RHSA-2020:0602 - Security Advisory

Overview
Updated Packages

Synopsis

Important: rh-nodejs12-nodejs security update

Type/Severity

Security Advisory: Important

Topic

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: rh-nodejs12-nodejs (12.16.1).

Security Fix(es):

nodejs: HTTP request smuggling using malformed Transfer-Encoding header (CVE-2019-15605)
nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string (CVE-2019-15604)
nodejs: HTTP header values do not have trailing optional whitespace trimmed (CVE-2019-15606)
npm: Symlink reference outside of node_modules folder through the bin field upon installation (CVE-2019-16775)
npm: Arbitrary file write via constructed entry in the package.json bin field (CVE-2019-16776)
npm: Global node_modules Binary Overwrite (CVE-2019-16777)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7 x86_64
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.7 s390x
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.7 ppc64le
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.6 x86_64
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.6 s390x
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.6 ppc64le
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5 x86_64
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.5 s390x
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.5 ppc64le
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
Red Hat Software Collections (for RHEL Server for ARM) 1 aarch64
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64

Fixes

BZ - 1788301 - CVE-2019-16777 npm: Global node_modules Binary Overwrite
BZ - 1788305 - CVE-2019-16775 npm: Symlink reference outside of node_modules folder through the bin field upon installation
BZ - 1788310 - CVE-2019-16776 npm: Arbitrary file write via constructed entry in the package.json bin field
BZ - 1800364 - CVE-2019-15605 nodejs: HTTP request smuggling using malformed Transfer-Encoding header
BZ - 1800366 - CVE-2019-15606 nodejs: HTTP header values do not have trailing optional whitespace trimmed
BZ - 1800367 - CVE-2019-15604 nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm	SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
x86_64
rh-nodejs12-nodejs-12.16.1-1.el7.x86_64.rpm	SHA-256: efbb154dc07cb3d137e049557b984791d8c520f43609bed8880951e4ba9c5d14
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.x86_64.rpm	SHA-256: 0cc5d0e797292c4c7022ef45158f1b513d12fdacd8bc1f382a60789442c9da8a
rh-nodejs12-nodejs-devel-12.16.1-1.el7.x86_64.rpm	SHA-256: 337f526ca357c11859331362c0cc49052a809f3ff0efc8387818825f0aa363e1
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm	SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.x86_64.rpm	SHA-256: cfa4ce2a3059ef905a1de14087713db10672743eed0198355c8f66dfdf8af4d5

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.7

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm	SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
s390x
rh-nodejs12-nodejs-12.16.1-1.el7.s390x.rpm	SHA-256: 8da4db10286d6c311d1269e265d3d18779d603b6ecdc98710b66dab3e1a3d85c
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.s390x.rpm	SHA-256: 26acda09b7de25883e68ee04c26d3361fba6e546c524d15bd297fdba5621c1fc
rh-nodejs12-nodejs-devel-12.16.1-1.el7.s390x.rpm	SHA-256: 068ed4915f751d92704cadcba9aa67a633fc80dd81e2a904b38a455e94b43751
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm	SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.s390x.rpm	SHA-256: 7f4f297a75a30478dfed0ea94e1748c10640dc48026901e54ecf3b76ee1b76c6

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.7

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm	SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
ppc64le
rh-nodejs12-nodejs-12.16.1-1.el7.ppc64le.rpm	SHA-256: 819cebd882cd0b941a0ec6da736589d57eca1ea94e6ac3a49b63afacd6429237
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.ppc64le.rpm	SHA-256: 020ef925d358673335495a64254e3640aa78c026ef53062ac7af8ad09846233b
rh-nodejs12-nodejs-devel-12.16.1-1.el7.ppc64le.rpm	SHA-256: 2a3ebda2ab99f9799c74c60d3b88392c3618b728ff009a103ddfc3dabe0e2392
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm	SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.ppc64le.rpm	SHA-256: b85b2b12fed94bc767e989d29b5635ac5545ca573d1afff5a5552daa9a7f72b3

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.6

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm	SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
x86_64
rh-nodejs12-nodejs-12.16.1-1.el7.x86_64.rpm	SHA-256: efbb154dc07cb3d137e049557b984791d8c520f43609bed8880951e4ba9c5d14
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.x86_64.rpm	SHA-256: 0cc5d0e797292c4c7022ef45158f1b513d12fdacd8bc1f382a60789442c9da8a
rh-nodejs12-nodejs-devel-12.16.1-1.el7.x86_64.rpm	SHA-256: 337f526ca357c11859331362c0cc49052a809f3ff0efc8387818825f0aa363e1
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm	SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.x86_64.rpm	SHA-256: cfa4ce2a3059ef905a1de14087713db10672743eed0198355c8f66dfdf8af4d5

