Issued:
2021-02-11
Updated:
2021-02-11

RHSA-2021:0485 - Security Advisory

Synopsis

Moderate: rh-nodejs12-nodejs security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: rh-nodejs12-nodejs (12.20.1), rh-nodejs12-nodejs-nodemon (2.0.3).

Security Fix(es):

  • nodejs-mixin-deep: prototype pollution in function mixin-deep (CVE-2019-10746)
  • nodejs-set-value: prototype pollution in function set-value (CVE-2019-10747)
  • nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754)
  • nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)
  • nodejs: use-after-free in the TLS implementation (CVE-2020-8265)
  • nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7 x86_64
  • Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.7 s390x
  • Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.7 ppc64le
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.6 x86_64
  • Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.6 s390x
  • Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.6 ppc64le
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
  • Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64

Fixes

  • BZ - 1795475 - CVE-2019-10746 nodejs-mixin-deep: prototype pollution in function mixin-deep
  • BZ - 1795479 - CVE-2019-10747 nodejs-set-value: prototype pollution in function set-value
  • BZ - 1892430 - CVE-2020-7754 nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS
  • BZ - 1907444 - CVE-2020-7788 nodejs-ini: prototype pollution via malicious INI file
  • BZ - 1912854 - CVE-2020-8265 nodejs: use-after-free in the TLS implementation
  • BZ - 1912863 - CVE-2020-8287 nodejs: HTTP request smuggling via two copies of a header field in an http request

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7

SRPM
rh-nodejs12-nodejs-12.20.1-1.el7.src.rpm SHA-256: 572a5faaf00c4813d45bbdd21b7e64f848bd554d7e921523ea86ebb5de731f4c
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.src.rpm SHA-256: aea519249e91108ace38189dc8f886ffdfae4a2070e2d7017805d6d72eacd454
x86_64
rh-nodejs12-nodejs-12.20.1-1.el7.x86_64.rpm SHA-256: ca45552b91b39420e3f5c12ff7e8677ba9f81e58e51f60b7f77b0437aaa44796
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.x86_64.rpm SHA-256: 98d9efee471ef9ff37cf068b06b15c57e1269312a527fdef5d5d5dbf4717aa51
rh-nodejs12-nodejs-devel-12.20.1-1.el7.x86_64.rpm SHA-256: deba32b8937b8ea1e06dd0c4f4720e24563917bda16130be49598d44b1f27fd3
rh-nodejs12-nodejs-docs-12.20.1-1.el7.noarch.rpm SHA-256: 58748485f41fc7aee50b4dc65a5a525ca470f9afdb19ef366c62948e3cb49ca3
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.noarch.rpm SHA-256: 7a9200de61075fefff1dcc3f978e26b8780401ad20f6c3638b02c4be0cf81d1c
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.x86_64.rpm SHA-256: 04c69e2fb368d3371428e6e0d3f0939f889bcc779b6716d06e86ef83870acec1

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.7

SRPM
rh-nodejs12-nodejs-12.20.1-1.el7.src.rpm SHA-256: 572a5faaf00c4813d45bbdd21b7e64f848bd554d7e921523ea86ebb5de731f4c
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.src.rpm SHA-256: aea519249e91108ace38189dc8f886ffdfae4a2070e2d7017805d6d72eacd454
s390x
rh-nodejs12-nodejs-12.20.1-1.el7.s390x.rpm SHA-256: 0dba81bf36a78a94f486a5be31358a6316dc7e21cd9c4acc632ed09e8b98935d
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.s390x.rpm SHA-256: 676304841b2bee70effde4b5a7cfe36fcecd74d685675eaf61f63d42598c36bc
rh-nodejs12-nodejs-devel-12.20.1-1.el7.s390x.rpm SHA-256: 2ffcdbd72bd9191c9130dddf394499089934301ec8606c392e8d99e36c22094a
rh-nodejs12-nodejs-docs-12.20.1-1.el7.noarch.rpm SHA-256: 58748485f41fc7aee50b4dc65a5a525ca470f9afdb19ef366c62948e3cb49ca3
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.noarch.rpm SHA-256: 7a9200de61075fefff1dcc3f978e26b8780401ad20f6c3638b02c4be0cf81d1c
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.s390x.rpm SHA-256: 172f2249f1f6655bcae900753df9b4a74de424bad2bcb985f6d37c6e7a74a1bf

