- Issued:
- 2017-10-18
- Updated:
- 2017-10-18
RHSA-2017:2912 - Security Advisory
Synopsis
Moderate: rh-nodejs4-nodejs-tough-cookie security update
Type/Severity
Security Advisory: Moderate
Topic
An update for rh-nodejs4-nodejs-tough-cookie is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Tough-Cookie is a Node.js module that offers RFC6265 Cookies and Cookie Jar.
The following packages have been upgraded to a later upstream version: rh-nodejs4-nodejs-tough-cookie (2.3.3). (BZ#1497695)
Security Fix(es):
- Regular expression denial of service flaws were found in Tough-Cookie. An attacker able to make an application using Touch-Cookie to parse a sufficiently large HTTP request Cookie header could cause the application to consume an excessive amount of CPU. (CVE-2016-1000232, CVE-2017-15010)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
Affected Products
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7 x86_64
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 6 x86_64
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6 x86_64
Fixes
- BZ - 1359818 - CVE-2016-1000232 nodejs-tough-cookie: regular expression DoS via Cookie header with many semicolons
- BZ - 1493989 - CVE-2017-15010 nodejs-tough-cookie: Regular expression denial of service
CVEs
References
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5
| SRPM | |
|---|---|
| rh-nodejs4-nodejs-tough-cookie-2.3.3-2.el7.src.rpm | SHA-256: 733d637f34e42ac9f1460b2a10d5f0351a07ad5e2d369bb98f2fa5d84ac5b1e5 |
| x86_64 | |
| rh-nodejs4-nodejs-tough-cookie-2.3.3-2.el7.noarch.rpm | SHA-256: 7c4ca0d1e0ea3d2926c188d73d1f04ffb7bf8cc9d81af104798fbcbce2c62f55 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4
| SRPM | |
|---|---|
| rh-nodejs4-nodejs-tough-cookie-2.3.3-2.el7.src.rpm | SHA-256: 733d637f34e42ac9f1460b2a10d5f0351a07ad5e2d369bb98f2fa5d84ac5b1e5 |
| x86_64 | |
| rh-nodejs4-nodejs-tough-cookie-2.3.3-2.el7.noarch.rpm | SHA-256: 7c4ca0d1e0ea3d2926c188d73d1f04ffb7bf8cc9d81af104798fbcbce2c62f55 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3
| SRPM | |
|---|---|
| rh-nodejs4-nodejs-tough-cookie-2.3.3-2.el7.src.rpm | SHA-256: 733d637f34e42ac9f1460b2a10d5f0351a07ad5e2d369bb98f2fa5d84ac5b1e5 |
| x86_64 | |
| rh-nodejs4-nodejs-tough-cookie-2.3.3-2.el7.noarch.rpm | SHA-256: 7c4ca0d1e0ea3d2926c188d73d1f04ffb7bf8cc9d81af104798fbcbce2c62f55 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7
| SRPM | |
|---|---|
| rh-nodejs4-nodejs-tough-cookie-2.3.3-2.el7.src.rpm | SHA-256: 733d637f34e42ac9f1460b2a10d5f0351a07ad5e2d369bb98f2fa5d84ac5b1e5 |
| x86_64 | |
| rh-nodejs4-nodejs-tough-cookie-2.3.3-2.el7.noarch.rpm | SHA-256: 7c4ca0d1e0ea3d2926c188d73d1f04ffb7bf8cc9d81af104798fbcbce2c62f55 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7
| SRPM | |
|---|---|
| rh-nodejs4-nodejs-tough-cookie-2.3.3-2.el6.src.rpm | SHA-256: 79dca61b6945dc74e3600d86ae7e6cf0a1352f2d8bf74fe6436b6df95b54d638 |
| x86_64 | |
| rh-nodejs4-nodejs-tough-cookie-2.3.3-2.el6.noarch.rpm | SHA-256: 680b131c8949267739969aa4dc4f91f4f2dad7d6f38e8aa3360cf362445ac058 |
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6
| SRPM | |
|---|---|
| rh-nodejs4-nodejs-tough-cookie-2.3.3-2.el6.src.rpm | SHA-256: 79dca61b6945dc74e3600d86ae7e6cf0a1352f2d8bf74fe6436b6df95b54d638 |
| x86_64 | |
| rh-nodejs4-nodejs-tough-cookie-2.3.3-2.el6.noarch.rpm | SHA-256: 680b131c8949267739969aa4dc4f91f4f2dad7d6f38e8aa3360cf362445ac058 |
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7
| SRPM | |
|---|---|
| rh-nodejs4-nodejs-tough-cookie-2.3.3-2.el7.src.rpm | SHA-256: 733d637f34e42ac9f1460b2a10d5f0351a07ad5e2d369bb98f2fa5d84ac5b1e5 |
| x86_64 | |
| rh-nodejs4-nodejs-tough-cookie-2.3.3-2.el7.noarch.rpm | SHA-256: 7c4ca0d1e0ea3d2926c188d73d1f04ffb7bf8cc9d81af104798fbcbce2c62f55 |
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6
| SRPM | |
|---|---|
| rh-nodejs4-nodejs-tough-cookie-2.3.3-2.el6.src.rpm | SHA-256: 79dca61b6945dc74e3600d86ae7e6cf0a1352f2d8bf74fe6436b6df95b54d638 |
| x86_64 | |
| rh-nodejs4-nodejs-tough-cookie-2.3.3-2.el6.noarch.rpm | SHA-256: 680b131c8949267739969aa4dc4f91f4f2dad7d6f38e8aa3360cf362445ac058 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.