Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Red Hat Console
  • Get Support
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Red Hat Console
  • Get Support
  • Products

    Top Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    All Products

    Downloads and Containers

    • Downloads
    • Packages
    • Containers

    Top Resources

    • Documentation
    • Product Life Cycles
    • Product Compliance
    • Errata
  • Knowledge

    Red Hat Knowledge Center

    • Knowledgebase Solutions
    • Knowledgebase Articles
    • Customer Portal Labs
    • Errata

    Top Product Docs

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    All Product Docs

    Training and Certification

    • About
    • Course Index
    • Certification Index
    • Skill Assessment
  • Security

    Red Hat Product Security Center

    • Security Updates
    • Security Advisories
    • Red Hat CVE Database
    • Errata

    References

    • Security Bulletins
    • Security Measurement
    • Severity Ratings
    • Security Data

    Top Resources

    • Security Labs
    • Backporting Policies
    • Security Blog
  • Support

    Red Hat Support

    • Support Cases
    • Troubleshoot
    • Get Support
    • Contact Red Hat Support

    Red Hat Community Support

    • Customer Portal Community
    • Community Discussions
    • Red Hat Accelerator Program

    Top Resources

    • Product Life Cycles
    • Customer Portal Labs
    • Red Hat JBoss Supported Configurations
    • Red Hat Insights
Or troubleshoot an issue.

Select Your Language

  • English
  • Français
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat OpenStack Platform
  • Red Hat OpenShift
  • Red Hat OpenShift AI
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat build of Keycloak
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Application Foundations
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
All Products
Red Hat Product Errata RHSA-2021:3280 - Security Advisory
Issued:
2021-08-26
Updated:
2021-08-26

RHSA-2021:3280 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Important: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: rh-nodejs14-nodejs (14.17.5).

Security Fix(es):

  • nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930)
  • nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940)
  • nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)
  • nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
  • c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672)
  • nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931)
  • nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803)
  • nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804)
  • nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939)
  • nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7 x86_64
  • Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.7 s390x
  • Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.7 ppc64le
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
  • Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64

Fixes

  • BZ - 1907444 - CVE-2020-7788 nodejs-ini: Prototype pollution via malicious INI file
  • BZ - 1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service
  • BZ - 1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe
  • BZ - 1988342 - CVE-2021-3672 c-ares: Missing input validation of host names may lead to domain hijacking
  • BZ - 1988394 - CVE-2021-22930 nodejs: Use-after-free on close http2 on stream canceling
  • BZ - 1990409 - CVE-2021-32804 nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
  • BZ - 1990415 - CVE-2021-32803 nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite
  • BZ - 1993019 - CVE-2021-22931 nodejs: Improper handling of untypical characters in domain names
  • BZ - 1993029 - CVE-2021-22940 nodejs: Use-after-free on close http2 on stream canceling
  • BZ - 1993039 - CVE-2021-22939 nodejs: Incomplete validation of tls rejectUnauthorized parameter

CVEs

  • CVE-2020-7788
  • CVE-2020-28469
  • CVE-2021-3672
  • CVE-2021-22930
  • CVE-2021-22931
  • CVE-2021-22939
  • CVE-2021-22940
  • CVE-2021-23343
  • CVE-2021-32803
  • CVE-2021-32804

References

  • https://access.redhat.com/security/updates/classification/#important
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7

SRPM
rh-nodejs14-nodejs-14.17.5-1.el7.src.rpm SHA-256: 79a8b99248eef2b25cfcc13fa73b049e75c14799d85eb9d9e6e40dcf5472be27
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.src.rpm SHA-256: 2db1153dbefa77931b6cb711e4721e61cffcac218e0b28dfd412c62d0a5f13f1
x86_64
rh-nodejs14-nodejs-14.17.5-1.el7.x86_64.rpm SHA-256: baf26b8d8146aa6f627e231f1ac4ad33eca7152691ba967cae67b7a0487bfec8
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.x86_64.rpm SHA-256: e43e265d8af6cc6a934be0b930f4d6b2ae313104094b23619d183fb7c21c4ad2
rh-nodejs14-nodejs-devel-14.17.5-1.el7.x86_64.rpm SHA-256: 79c4a3934870e135049b415f6fdd41a74158ef422caa682ca70075cdf90e4272
rh-nodejs14-nodejs-docs-14.17.5-1.el7.noarch.rpm SHA-256: d704597cc062c3bb4228641c4b2deb0f16ab25c50552881d27656c00835a2c15
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.noarch.rpm SHA-256: c580cc29f4b4df9b96facef84d9618fa702b847857d44a09f5bc7ac6eaecf22c
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.x86_64.rpm SHA-256: 9eb0b7e958615e1bdc3edb1d2906b62dd3034dc551d0c521031f233457bf7876