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.7

SRPM
rh-nodejs12-nodejs-12.20.1-1.el7.src.rpm SHA-256: 572a5faaf00c4813d45bbdd21b7e64f848bd554d7e921523ea86ebb5de731f4c
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.src.rpm SHA-256: aea519249e91108ace38189dc8f886ffdfae4a2070e2d7017805d6d72eacd454
ppc64le
rh-nodejs12-nodejs-12.20.1-1.el7.ppc64le.rpm SHA-256: 82cc973b9dfbdae0e5408ed0d3902a323cb36dd5c62320fee43780d135e11b25
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.ppc64le.rpm SHA-256: 5030be6e6419329eda820ebb0e316007061ca883ee552e51839536e56f996f6c
rh-nodejs12-nodejs-devel-12.20.1-1.el7.ppc64le.rpm SHA-256: c51de9fe43188415e13fa2b422ddcf253ce4ceb3fc299f69c53e4cf0697e3822
rh-nodejs12-nodejs-docs-12.20.1-1.el7.noarch.rpm SHA-256: 58748485f41fc7aee50b4dc65a5a525ca470f9afdb19ef366c62948e3cb49ca3
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.noarch.rpm SHA-256: 7a9200de61075fefff1dcc3f978e26b8780401ad20f6c3638b02c4be0cf81d1c
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.ppc64le.rpm SHA-256: 894fdb18738819c1abc119f9c8e2b2e1cf5fdacba294ed79f6a4f34931e52954

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.6

SRPM
rh-nodejs12-nodejs-12.20.1-1.el7.src.rpm SHA-256: 572a5faaf00c4813d45bbdd21b7e64f848bd554d7e921523ea86ebb5de731f4c
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.src.rpm SHA-256: aea519249e91108ace38189dc8f886ffdfae4a2070e2d7017805d6d72eacd454
x86_64
rh-nodejs12-nodejs-12.20.1-1.el7.x86_64.rpm SHA-256: ca45552b91b39420e3f5c12ff7e8677ba9f81e58e51f60b7f77b0437aaa44796
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.x86_64.rpm SHA-256: 98d9efee471ef9ff37cf068b06b15c57e1269312a527fdef5d5d5dbf4717aa51
rh-nodejs12-nodejs-devel-12.20.1-1.el7.x86_64.rpm SHA-256: deba32b8937b8ea1e06dd0c4f4720e24563917bda16130be49598d44b1f27fd3
rh-nodejs12-nodejs-docs-12.20.1-1.el7.noarch.rpm SHA-256: 58748485f41fc7aee50b4dc65a5a525ca470f9afdb19ef366c62948e3cb49ca3
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.noarch.rpm SHA-256: 7a9200de61075fefff1dcc3f978e26b8780401ad20f6c3638b02c4be0cf81d1c
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.x86_64.rpm SHA-256: 04c69e2fb368d3371428e6e0d3f0939f889bcc779b6716d06e86ef83870acec1

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.6

SRPM
rh-nodejs12-nodejs-12.20.1-1.el7.src.rpm SHA-256: 572a5faaf00c4813d45bbdd21b7e64f848bd554d7e921523ea86ebb5de731f4c
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.src.rpm SHA-256: aea519249e91108ace38189dc8f886ffdfae4a2070e2d7017805d6d72eacd454
s390x
rh-nodejs12-nodejs-12.20.1-1.el7.s390x.rpm SHA-256: 0dba81bf36a78a94f486a5be31358a6316dc7e21cd9c4acc632ed09e8b98935d
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.s390x.rpm SHA-256: 676304841b2bee70effde4b5a7cfe36fcecd74d685675eaf61f63d42598c36bc
rh-nodejs12-nodejs-devel-12.20.1-1.el7.s390x.rpm SHA-256: 2ffcdbd72bd9191c9130dddf394499089934301ec8606c392e8d99e36c22094a
rh-nodejs12-nodejs-docs-12.20.1-1.el7.noarch.rpm SHA-256: 58748485f41fc7aee50b4dc65a5a525ca470f9afdb19ef366c62948e3cb49ca3
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.noarch.rpm SHA-256: 7a9200de61075fefff1dcc3f978e26b8780401ad20f6c3638b02c4be0cf81d1c
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.s390x.rpm SHA-256: 172f2249f1f6655bcae900753df9b4a74de424bad2bcb985f6d37c6e7a74a1bf

