Issued:
2020-02-25
Updated:
2020-02-25

RHSA-2020:0602 - Security Advisory

Synopsis

Important: rh-nodejs12-nodejs security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: rh-nodejs12-nodejs (12.16.1).

Security Fix(es):

  • nodejs: HTTP request smuggling using malformed Transfer-Encoding header (CVE-2019-15605)
  • nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string (CVE-2019-15604)
  • nodejs: HTTP header values do not have trailing optional whitespace trimmed (CVE-2019-15606)
  • npm: Symlink reference outside of node_modules folder through the bin field upon installation (CVE-2019-16775)
  • npm: Arbitrary file write via constructed entry in the package.json bin field (CVE-2019-16776)
  • npm: Global node_modules Binary Overwrite (CVE-2019-16777)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7 x86_64
  • Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.7 s390x
  • Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.7 ppc64le
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.6 x86_64
  • Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.6 s390x
  • Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.6 ppc64le
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5 x86_64
  • Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.5 s390x
  • Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.5 ppc64le
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
  • Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
  • Red Hat Software Collections (for RHEL Server for ARM) 1 aarch64
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64

Fixes

  • BZ - 1788301 - CVE-2019-16777 npm: Global node_modules Binary Overwrite
  • BZ - 1788305 - CVE-2019-16775 npm: Symlink reference outside of node_modules folder through the bin field upon installation
  • BZ - 1788310 - CVE-2019-16776 npm: Arbitrary file write via constructed entry in the package.json bin field
  • BZ - 1800364 - CVE-2019-15605 nodejs: HTTP request smuggling using malformed Transfer-Encoding header
  • BZ - 1800366 - CVE-2019-15606 nodejs: HTTP header values do not have trailing optional whitespace trimmed
  • BZ - 1800367 - CVE-2019-15604 nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
x86_64
rh-nodejs12-nodejs-12.16.1-1.el7.x86_64.rpm SHA-256: efbb154dc07cb3d137e049557b984791d8c520f43609bed8880951e4ba9c5d14
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.x86_64.rpm SHA-256: 0cc5d0e797292c4c7022ef45158f1b513d12fdacd8bc1f382a60789442c9da8a
rh-nodejs12-nodejs-devel-12.16.1-1.el7.x86_64.rpm SHA-256: 337f526ca357c11859331362c0cc49052a809f3ff0efc8387818825f0aa363e1
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.x86_64.rpm SHA-256: cfa4ce2a3059ef905a1de14087713db10672743eed0198355c8f66dfdf8af4d5

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.7

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
s390x
rh-nodejs12-nodejs-12.16.1-1.el7.s390x.rpm SHA-256: 8da4db10286d6c311d1269e265d3d18779d603b6ecdc98710b66dab3e1a3d85c
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.s390x.rpm SHA-256: 26acda09b7de25883e68ee04c26d3361fba6e546c524d15bd297fdba5621c1fc
rh-nodejs12-nodejs-devel-12.16.1-1.el7.s390x.rpm SHA-256: 068ed4915f751d92704cadcba9aa67a633fc80dd81e2a904b38a455e94b43751
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.s390x.rpm SHA-256: 7f4f297a75a30478dfed0ea94e1748c10640dc48026901e54ecf3b76ee1b76c6

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.7

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
ppc64le
rh-nodejs12-nodejs-12.16.1-1.el7.ppc64le.rpm SHA-256: 819cebd882cd0b941a0ec6da736589d57eca1ea94e6ac3a49b63afacd6429237
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.ppc64le.rpm SHA-256: 020ef925d358673335495a64254e3640aa78c026ef53062ac7af8ad09846233b
rh-nodejs12-nodejs-devel-12.16.1-1.el7.ppc64le.rpm SHA-256: 2a3ebda2ab99f9799c74c60d3b88392c3618b728ff009a103ddfc3dabe0e2392
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.ppc64le.rpm SHA-256: b85b2b12fed94bc767e989d29b5635ac5545ca573d1afff5a5552daa9a7f72b3

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.6

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
x86_64
rh-nodejs12-nodejs-12.16.1-1.el7.x86_64.rpm SHA-256: efbb154dc07cb3d137e049557b984791d8c520f43609bed8880951e4ba9c5d14
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.x86_64.rpm SHA-256: 0cc5d0e797292c4c7022ef45158f1b513d12fdacd8bc1f382a60789442c9da8a
rh-nodejs12-nodejs-devel-12.16.1-1.el7.x86_64.rpm SHA-256: 337f526ca357c11859331362c0cc49052a809f3ff0efc8387818825f0aa363e1
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.x86_64.rpm SHA-256: cfa4ce2a3059ef905a1de14087713db10672743eed0198355c8f66dfdf8af4d5

