Red Hat Product Errata RHSA-2021:3281 - Security Advisory
Issued:
2021-08-26
Updated:
2021-08-26

RHSA-2021:3281 - Security Advisory

Synopsis

Important: rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: rh-nodejs12-nodejs (12.22.5).

Security Fix(es):

  • nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930)
  • nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22940)
  • nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)
  • nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
  • c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672)
  • nodejs: Improper handling of untypical characters in domain names (CVE-2021-22931)
  • nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (CVE-2021-32803)
  • nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (CVE-2021-32804)
  • nodejs: Incomplete validation of tls rejectUnauthorized parameter (CVE-2021-22939)
  • nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7 x86_64
  • Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.7 s390x
  • Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.7 ppc64le
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
  • Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64

Fixes

  • BZ - 1907444 - CVE-2020-7788 nodejs-ini: Prototype pollution via malicious INI file
  • BZ - 1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service
  • BZ - 1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe
  • BZ - 1988342 - CVE-2021-3672 c-ares: Missing input validation of host names may lead to domain hijacking
  • BZ - 1988394 - CVE-2021-22930 nodejs: Use-after-free on close http2 on stream canceling
  • BZ - 1990409 - CVE-2021-32804 nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
  • BZ - 1990415 - CVE-2021-32803 nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite
  • BZ - 1993019 - CVE-2021-22931 nodejs: Improper handling of untypical characters in domain names
  • BZ - 1993029 - CVE-2021-22940 nodejs: Use-after-free on close http2 on stream canceling
  • BZ - 1993039 - CVE-2021-22939 nodejs: Incomplete validation of tls rejectUnauthorized parameter

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7

SRPM
rh-nodejs12-nodejs-12.22.5-1.el7.src.rpm SHA-256: 886c451fac0ecdf1b6ce12c9dd0132e1a3abff37ec010ad5f013186d22cffa7a
rh-nodejs12-nodejs-nodemon-2.0.3-5.el7.src.rpm SHA-256: b43c071a20e8a5bb682fb21118394af7255247fb2501b4b8c366a4d997d05de2
x86_64
rh-nodejs12-nodejs-12.22.5-1.el7.x86_64.rpm SHA-256: 26d91e52e7da387f105401847af4213701efd108ca73deeb1a96da0bc1ce3258
rh-nodejs12-nodejs-debuginfo-12.22.5-1.el7.x86_64.rpm SHA-256: 3f60be0f892f1a4d50d1f11a53a0a6ecd3ba4bb26a13152af5261fd9733fbe16
rh-nodejs12-nodejs-devel-12.22.5-1.el7.x86_64.rpm SHA-256: 408d03ce8eca8fd581cfb32f97889e205b12f7352cf60157af4b29b423a408c2
rh-nodejs12-nodejs-docs-12.22.5-1.el7.noarch.rpm SHA-256: 755641e6d5721722811811edf1548eda0fc992e45858ee38a4f90670b8fb63da
rh-nodejs12-nodejs-nodemon-2.0.3-5.el7.noarch.rpm SHA-256: 5ebcac6d3d10442cdca8b1ada8925e31793a38b70bcb2c0bcdb8b60f43fbc11f
rh-nodejs12-npm-6.14.14-12.22.5.1.el7.x86_64.rpm SHA-256: f118827f592f1e7f82703595585eb3def7323c62b087fcd6bfdaebbebc0c0aca

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.7

SRPM
rh-nodejs12-nodejs-12.22.5-1.el7.src.rpm SHA-256: 886c451fac0ecdf1b6ce12c9dd0132e1a3abff37ec010ad5f013186d22cffa7a
rh-nodejs12-nodejs-nodemon-2.0.3-5.el7.src.rpm SHA-256: b43c071a20e8a5bb682fb21118394af7255247fb2501b4b8c366a4d997d05de2
s390x
rh-nodejs12-nodejs-12.22.5-1.el7.s390x.rpm SHA-256: 50290c63b9c465f8b63c0dd9b33c43bdf27459415fcae515a1a4094c2218bc08
rh-nodejs12-nodejs-debuginfo-12.22.5-1.el7.s390x.rpm SHA-256: 898ee4d1602d67fbf41373bfa4f2ecdaaf18005bfaeca17430a041c77f39a651
rh-nodejs12-nodejs-devel-12.22.5-1.el7.s390x.rpm SHA-256: 476b55226bc831ea1544d25712b6d6da3cb9f4a2afbb2f1ab22cd78ff2bec11a
rh-nodejs12-nodejs-docs-12.22.5-1.el7.noarch.rpm SHA-256: 755641e6d5721722811811edf1548eda0fc992e45858ee38a4f90670b8fb63da
rh-nodejs12-nodejs-nodemon-2.0.3-5.el7.noarch.rpm SHA-256: 5ebcac6d3d10442cdca8b1ada8925e31793a38b70bcb2c0bcdb8b60f43fbc11f
rh-nodejs12-npm-6.14.14-12.22.5.1.el7.s390x.rpm SHA-256: 7c11ceca73b40af41b50b7aa13267395477f7413d0259d8b90a5686113de3e78