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.6

SRPM
rh-nodejs12-nodejs-12.20.1-1.el7.src.rpm SHA-256: 572a5faaf00c4813d45bbdd21b7e64f848bd554d7e921523ea86ebb5de731f4c
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.src.rpm SHA-256: aea519249e91108ace38189dc8f886ffdfae4a2070e2d7017805d6d72eacd454
ppc64le
rh-nodejs12-nodejs-12.20.1-1.el7.ppc64le.rpm SHA-256: 82cc973b9dfbdae0e5408ed0d3902a323cb36dd5c62320fee43780d135e11b25
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.ppc64le.rpm SHA-256: 5030be6e6419329eda820ebb0e316007061ca883ee552e51839536e56f996f6c
rh-nodejs12-nodejs-devel-12.20.1-1.el7.ppc64le.rpm SHA-256: c51de9fe43188415e13fa2b422ddcf253ce4ceb3fc299f69c53e4cf0697e3822
rh-nodejs12-nodejs-docs-12.20.1-1.el7.noarch.rpm SHA-256: 58748485f41fc7aee50b4dc65a5a525ca470f9afdb19ef366c62948e3cb49ca3
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.noarch.rpm SHA-256: 7a9200de61075fefff1dcc3f978e26b8780401ad20f6c3638b02c4be0cf81d1c
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.ppc64le.rpm SHA-256: 894fdb18738819c1abc119f9c8e2b2e1cf5fdacba294ed79f6a4f34931e52954

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7

SRPM
rh-nodejs12-nodejs-12.20.1-1.el7.src.rpm SHA-256: 572a5faaf00c4813d45bbdd21b7e64f848bd554d7e921523ea86ebb5de731f4c
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.src.rpm SHA-256: aea519249e91108ace38189dc8f886ffdfae4a2070e2d7017805d6d72eacd454
x86_64
rh-nodejs12-nodejs-12.20.1-1.el7.x86_64.rpm SHA-256: ca45552b91b39420e3f5c12ff7e8677ba9f81e58e51f60b7f77b0437aaa44796
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.x86_64.rpm SHA-256: 98d9efee471ef9ff37cf068b06b15c57e1269312a527fdef5d5d5dbf4717aa51
rh-nodejs12-nodejs-devel-12.20.1-1.el7.x86_64.rpm SHA-256: deba32b8937b8ea1e06dd0c4f4720e24563917bda16130be49598d44b1f27fd3
rh-nodejs12-nodejs-docs-12.20.1-1.el7.noarch.rpm SHA-256: 58748485f41fc7aee50b4dc65a5a525ca470f9afdb19ef366c62948e3cb49ca3
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.noarch.rpm SHA-256: 7a9200de61075fefff1dcc3f978e26b8780401ad20f6c3638b02c4be0cf81d1c
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.x86_64.rpm SHA-256: 04c69e2fb368d3371428e6e0d3f0939f889bcc779b6716d06e86ef83870acec1