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.6

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm	SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
s390x
rh-nodejs12-nodejs-12.16.1-1.el7.s390x.rpm	SHA-256: 8da4db10286d6c311d1269e265d3d18779d603b6ecdc98710b66dab3e1a3d85c
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.s390x.rpm	SHA-256: 26acda09b7de25883e68ee04c26d3361fba6e546c524d15bd297fdba5621c1fc
rh-nodejs12-nodejs-devel-12.16.1-1.el7.s390x.rpm	SHA-256: 068ed4915f751d92704cadcba9aa67a633fc80dd81e2a904b38a455e94b43751
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm	SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.s390x.rpm	SHA-256: 7f4f297a75a30478dfed0ea94e1748c10640dc48026901e54ecf3b76ee1b76c6

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.6

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm	SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
ppc64le
rh-nodejs12-nodejs-12.16.1-1.el7.ppc64le.rpm	SHA-256: 819cebd882cd0b941a0ec6da736589d57eca1ea94e6ac3a49b63afacd6429237
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.ppc64le.rpm	SHA-256: 020ef925d358673335495a64254e3640aa78c026ef53062ac7af8ad09846233b
rh-nodejs12-nodejs-devel-12.16.1-1.el7.ppc64le.rpm	SHA-256: 2a3ebda2ab99f9799c74c60d3b88392c3618b728ff009a103ddfc3dabe0e2392
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm	SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.ppc64le.rpm	SHA-256: b85b2b12fed94bc767e989d29b5635ac5545ca573d1afff5a5552daa9a7f72b3

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm	SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
x86_64
rh-nodejs12-nodejs-12.16.1-1.el7.x86_64.rpm	SHA-256: efbb154dc07cb3d137e049557b984791d8c520f43609bed8880951e4ba9c5d14
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.x86_64.rpm	SHA-256: 0cc5d0e797292c4c7022ef45158f1b513d12fdacd8bc1f382a60789442c9da8a
rh-nodejs12-nodejs-devel-12.16.1-1.el7.x86_64.rpm	SHA-256: 337f526ca357c11859331362c0cc49052a809f3ff0efc8387818825f0aa363e1
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm	SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.x86_64.rpm	SHA-256: cfa4ce2a3059ef905a1de14087713db10672743eed0198355c8f66dfdf8af4d5

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.5

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm	SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
s390x
rh-nodejs12-nodejs-12.16.1-1.el7.s390x.rpm	SHA-256: 8da4db10286d6c311d1269e265d3d18779d603b6ecdc98710b66dab3e1a3d85c
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.s390x.rpm	SHA-256: 26acda09b7de25883e68ee04c26d3361fba6e546c524d15bd297fdba5621c1fc
rh-nodejs12-nodejs-devel-12.16.1-1.el7.s390x.rpm	SHA-256: 068ed4915f751d92704cadcba9aa67a633fc80dd81e2a904b38a455e94b43751
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm	SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.s390x.rpm	SHA-256: 7f4f297a75a30478dfed0ea94e1748c10640dc48026901e54ecf3b76ee1b76c6

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.5

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm	SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
ppc64le
rh-nodejs12-nodejs-12.16.1-1.el7.ppc64le.rpm	SHA-256: 819cebd882cd0b941a0ec6da736589d57eca1ea94e6ac3a49b63afacd6429237
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.ppc64le.rpm	SHA-256: 020ef925d358673335495a64254e3640aa78c026ef53062ac7af8ad09846233b
rh-nodejs12-nodejs-devel-12.16.1-1.el7.ppc64le.rpm	SHA-256: 2a3ebda2ab99f9799c74c60d3b88392c3618b728ff009a103ddfc3dabe0e2392
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm	SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.ppc64le.rpm	SHA-256: b85b2b12fed94bc767e989d29b5635ac5545ca573d1afff5a5552daa9a7f72b3

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm	SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
x86_64
rh-nodejs12-nodejs-12.16.1-1.el7.x86_64.rpm	SHA-256: efbb154dc07cb3d137e049557b984791d8c520f43609bed8880951e4ba9c5d14
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.x86_64.rpm	SHA-256: 0cc5d0e797292c4c7022ef45158f1b513d12fdacd8bc1f382a60789442c9da8a
rh-nodejs12-nodejs-devel-12.16.1-1.el7.x86_64.rpm	SHA-256: 337f526ca357c11859331362c0cc49052a809f3ff0efc8387818825f0aa363e1
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm	SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.x86_64.rpm	SHA-256: cfa4ce2a3059ef905a1de14087713db10672743eed0198355c8f66dfdf8af4d5