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.6

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
s390x
rh-nodejs12-nodejs-12.16.1-1.el7.s390x.rpm SHA-256: 8da4db10286d6c311d1269e265d3d18779d603b6ecdc98710b66dab3e1a3d85c
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.s390x.rpm SHA-256: 26acda09b7de25883e68ee04c26d3361fba6e546c524d15bd297fdba5621c1fc
rh-nodejs12-nodejs-devel-12.16.1-1.el7.s390x.rpm SHA-256: 068ed4915f751d92704cadcba9aa67a633fc80dd81e2a904b38a455e94b43751
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.s390x.rpm SHA-256: 7f4f297a75a30478dfed0ea94e1748c10640dc48026901e54ecf3b76ee1b76c6

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.6

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
ppc64le
rh-nodejs12-nodejs-12.16.1-1.el7.ppc64le.rpm SHA-256: 819cebd882cd0b941a0ec6da736589d57eca1ea94e6ac3a49b63afacd6429237
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.ppc64le.rpm SHA-256: 020ef925d358673335495a64254e3640aa78c026ef53062ac7af8ad09846233b
rh-nodejs12-nodejs-devel-12.16.1-1.el7.ppc64le.rpm SHA-256: 2a3ebda2ab99f9799c74c60d3b88392c3618b728ff009a103ddfc3dabe0e2392
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.ppc64le.rpm SHA-256: b85b2b12fed94bc767e989d29b5635ac5545ca573d1afff5a5552daa9a7f72b3

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
x86_64
rh-nodejs12-nodejs-12.16.1-1.el7.x86_64.rpm SHA-256: efbb154dc07cb3d137e049557b984791d8c520f43609bed8880951e4ba9c5d14
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.x86_64.rpm SHA-256: 0cc5d0e797292c4c7022ef45158f1b513d12fdacd8bc1f382a60789442c9da8a
rh-nodejs12-nodejs-devel-12.16.1-1.el7.x86_64.rpm SHA-256: 337f526ca357c11859331362c0cc49052a809f3ff0efc8387818825f0aa363e1
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.x86_64.rpm SHA-256: cfa4ce2a3059ef905a1de14087713db10672743eed0198355c8f66dfdf8af4d5

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.5

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
s390x
rh-nodejs12-nodejs-12.16.1-1.el7.s390x.rpm SHA-256: 8da4db10286d6c311d1269e265d3d18779d603b6ecdc98710b66dab3e1a3d85c
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.s390x.rpm SHA-256: 26acda09b7de25883e68ee04c26d3361fba6e546c524d15bd297fdba5621c1fc
rh-nodejs12-nodejs-devel-12.16.1-1.el7.s390x.rpm SHA-256: 068ed4915f751d92704cadcba9aa67a633fc80dd81e2a904b38a455e94b43751
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.s390x.rpm SHA-256: 7f4f297a75a30478dfed0ea94e1748c10640dc48026901e54ecf3b76ee1b76c6

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.5

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
ppc64le
rh-nodejs12-nodejs-12.16.1-1.el7.ppc64le.rpm SHA-256: 819cebd882cd0b941a0ec6da736589d57eca1ea94e6ac3a49b63afacd6429237
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.ppc64le.rpm SHA-256: 020ef925d358673335495a64254e3640aa78c026ef53062ac7af8ad09846233b
rh-nodejs12-nodejs-devel-12.16.1-1.el7.ppc64le.rpm SHA-256: 2a3ebda2ab99f9799c74c60d3b88392c3618b728ff009a103ddfc3dabe0e2392
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.ppc64le.rpm SHA-256: b85b2b12fed94bc767e989d29b5635ac5545ca573d1afff5a5552daa9a7f72b3

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
x86_64
rh-nodejs12-nodejs-12.16.1-1.el7.x86_64.rpm SHA-256: efbb154dc07cb3d137e049557b984791d8c520f43609bed8880951e4ba9c5d14
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.x86_64.rpm SHA-256: 0cc5d0e797292c4c7022ef45158f1b513d12fdacd8bc1f382a60789442c9da8a
rh-nodejs12-nodejs-devel-12.16.1-1.el7.x86_64.rpm SHA-256: 337f526ca357c11859331362c0cc49052a809f3ff0efc8387818825f0aa363e1
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.x86_64.rpm SHA-256: cfa4ce2a3059ef905a1de14087713db10672743eed0198355c8f66dfdf8af4d5

