-docs-4.6.2-4.el7.noarch.rpm | SHA-256: 02d2ae74a18ac55a0a8512f9eeda22d1115dbd297d744ac1c840991e85192d6b |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7
| SRPM | |
|---|---|
| rh-nodejs4-http-parser-2.7.0-2.el6.src.rpm | SHA-256: 6417783c5027f77eb95240d8c274e50e3c2b2e17e1b20d5d748b227ce7c282c1 |
| rh-nodejs4-nodejs-4.6.2-4.el6.src.rpm | SHA-256: 12e266d9332eee35f9a137ada4a6265916b9398ca708dec7704d5204f58caf92 |
| x86_64 | |
| rh-nodejs4-http-parser-2.7.0-2.el6.x86_64.rpm | SHA-256: d9f8034a0db35f3e2ca1e6b9ccbd4c0f713115106e7ba02f6aac1ce8d10e19d9 |
| rh-nodejs4-http-parser-debuginfo-2.7.0-2.el6.x86_64.rpm | SHA-256: 15347098ad9efaebbebbd354bdee2fbc5484b8cadf4f6a9a8095398aa991af9b |
| rh-nodejs4-http-parser-devel-2.7.0-2.el6.x86_64.rpm | SHA-256: abe3bb38bcca021bc9019d25b2f580093e1906e4b2f2c5a81c6b4def5760e9d8 |
| rh-nodejs4-nodejs-4.6.2-4.el6.x86_64.rpm | SHA-256: ec7520ea07c0ad690338a7857dd66a3c36473d5ea4f2f8c516d10c442e3d1308 |
| rh-nodejs4-nodejs-debuginfo-4.6.2-4.el6.x86_64.rpm | SHA-256: b78527617bc7c2c53a7313f4e6efd29e292fe750e9fa6083ee27c97a9c0c0367 |
| rh-nodejs4-nodejs-devel-4.6.2-4.el6.x86_64.rpm | SHA-256: cfdbd051f2a90de9165276c7943e121035893063c3022c4d3df8aa9996652973 |
| rh-nodejs4-nodejs-docs-4.6.2-4.el6.noarch.rpm | SHA-256: 69e04779cb3f72d3a23331c3808783e5d15124ac73cd55d76482e04e9953b834 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6
| SRPM | |
|---|---|
| rh-nodejs4-http-parser-2.7.0-2.el6.src.rpm | SHA-256: 6417783c5027f77eb95240d8c274e50e3c2b2e17e1b20d5d748b227ce7c282c1 |
| rh-nodejs4-nodejs-4.6.2-4.el6.src.rpm | SHA-256: 12e266d9332eee35f9a137ada4a6265916b9398ca708dec7704d5204f58caf92 |
| x86_64 | |
| rh-nodejs4-http-parser-2.7.0-2.el6.x86_64.rpm | SHA-256: d9f8034a0db35f3e2ca1e6b9ccbd4c0f713115106e7ba02f6aac1ce8d10e19d9 |
| rh-nodejs4-http-parser-debuginfo-2.7.0-2.el6.x86_64.rpm | SHA-256: 15347098ad9efaebbebbd354bdee2fbc5484b8cadf4f6a9a8095398aa991af9b |
| rh-nodejs4-http-parser-devel-2.7.0-2.el6.x86_64.rpm | SHA-256: abe3bb38bcca021bc9019d25b2f580093e1906e4b2f2c5a81c6b4def5760e9d8 |
| rh-nodejs4-nodejs-4.6.2-4.el6.x86_64.rpm | SHA-256: ec7520ea07c0ad690338a7857dd66a3c36473d5ea4f2f8c516d10c442e3d1308 |
| rh-nodejs4-nodejs-debuginfo-4.6.2-4.el6.x86_64.rpm | SHA-256: b78527617bc7c2c53a7313f4e6efd29e292fe750e9fa6083ee27c97a9c0c0367 |
| rh-nodejs4-nodejs-devel-4.6.2-4.el6.x86_64.rpm | SHA-256: cfdbd051f2a90de9165276c7943e121035893063c3022c4d3df8aa9996652973 |
| rh-nodejs4-nodejs-docs-4.6.2-4.el6.noarch.rpm | SHA-256: 69e04779cb3f72d3a23331c3808783e5d15124ac73cd55d76482e04e9953b834 |