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.7

SRPM
rh-nodejs14-nodejs-14.17.5-1.el7.src.rpm SHA-256: 79a8b99248eef2b25cfcc13fa73b049e75c14799d85eb9d9e6e40dcf5472be27
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.src.rpm SHA-256: 2db1153dbefa77931b6cb711e4721e61cffcac218e0b28dfd412c62d0a5f13f1
s390x
rh-nodejs14-nodejs-14.17.5-1.el7.s390x.rpm SHA-256: 0d7e0cf4263b1081ee1195641ee4bfb0152a7338dd3fb488157d2b704f0f2a11
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.s390x.rpm SHA-256: 667d4814724248534d0bff2fafde094637f5d02209247537aaae50ea348040e6
rh-nodejs14-nodejs-devel-14.17.5-1.el7.s390x.rpm SHA-256: ed03b8f30769d4d65b0b1cae06bfdaf2f2fcf6637295acc7a99e2c53be617dfd
rh-nodejs14-nodejs-docs-14.17.5-1.el7.noarch.rpm SHA-256: d704597cc062c3bb4228641c4b2deb0f16ab25c50552881d27656c00835a2c15
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.noarch.rpm SHA-256: c580cc29f4b4df9b96facef84d9618fa702b847857d44a09f5bc7ac6eaecf22c
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.s390x.rpm SHA-256: 485af1da91708c675b7cdf20f944f49921a3fbb9d0b37d1773dff8ab6e4c2550

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.7

SRPM
rh-nodejs14-nodejs-14.17.5-1.el7.src.rpm SHA-256: 79a8b99248eef2b25cfcc13fa73b049e75c14799d85eb9d9e6e40dcf5472be27
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.src.rpm SHA-256: 2db1153dbefa77931b6cb711e4721e61cffcac218e0b28dfd412c62d0a5f13f1
ppc64le
rh-nodejs14-nodejs-14.17.5-1.el7.ppc64le.rpm SHA-256: 00f010625a76d6e3b0442150ba02e972b8aaeb3668b2ed734748f3e46d87a99c
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.ppc64le.rpm SHA-256: f04e8c6a0b1627ccf5fcf11649897390addc47388f80ef038df877d6daa8361f
rh-nodejs14-nodejs-devel-14.17.5-1.el7.ppc64le.rpm SHA-256: 4d8a4f0057ceb4381c2d94d7366a10be821cc55bfbd3043eeb5d85271a3052ca
rh-nodejs14-nodejs-docs-14.17.5-1.el7.noarch.rpm SHA-256: d704597cc062c3bb4228641c4b2deb0f16ab25c50552881d27656c00835a2c15
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.noarch.rpm SHA-256: c580cc29f4b4df9b96facef84d9618fa702b847857d44a09f5bc7ac6eaecf22c
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.ppc64le.rpm SHA-256: bf95fd7f36cba430b4f1c3001263102e8751ee2d83538557c20dd30ff4e8c48d

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7

SRPM
rh-nodejs14-nodejs-14.17.5-1.el7.src.rpm SHA-256: 79a8b99248eef2b25cfcc13fa73b049e75c14799d85eb9d9e6e40dcf5472be27
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.src.rpm SHA-256: 2db1153dbefa77931b6cb711e4721e61cffcac218e0b28dfd412c62d0a5f13f1
x86_64
rh-nodejs14-nodejs-14.17.5-1.el7.x86_64.rpm SHA-256: baf26b8d8146aa6f627e231f1ac4ad33eca7152691ba967cae67b7a0487bfec8
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.x86_64.rpm SHA-256: e43e265d8af6cc6a934be0b930f4d6b2ae313104094b23619d183fb7c21c4ad2
rh-nodejs14-nodejs-devel-14.17.5-1.el7.x86_64.rpm SHA-256: 79c4a3934870e135049b415f6fdd41a74158ef422caa682ca70075cdf90e4272
rh-nodejs14-nodejs-docs-14.17.5-1.el7.noarch.rpm SHA-256: d704597cc062c3bb4228641c4b2deb0f16ab25c50552881d27656c00835a2c15
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.noarch.rpm SHA-256: c580cc29f4b4df9b96facef84d9618fa702b847857d44a09f5bc7ac6eaecf22c
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.x86_64.rpm SHA-256: 9eb0b7e958615e1bdc3edb1d2906b62dd3034dc551d0c521031f233457bf7876