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
s390x
rh-nodejs12-nodejs-12.16.1-1.el7.s390x.rpm SHA-256: 8da4db10286d6c311d1269e265d3d18779d603b6ecdc98710b66dab3e1a3d85c
rh-nodejs12-nodejs-12.16.1-1.el7.s390x.rpm SHA-256: 8da4db10286d6c311d1269e265d3d18779d603b6ecdc98710b66dab3e1a3d85c
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.s390x.rpm SHA-256: 26acda09b7de25883e68ee04c26d3361fba6e546c524d15bd297fdba5621c1fc
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.s390x.rpm SHA-256: 26acda09b7de25883e68ee04c26d3361fba6e546c524d15bd297fdba5621c1fc
rh-nodejs12-nodejs-devel-12.16.1-1.el7.s390x.rpm SHA-256: 068ed4915f751d92704cadcba9aa67a633fc80dd81e2a904b38a455e94b43751
rh-nodejs12-nodejs-devel-12.16.1-1.el7.s390x.rpm SHA-256: 068ed4915f751d92704cadcba9aa67a633fc80dd81e2a904b38a455e94b43751
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.s390x.rpm SHA-256: 7f4f297a75a30478dfed0ea94e1748c10640dc48026901e54ecf3b76ee1b76c6
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.s390x.rpm SHA-256: 7f4f297a75a30478dfed0ea94e1748c10640dc48026901e54ecf3b76ee1b76c6

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
ppc64le
rh-nodejs12-nodejs-12.16.1-1.el7.ppc64le.rpm SHA-256: 819cebd882cd0b941a0ec6da736589d57eca1ea94e6ac3a49b63afacd6429237
rh-nodejs12-nodejs-12.16.1-1.el7.ppc64le.rpm SHA-256: 819cebd882cd0b941a0ec6da736589d57eca1ea94e6ac3a49b63afacd6429237
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.ppc64le.rpm SHA-256: 020ef925d358673335495a64254e3640aa78c026ef53062ac7af8ad09846233b
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.ppc64le.rpm SHA-256: 020ef925d358673335495a64254e3640aa78c026ef53062ac7af8ad09846233b
rh-nodejs12-nodejs-devel-12.16.1-1.el7.ppc64le.rpm SHA-256: 2a3ebda2ab99f9799c74c60d3b88392c3618b728ff009a103ddfc3dabe0e2392
rh-nodejs12-nodejs-devel-12.16.1-1.el7.ppc64le.rpm SHA-256: 2a3ebda2ab99f9799c74c60d3b88392c3618b728ff009a103ddfc3dabe0e2392
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.ppc64le.rpm SHA-256: b85b2b12fed94bc767e989d29b5635ac5545ca573d1afff5a5552daa9a7f72b3
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.ppc64le.rpm SHA-256: b85b2b12fed94bc767e989d29b5635ac5545ca573d1afff5a5552daa9a7f72b3

Red Hat Software Collections (for RHEL Server for ARM) 1

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
aarch64
rh-nodejs12-nodejs-12.16.1-1.el7.aarch64.rpm SHA-256: f4b67ee0b2db143c79f1f9f049d06bae94100101323f4a83ab83465828340ae8
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.aarch64.rpm SHA-256: a2e411c0197a42215feb4dffd7052b605e68740c9bf140bead8abfa3ea115fbd
rh-nodejs12-nodejs-devel-12.16.1-1.el7.aarch64.rpm SHA-256: b7edcf16c7b1a3862a34d1de42a830ba865fe95d9e4073e3002bfec674f7a0f9
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.aarch64.rpm SHA-256: a03e27bb84011e2fd2f2e9f66b46d6aab571d627f8e54f45fdba6120dc29d46f

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
x86_64
rh-nodejs12-nodejs-12.16.1-1.el7.x86_64.rpm SHA-256: efbb154dc07cb3d137e049557b984791d8c520f43609bed8880951e4ba9c5d14
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.x86_64.rpm SHA-256: 0cc5d0e797292c4c7022ef45158f1b513d12fdacd8bc1f382a60789442c9da8a
rh-nodejs12-nodejs-devel-12.16.1-1.el7.x86_64.rpm SHA-256: 337f526ca357c11859331362c0cc49052a809f3ff0efc8387818825f0aa363e1
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.x86_64.rpm SHA-256: cfa4ce2a3059ef905a1de14087713db10672743eed0198355c8f66dfdf8af4d5

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.