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.7

SRPM
rh-nodejs12-nodejs-12.22.5-1.el7.src.rpm SHA-256: 886c451fac0ecdf1b6ce12c9dd0132e1a3abff37ec010ad5f013186d22cffa7a
rh-nodejs12-nodejs-nodemon-2.0.3-5.el7.src.rpm SHA-256: b43c071a20e8a5bb682fb21118394af7255247fb2501b4b8c366a4d997d05de2
ppc64le
rh-nodejs12-nodejs-12.22.5-1.el7.ppc64le.rpm SHA-256: 92b8dbb16d7a5f312b6b1942f637670caa5a554f956da37d952ad84a41bb4590
rh-nodejs12-nodejs-debuginfo-12.22.5-1.el7.ppc64le.rpm SHA-256: 4e4d8229a873f86b522a1d5177bb93686d2211f0599d06049231b14dc4554906
rh-nodejs12-nodejs-devel-12.22.5-1.el7.ppc64le.rpm SHA-256: 3b23e63c5ea034deb19d3c2679d58ccb10bf760e936de11ee350c67ba08f7e3f
rh-nodejs12-nodejs-docs-12.22.5-1.el7.noarch.rpm SHA-256: 755641e6d5721722811811edf1548eda0fc992e45858ee38a4f90670b8fb63da
rh-nodejs12-nodejs-nodemon-2.0.3-5.el7.noarch.rpm SHA-256: 5ebcac6d3d10442cdca8b1ada8925e31793a38b70bcb2c0bcdb8b60f43fbc11f
rh-nodejs12-npm-6.14.14-12.22.5.1.el7.ppc64le.rpm SHA-256: c65506c3a5aed6d4f2c44848242d1dc674a77ec55ee2e34482597f9305c0c6e1

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7

SRPM
rh-nodejs12-nodejs-12.22.5-1.el7.src.rpm SHA-256: 886c451fac0ecdf1b6ce12c9dd0132e1a3abff37ec010ad5f013186d22cffa7a
rh-nodejs12-nodejs-nodemon-2.0.3-5.el7.src.rpm SHA-256: b43c071a20e8a5bb682fb21118394af7255247fb2501b4b8c366a4d997d05de2
x86_64
rh-nodejs12-nodejs-12.22.5-1.el7.x86_64.rpm SHA-256: 26d91e52e7da387f105401847af4213701efd108ca73deeb1a96da0bc1ce3258
rh-nodejs12-nodejs-debuginfo-12.22.5-1.el7.x86_64.rpm SHA-256: 3f60be0f892f1a4d50d1f11a53a0a6ecd3ba4bb26a13152af5261fd9733fbe16
rh-nodejs12-nodejs-devel-12.22.5-1.el7.x86_64.rpm SHA-256: 408d03ce8eca8fd581cfb32f97889e205b12f7352cf60157af4b29b423a408c2
rh-nodejs12-nodejs-docs-12.22.5-1.el7.noarch.rpm SHA-256: 755641e6d5721722811811edf1548eda0fc992e45858ee38a4f90670b8fb63da
rh-nodejs12-nodejs-nodemon-2.0.3-5.el7.noarch.rpm SHA-256: 5ebcac6d3d10442cdca8b1ada8925e31793a38b70bcb2c0bcdb8b60f43fbc11f
rh-nodejs12-npm-6.14.14-12.22.5.1.el7.x86_64.rpm SHA-256: f118827f592f1e7f82703595585eb3def7323c62b087fcd6bfdaebbebc0c0aca