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7
| SRPM | |
|---|---|
| rh-nodejs4-http-parser-2.7.0-2.el7.src.rpm | SHA-256: d645d22aaecfbe97ffe86fdb3a7b0bb2470b9228af74eb6f5ec0a530c441d88a |
| rh-nodejs4-nodejs-4.6.2-4.el7.src.rpm | SHA-256: 6c309ebb216dd5f4a834295588dcd17b6447ece34191b5cd6f4884a0f43747ba |
| x86_64 | |
| rh-nodejs4-http-parser-2.7.0-2.el7.x86_64.rpm | SHA-256: 77e8cd585a929adffc170a07e49c6ab4c17c4c344ec4f8de1a94bbbcf8b1ec1d |
| rh-nodejs4-http-parser-debuginfo-2.7.0-2.el7.x86_64.rpm | SHA-256: 0c64787d0b47e8c0b896a931cf94984bd48d48efc4140a9aea5ca6ce95533299 |
| rh-nodejs4-http-parser-devel-2.7.0-2.el7.x86_64.rpm | SHA-256: b127c200586299c74fd8e251373e1f3e55b48083f3e92290dc27128990a2098c |
| rh-nodejs4-nodejs-4.6.2-4.el7.x86_64.rpm | SHA-256: d3221705f2efc44702128dfe709e35bc566594ba288f29fbd36496c9a4d2de57 |
| rh-nodejs4-nodejs-debuginfo-4.6.2-4.el7.x86_64.rpm | SHA-256: 260bca696bf1bb780ca0a99895bca2da2f993472c2b4de12847279fbdab6fdbd |
| rh-nodejs4-nodejs-devel-4.6.2-4.el7.x86_64.rpm | SHA-256: e97da41edf722135fe53bfd70a428615bf837fd7d666da004f7fe51016281c8e |
| rh-nodejs4-nodejs-docs-4.6.2-4.el7.noarch.rpm | SHA-256: 02d2ae74a18ac55a0a8512f9eeda22d1115dbd297d744ac1c840991e85192d6b |
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6
| SRPM | |
|---|---|
| rh-nodejs4-http-parser-2.7.0-2.el6.src.rpm | SHA-256: 6417783c5027f77eb95240d8c274e50e3c2b2e17e1b20d5d748b227ce7c282c1 |
| rh-nodejs4-nodejs-4.6.2-4.el6.src.rpm | SHA-256: 12e266d9332eee35f9a137ada4a6265916b9398ca708dec7704d5204f58caf92 |
| x86_64 | |
| rh-nodejs4-http-parser-2.7.0-2.el6.x86_64.rpm | SHA-256: d9f8034a0db35f3e2ca1e6b9ccbd4c0f713115106e7ba02f6aac1ce8d10e19d9 |
| rh-nodejs4-http-parser-debuginfo-2.7.0-2.el6.x86_64.rpm | SHA-256: 15347098ad9efaebbebbd354bdee2fbc5484b8cadf4f6a9a8095398aa991af9b |
| rh-nodejs4-http-parser-devel-2.7.0-2.el6.x86_64.rpm | SHA-256: abe3bb38bcca021bc9019d25b2f580093e1906e4b2f2c5a81c6b4def5760e9d8 |
| rh-nodejs4-nodejs-4.6.2-4.el6.x86_64.rpm | SHA-256: ec7520ea07c0ad690338a7857dd66a3c36473d5ea4f2f8c516d10c442e3d1308 |
| rh-nodejs4-nodejs-debuginfo-4.6.2-4.el6.x86_64.rpm | SHA-256: b78527617bc7c2c53a7313f4e6efd29e292fe750e9fa6083ee27c97a9c0c0367 |
| rh-nodejs4-nodejs-devel-4.6.2-4.el6.x86_64.rpm | SHA-256: cfdbd051f2a90de9165276c7943e121035893063c3022c4d3df8aa9996652973 |
| rh-nodejs4-nodejs-docs-4.6.2-4.el6.noarch.rpm | SHA-256: 69e04779cb3f72d3a23331c3808783e5d15124ac73cd55d76482e04e9953b834 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.