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm	SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
s390x
rh-nodejs12-nodejs-12.16.1-1.el7.s390x.rpm	SHA-256: 8da4db10286d6c311d1269e265d3d18779d603b6ecdc98710b66dab3e1a3d85c
rh-nodejs12-nodejs-12.16.1-1.el7.s390x.rpm	SHA-256: 8da4db10286d6c311d1269e265d3d18779d603b6ecdc98710b66dab3e1a3d85c
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.s390x.rpm	SHA-256: 26acda09b7de25883e68ee04c26d3361fba6e546c524d15bd297fdba5621c1fc
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.s390x.rpm	SHA-256: 26acda09b7de25883e68ee04c26d3361fba6e546c524d15bd297fdba5621c1fc
rh-nodejs12-nodejs-devel-12.16.1-1.el7.s390x.rpm	SHA-256: 068ed4915f751d92704cadcba9aa67a633fc80dd81e2a904b38a455e94b43751
rh-nodejs12-nodejs-devel-12.16.1-1.el7.s390x.rpm	SHA-256: 068ed4915f751d92704cadcba9aa67a633fc80dd81e2a904b38a455e94b43751
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm	SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm	SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.s390x.rpm	SHA-256: 7f4f297a75a30478dfed0ea94e1748c10640dc48026901e54ecf3b76ee1b76c6
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.s390x.rpm	SHA-256: 7f4f297a75a30478dfed0ea94e1748c10640dc48026901e54ecf3b76ee1b76c6

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm	SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
ppc64le
rh-nodejs12-nodejs-12.16.1-1.el7.ppc64le.rpm	SHA-256: 819cebd882cd0b941a0ec6da736589d57eca1ea94e6ac3a49b63afacd6429237
rh-nodejs12-nodejs-12.16.1-1.el7.ppc64le.rpm	SHA-256: 819cebd882cd0b941a0ec6da736589d57eca1ea94e6ac3a49b63afacd6429237
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.ppc64le.rpm	SHA-256: 020ef925d358673335495a64254e3640aa78c026ef53062ac7af8ad09846233b
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.ppc64le.rpm	SHA-256: 020ef925d358673335495a64254e3640aa78c026ef53062ac7af8ad09846233b
rh-nodejs12-nodejs-devel-12.16.1-1.el7.ppc64le.rpm	SHA-256: 2a3ebda2ab99f9799c74c60d3b88392c3618b728ff009a103ddfc3dabe0e2392
rh-nodejs12-nodejs-devel-12.16.1-1.el7.ppc64le.rpm	SHA-256: 2a3ebda2ab99f9799c74c60d3b88392c3618b728ff009a103ddfc3dabe0e2392
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm	SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm	SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.ppc64le.rpm	SHA-256: b85b2b12fed94bc767e989d29b5635ac5545ca573d1afff5a5552daa9a7f72b3
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.ppc64le.rpm	SHA-256: b85b2b12fed94bc767e989d29b5635ac5545ca573d1afff5a5552daa9a7f72b3

Red Hat Software Collections (for RHEL Server for ARM) 1

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm	SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
aarch64
rh-nodejs12-nodejs-12.16.1-1.el7.aarch64.rpm	SHA-256: f4b67ee0b2db143c79f1f9f049d06bae94100101323f4a83ab83465828340ae8
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.aarch64.rpm	SHA-256: a2e411c0197a42215feb4dffd7052b605e68740c9bf140bead8abfa3ea115fbd
rh-nodejs12-nodejs-devel-12.16.1-1.el7.aarch64.rpm	SHA-256: b7edcf16c7b1a3862a34d1de42a830ba865fe95d9e4073e3002bfec674f7a0f9
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm	SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.aarch64.rpm	SHA-256: a03e27bb84011e2fd2f2e9f66b46d6aab571d627f8e54f45fdba6120dc29d46f

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7

SRPM
rh-nodejs12-nodejs-12.16.1-1.el7.src.rpm	SHA-256: 65c0a9fbc02ede430f31ee32a3e895d5996f1ed1e99fe1819d045aab975f1bb3
x86_64
rh-nodejs12-nodejs-12.16.1-1.el7.x86_64.rpm	SHA-256: efbb154dc07cb3d137e049557b984791d8c520f43609bed8880951e4ba9c5d14
rh-nodejs12-nodejs-debuginfo-12.16.1-1.el7.x86_64.rpm	SHA-256: 0cc5d0e797292c4c7022ef45158f1b513d12fdacd8bc1f382a60789442c9da8a
rh-nodejs12-nodejs-devel-12.16.1-1.el7.x86_64.rpm	SHA-256: 337f526ca357c11859331362c0cc49052a809f3ff0efc8387818825f0aa363e1
rh-nodejs12-nodejs-docs-12.16.1-1.el7.noarch.rpm	SHA-256: b1381e2031128d81beb7becc28a0f94089b73374ddf61771659856b19227f36a
rh-nodejs12-npm-6.13.4-12.16.1.1.el7.x86_64.rpm	SHA-256: cfa4ce2a3059ef905a1de14087713db10672743eed0198355c8f66dfdf8af4d5

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.