- Issued:
- 2017-09-07
- Updated:
- 2017-09-07
RHSA-2017:2672 - Security Advisory
Synopsis
Moderate: rh-nodejs6-nodejs-qs security update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update for rh-nodejs6-nodejs-qs is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The qs module for Node.js is a querystring parser that supports nesting and arrays with a depth limit.
The following packages have been upgraded to a later upstream version: rh-nodejs6-nodejs-qs (6.2.3). (BZ#1485934)
Security Fix(es):
- It was found that ljharb's qs module for Node.js did not properly parse query strings. An attacker could send a specially crafted query that overwrites the resulting object's prototype properties (such as toString() or hasOwnProperty()), resulting in a denial of service when the overwritten function would be executed. (CVE-2017-1000048)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.6 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 6 x86_64
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6 x86_64
Fixes
- BZ - 1427872 - CVE-2017-1000048 nodejs-qs: Prototype override protection bypass
CVEs
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7
| SRPM | |
|---|---|
| rh-nodejs6-nodejs-qs-6.2.3-1.el7.src.rpm | SHA-256: 4397f7ce752e92e9e360343f97d9d8c27013366881462b4860fd6fb6b561d5a9 |
| x86_64 | |
| rh-nodejs6-nodejs-qs-6.2.3-1.el7.noarch.rpm | SHA-256: 95abec0501f435ed063b7fcb63aec62f694ff5e7a3b0f7a253c424eeb940a44e |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.6
| SRPM | |
|---|---|
| rh-nodejs6-nodejs-qs-6.2.3-1.el7.src.rpm | SHA-256: 4397f7ce752e92e9e360343f97d9d8c27013366881462b4860fd6fb6b561d5a9 |
| x86_64 | |
| rh-nodejs6-nodejs-qs-6.2.3-1.el7.noarch.rpm | SHA-256: 95abec0501f435ed063b7fcb63aec62f694ff5e7a3b0f7a253c424eeb940a44e |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5
| SRPM | |
|---|---|
| rh-nodejs6-nodejs-qs-6.2.3-1.el7.src.rpm | SHA-256: 4397f7ce752e92e9e360343f97d9d8c27013366881462b4860fd6fb6b561d5a9 |
| x86_64 | |
| rh-nodejs6-nodejs-qs-6.2.3-1.el7.noarch.rpm | SHA-256: 95abec0501f435ed063b7fcb63aec62f694ff5e7a3b0f7a253c424eeb940a44e |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4
| SRPM | |
|---|---|
| rh-nodejs6-nodejs-qs-6.2.3-1.el7.src.rpm | SHA-256: 4397f7ce752e92e9e360343f97d9d8c27013366881462b4860fd6fb6b561d5a9 |
| x86_64 | |
| rh-nodejs6-nodejs-qs-6.2.3-1.el7.noarch.rpm | SHA-256: 95abec0501f435ed063b7fcb63aec62f694ff5e7a3b0f7a253c424eeb940a44e |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3
| SRPM | |
|---|---|
| rh-nodejs6-nodejs-qs-6.2.3-1.el7.src.rpm | SHA-256: 4397f7ce752e92e9e360343f97d9d8c27013366881462b4860fd6fb6b561d5a9 |
| x86_64 | |
| rh-nodejs6-nodejs-qs-6.2.3-1.el7.noarch.rpm | SHA-256: 95abec0501f435ed063b7fcb63aec62f694ff5e7a3b0f7a253c424eeb940a44e |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7
| SRPM | |
|---|---|
| rh-nodejs6-nodejs-qs-6.2.3-1.el7.src.rpm | SHA-256: 4397f7ce752e92e9e360343f97d9d8c27013366881462b4860fd6fb6b561d5a9 |
| x86_64 | |
| rh-nodejs6-nodejs-qs-6.2.3-1.el7.noarch.rpm | SHA-256: 95abec0501f435ed063b7fcb63aec62f694ff5e7a3b0f7a253c424eeb940a44e |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7
| SRPM | |
|---|---|
| rh-nodejs6-nodejs-qs-6.2.3-1.el6.src.rpm | SHA-256: 437e774dafd7e1abd0ad0bb5ad9900426a9b825c31060d24e1bd20aff11c7066 |
| x86_64 | |
| rh-nodejs6-nodejs-qs-6.2.3-1.el6.noarch.rpm | SHA-256: b5b192df4b329bf66d0e3d8eb577a4837a5e10b335fcb75a1c0fb465c140d357 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6
| SRPM | |
|---|---|
| rh-nodejs6-nodejs-qs-6.2.3-1.el6.src.rpm | SHA-256: 437e774dafd7e1abd0ad0bb5ad9900426a9b825c31060d24e1bd20aff11c7066 |
| x86_64 | |
| rh-nodejs6-nodejs-qs-6.2.3-1.el6.noarch.rpm | SHA-256: b5b192df4b329bf66d0e3d8eb577a4837a5e10b335fcb75a1c0fb465c140d357 |
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7
| SRPM | |
|---|---|
| rh-nodejs6-nodejs-qs-6.2.3-1.el7.src.rpm | SHA-256: 4397f7ce752e92e9e360343f97d9d8c27013366881462b4860fd6fb6b561d5a9 |
| x86_64 | |
| rh-nodejs6-nodejs-qs-6.2.3-1.el7.noarch.rpm | SHA-256: 95abec0501f435ed063b7fcb63aec62f694ff5e7a3b0f7a253c424eeb940a44e |
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6
| SRPM | |
|---|---|
| rh-nodejs6-nodejs-qs-6.2.3-1.el6.src.rpm | SHA-256: 437e774dafd7e1abd0ad0bb5ad9900426a9b825c31060d24e1bd20aff11c7066 |
| x86_64 | |
| rh-nodejs6-nodejs-qs-6.2.3-1.el6.noarch.rpm | SHA-256: b5b192df4b329bf66d0e3d8eb577a4837a5e10b335fcb75a1c0fb465c140d357 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.