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7

SRPM
rh-nodejs12-nodejs-12.22.5-1.el7.src.rpm SHA-256: 886c451fac0ecdf1b6ce12c9dd0132e1a3abff37ec010ad5f013186d22cffa7a
rh-nodejs12-nodejs-nodemon-2.0.3-5.el7.src.rpm SHA-256: b43c071a20e8a5bb682fb21118394af7255247fb2501b4b8c366a4d997d05de2
s390x
rh-nodejs12-nodejs-12.22.5-1.el7.s390x.rpm SHA-256: 50290c63b9c465f8b63c0dd9b33c43bdf27459415fcae515a1a4094c2218bc08
rh-nodejs12-nodejs-debuginfo-12.22.5-1.el7.s390x.rpm SHA-256: 898ee4d1602d67fbf41373bfa4f2ecdaaf18005bfaeca17430a041c77f39a651
rh-nodejs12-nodejs-devel-12.22.5-1.el7.s390x.rpm SHA-256: 476b55226bc831ea1544d25712b6d6da3cb9f4a2afbb2f1ab22cd78ff2bec11a
rh-nodejs12-nodejs-docs-12.22.5-1.el7.noarch.rpm SHA-256: 755641e6d5721722811811edf1548eda0fc992e45858ee38a4f90670b8fb63da
rh-nodejs12-nodejs-nodemon-2.0.3-5.el7.noarch.rpm SHA-256: 5ebcac6d3d10442cdca8b1ada8925e31793a38b70bcb2c0bcdb8b60f43fbc11f
rh-nodejs12-npm-6.14.14-12.22.5.1.el7.s390x.rpm SHA-256: 7c11ceca73b40af41b50b7aa13267395477f7413d0259d8b90a5686113de3e78

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7

SRPM
rh-nodejs12-nodejs-12.22.5-1.el7.src.rpm SHA-256: 886c451fac0ecdf1b6ce12c9dd0132e1a3abff37ec010ad5f013186d22cffa7a
rh-nodejs12-nodejs-nodemon-2.0.3-5.el7.src.rpm SHA-256: b43c071a20e8a5bb682fb21118394af7255247fb2501b4b8c366a4d997d05de2
ppc64le
rh-nodejs12-nodejs-12.22.5-1.el7.ppc64le.rpm SHA-256: 92b8dbb16d7a5f312b6b1942f637670caa5a554f956da37d952ad84a41bb4590
rh-nodejs12-nodejs-debuginfo-12.22.5-1.el7.ppc64le.rpm SHA-256: 4e4d8229a873f86b522a1d5177bb93686d2211f0599d06049231b14dc4554906
rh-nodejs12-nodejs-devel-12.22.5-1.el7.ppc64le.rpm SHA-256: 3b23e63c5ea034deb19d3c2679d58ccb10bf760e936de11ee350c67ba08f7e3f
rh-nodejs12-nodejs-docs-12.22.5-1.el7.noarch.rpm SHA-256: 755641e6d5721722811811edf1548eda0fc992e45858ee38a4f90670b8fb63da
rh-nodejs12-nodejs-nodemon-2.0.3-5.el7.noarch.rpm SHA-256: 5ebcac6d3d10442cdca8b1ada8925e31793a38b70bcb2c0bcdb8b60f43fbc11f
rh-nodejs12-npm-6.14.14-12.22.5.1.el7.ppc64le.rpm SHA-256: c65506c3a5aed6d4f2c44848242d1dc674a77ec55ee2e34482597f9305c0c6e1

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7

SRPM
rh-nodejs12-nodejs-12.22.5-1.el7.src.rpm SHA-256: 886c451fac0ecdf1b6ce12c9dd0132e1a3abff37ec010ad5f013186d22cffa7a
rh-nodejs12-nodejs-nodemon-2.0.3-5.el7.src.rpm SHA-256: b43c071a20e8a5bb682fb21118394af7255247fb2501b4b8c366a4d997d05de2
x86_64
rh-nodejs12-nodejs-12.22.5-1.el7.x86_64.rpm SHA-256: 26d91e52e7da387f105401847af4213701efd108ca73deeb1a96da0bc1ce3258
rh-nodejs12-nodejs-debuginfo-12.22.5-1.el7.x86_64.rpm SHA-256: 3f60be0f892f1a4d50d1f11a53a0a6ecd3ba4bb26a13152af5261fd9733fbe16
rh-nodejs12-nodejs-devel-12.22.5-1.el7.x86_64.rpm SHA-256: 408d03ce8eca8fd581cfb32f97889e205b12f7352cf60157af4b29b423a408c2
rh-nodejs12-nodejs-docs-12.22.5-1.el7.noarch.rpm SHA-256: 755641e6d5721722811811edf1548eda0fc992e45858ee38a4f90670b8fb63da
rh-nodejs12-nodejs-nodemon-2.0.3-5.el7.noarch.rpm SHA-256: 5ebcac6d3d10442cdca8b1ada8925e31793a38b70bcb2c0bcdb8b60f43fbc11f
rh-nodejs12-npm-6.14.14-12.22.5.1.el7.x86_64.rpm SHA-256: f118827f592f1e7f82703595585eb3def7323c62b087fcd6bfdaebbebc0c0aca

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.