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7

SRPM
rh-nodejs12-nodejs-12.20.1-1.el7.src.rpm SHA-256: 572a5faaf00c4813d45bbdd21b7e64f848bd554d7e921523ea86ebb5de731f4c
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.src.rpm SHA-256: aea519249e91108ace38189dc8f886ffdfae4a2070e2d7017805d6d72eacd454
s390x
rh-nodejs12-nodejs-12.20.1-1.el7.s390x.rpm SHA-256: 0dba81bf36a78a94f486a5be31358a6316dc7e21cd9c4acc632ed09e8b98935d
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.s390x.rpm SHA-256: 676304841b2bee70effde4b5a7cfe36fcecd74d685675eaf61f63d42598c36bc
rh-nodejs12-nodejs-devel-12.20.1-1.el7.s390x.rpm SHA-256: 2ffcdbd72bd9191c9130dddf394499089934301ec8606c392e8d99e36c22094a
rh-nodejs12-nodejs-docs-12.20.1-1.el7.noarch.rpm SHA-256: 58748485f41fc7aee50b4dc65a5a525ca470f9afdb19ef366c62948e3cb49ca3
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.noarch.rpm SHA-256: 7a9200de61075fefff1dcc3f978e26b8780401ad20f6c3638b02c4be0cf81d1c
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.s390x.rpm SHA-256: 172f2249f1f6655bcae900753df9b4a74de424bad2bcb985f6d37c6e7a74a1bf

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7

SRPM
rh-nodejs12-nodejs-12.20.1-1.el7.src.rpm SHA-256: 572a5faaf00c4813d45bbdd21b7e64f848bd554d7e921523ea86ebb5de731f4c
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.src.rpm SHA-256: aea519249e91108ace38189dc8f886ffdfae4a2070e2d7017805d6d72eacd454
ppc64le
rh-nodejs12-nodejs-12.20.1-1.el7.ppc64le.rpm SHA-256: 82cc973b9dfbdae0e5408ed0d3902a323cb36dd5c62320fee43780d135e11b25
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.ppc64le.rpm SHA-256: 5030be6e6419329eda820ebb0e316007061ca883ee552e51839536e56f996f6c
rh-nodejs12-nodejs-devel-12.20.1-1.el7.ppc64le.rpm SHA-256: c51de9fe43188415e13fa2b422ddcf253ce4ceb3fc299f69c53e4cf0697e3822
rh-nodejs12-nodejs-docs-12.20.1-1.el7.noarch.rpm SHA-256: 58748485f41fc7aee50b4dc65a5a525ca470f9afdb19ef366c62948e3cb49ca3
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.noarch.rpm SHA-256: 7a9200de61075fefff1dcc3f978e26b8780401ad20f6c3638b02c4be0cf81d1c
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.ppc64le.rpm SHA-256: 894fdb18738819c1abc119f9c8e2b2e1cf5fdacba294ed79f6a4f34931e52954

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7

SRPM
rh-nodejs12-nodejs-12.20.1-1.el7.src.rpm SHA-256: 572a5faaf00c4813d45bbdd21b7e64f848bd554d7e921523ea86ebb5de731f4c
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.src.rpm SHA-256: aea519249e91108ace38189dc8f886ffdfae4a2070e2d7017805d6d72eacd454
x86_64
rh-nodejs12-nodejs-12.20.1-1.el7.x86_64.rpm SHA-256: ca45552b91b39420e3f5c12ff7e8677ba9f81e58e51f60b7f77b0437aaa44796
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.x86_64.rpm SHA-256: 98d9efee471ef9ff37cf068b06b15c57e1269312a527fdef5d5d5dbf4717aa51
rh-nodejs12-nodejs-devel-12.20.1-1.el7.x86_64.rpm SHA-256: deba32b8937b8ea1e06dd0c4f4720e24563917bda16130be49598d44b1f27fd3
rh-nodejs12-nodejs-docs-12.20.1-1.el7.noarch.rpm SHA-256: 58748485f41fc7aee50b4dc65a5a525ca470f9afdb19ef366c62948e3cb49ca3
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.noarch.rpm SHA-256: 7a9200de61075fefff1dcc3f978e26b8780401ad20f6c3638b02c4be0cf81d1c
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.x86_64.rpm SHA-256: 04c69e2fb368d3371428e6e0d3f0939f889bcc779b6716d06e86ef83870acec1

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.