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7

SRPM
rh-nodejs14-nodejs-14.17.5-1.el7.src.rpm SHA-256: 79a8b99248eef2b25cfcc13fa73b049e75c14799d85eb9d9e6e40dcf5472be27
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.src.rpm SHA-256: 2db1153dbefa77931b6cb711e4721e61cffcac218e0b28dfd412c62d0a5f13f1
s390x
rh-nodejs14-nodejs-14.17.5-1.el7.s390x.rpm SHA-256: 0d7e0cf4263b1081ee1195641ee4bfb0152a7338dd3fb488157d2b704f0f2a11
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.s390x.rpm SHA-256: 667d4814724248534d0bff2fafde094637f5d02209247537aaae50ea348040e6
rh-nodejs14-nodejs-devel-14.17.5-1.el7.s390x.rpm SHA-256: ed03b8f30769d4d65b0b1cae06bfdaf2f2fcf6637295acc7a99e2c53be617dfd
rh-nodejs14-nodejs-docs-14.17.5-1.el7.noarch.rpm SHA-256: d704597cc062c3bb4228641c4b2deb0f16ab25c50552881d27656c00835a2c15
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.noarch.rpm SHA-256: c580cc29f4b4df9b96facef84d9618fa702b847857d44a09f5bc7ac6eaecf22c
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.s390x.rpm SHA-256: 485af1da91708c675b7cdf20f944f49921a3fbb9d0b37d1773dff8ab6e4c2550

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7

SRPM
rh-nodejs14-nodejs-14.17.5-1.el7.src.rpm SHA-256: 79a8b99248eef2b25cfcc13fa73b049e75c14799d85eb9d9e6e40dcf5472be27
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.src.rpm SHA-256: 2db1153dbefa77931b6cb711e4721e61cffcac218e0b28dfd412c62d0a5f13f1
ppc64le
rh-nodejs14-nodejs-14.17.5-1.el7.ppc64le.rpm SHA-256: 00f010625a76d6e3b0442150ba02e972b8aaeb3668b2ed734748f3e46d87a99c
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.ppc64le.rpm SHA-256: f04e8c6a0b1627ccf5fcf11649897390addc47388f80ef038df877d6daa8361f
rh-nodejs14-nodejs-devel-14.17.5-1.el7.ppc64le.rpm SHA-256: 4d8a4f0057ceb4381c2d94d7366a10be821cc55bfbd3043eeb5d85271a3052ca
rh-nodejs14-nodejs-docs-14.17.5-1.el7.noarch.rpm SHA-256: d704597cc062c3bb4228641c4b2deb0f16ab25c50552881d27656c00835a2c15
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.noarch.rpm SHA-256: c580cc29f4b4df9b96facef84d9618fa702b847857d44a09f5bc7ac6eaecf22c
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.ppc64le.rpm SHA-256: bf95fd7f36cba430b4f1c3001263102e8751ee2d83538557c20dd30ff4e8c48d

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7

SRPM
rh-nodejs14-nodejs-14.17.5-1.el7.src.rpm SHA-256: 79a8b99248eef2b25cfcc13fa73b049e75c14799d85eb9d9e6e40dcf5472be27
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.src.rpm SHA-256: 2db1153dbefa77931b6cb711e4721e61cffcac218e0b28dfd412c62d0a5f13f1
x86_64
rh-nodejs14-nodejs-14.17.5-1.el7.x86_64.rpm SHA-256: baf26b8d8146aa6f627e231f1ac4ad33eca7152691ba967cae67b7a0487bfec8
rh-nodejs14-nodejs-debuginfo-14.17.5-1.el7.x86_64.rpm SHA-256: e43e265d8af6cc6a934be0b930f4d6b2ae313104094b23619d183fb7c21c4ad2
rh-nodejs14-nodejs-devel-14.17.5-1.el7.x86_64.rpm SHA-256: 79c4a3934870e135049b415f6fdd41a74158ef422caa682ca70075cdf90e4272
rh-nodejs14-nodejs-docs-14.17.5-1.el7.noarch.rpm SHA-256: d704597cc062c3bb4228641c4b2deb0f16ab25c50552881d27656c00835a2c15
rh-nodejs14-nodejs-nodemon-2.0.3-5.el7.noarch.rpm SHA-256: c580cc29f4b4df9b96facef84d9618fa702b847857d44a09f5bc7ac6eaecf22c
rh-nodejs14-npm-6.14.14-14.17.5.1.el7.x86_64.rpm SHA-256: 9eb0b7e958615e1bdc3edb1d2906b62dd3034dc551d0c521031f233457bf7876

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat LinkedIn YouTube Facebook X, formerly Twitter

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

Red Hat legal and privacy links

  • About Red Hat
  • Jobs
  • Events
  • Locations
  • Contact Red Hat
  • Red Hat Blog
  • Inclusion at Red Hat
  • Cool Stuff Store
  • Red Hat Summit
© 2025 Red Hat

Red Hat legal and privacy links

  • Privacy statement
  • Terms of use
  • All policies and guidelines
  • Digital accessibility