- Issued:
- 2022-09-08
- Updated:
- 2022-09-08
RHSA-2022:6389 - Security Advisory
Synopsis
Moderate: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security and bug fix update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: rh-nodejs14-nodejs (14.20.0).
Security Fix(es):
- nodejs: DNS rebinding in --inspect via invalid IP addresses (CVE-2022-32212)
- nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding (CVE-2022-32213)
- nodejs: HTTP request smuggling due to improper delimiting of header fields (CVE-2022-32214)
- nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding (CVE-2022-32215)
- got: missing verification of requested URLs allows redirects to UNIX sockets (CVE-2022-33987)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- rh-nodejs14-nodejs: rebase to latest upstream release (BZ#2106673)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
- Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
Fixes
- BZ - 2102001 - CVE-2022-33987 got: missing verification of requested URLs allows redirects to UNIX sockets
- BZ - 2105422 - CVE-2022-32212 nodejs: DNS rebinding in --inspect via invalid IP addresses
- BZ - 2105426 - CVE-2022-32215 nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding
- BZ - 2105428 - CVE-2022-32214 nodejs: HTTP request smuggling due to improper delimiting of header fields
- BZ - 2105430 - CVE-2022-32213 nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding
- BZ - 2106673 - rh-nodejs14-nodejs: rebase to latest upstream release [rhscl-3.8.z]
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7
| SRPM | |
|---|---|
| rh-nodejs14-nodejs-14.20.0-2.el7.src.rpm | SHA-256: 35f6715bdb3d8485918c51eee76f4d1e43d22cbbbc521240996d9ac06ac5397d |
| rh-nodejs14-nodejs-nodemon-2.0.19-1.el7.src.rpm | SHA-256: 2fe527f218a0db606bb47ecf1488e93a466c809cae20e640dfa6bd30e0f261a1 |
| x86_64 | |
| rh-nodejs14-nodejs-14.20.0-2.el7.x86_64.rpm | SHA-256: 183bf341228b25d5b820a7af729af7413ec0fe6f4b8a6d6f6541e86b21681777 |
| rh-nodejs14-nodejs-debuginfo-14.20.0-2.el7.x86_64.rpm | SHA-256: 560fa9ae7417010406efb1a38bcac3f3467a9f0ee3a33170bd51dd81158dcbb8 |
| rh-nodejs14-nodejs-devel-14.20.0-2.el7.x86_64.rpm | SHA-256: 81b93e85e91d5b85b4cdbaf590623c6be78dc87f8c51406777ef95c2a64386ce |
| rh-nodejs14-nodejs-docs-14.20.0-2.el7.noarch.rpm | SHA-256: 2b14e62e080b9744a3c952ce867b1354a68e728c5646c2716ddbec13b024d58f |
| rh-nodejs14-nodejs-nodemon-2.0.19-1.el7.noarch.rpm | SHA-256: 99f90e853016083b964fb782368fdf4049f86b705032e9f9d6d1e37cbb2a507e |
| rh-nodejs14-npm-6.14.17-14.20.0.2.el7.x86_64.rpm | SHA-256: efdb5443bc856adebd7c62b3caabd28dfdeb4c78dd43e04dad69e1bf49226412 |
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7
| SRPM | |
|---|---|
| rh-nodejs14-nodejs-14.20.0-2.el7.src.rpm | SHA-256: 35f6715bdb3d8485918c51eee76f4d1e43d22cbbbc521240996d9ac06ac5397d |
| rh-nodejs14-nodejs-nodemon-2.0.19-1.el7.src.rpm | SHA-256: 2fe527f218a0db606bb47ecf1488e93a466c809cae20e640dfa6bd30e0f261a1 |
| s390x | |
| rh-nodejs14-nodejs-14.20.0-2.el7.s390x.rpm | SHA-256: 490569d79beecab5d01c60fe7e082fe5e816757540c827c15ea46a69eafc701d |
| rh-nodejs14-nodejs-debuginfo-14.20.0-2.el7.s390x.rpm | SHA-256: 8d7b55f6c4c2aa31f1e818f3113e0e7e5712086741215eed909aede9df4a9454 |
| rh-nodejs14-nodejs-devel-14.20.0-2.el7.s390x.rpm | SHA-256: 0de6792f70ae0ce0fcd61b1f8380810c059c592e504d6d8eec48f7c417571da7 |
| rh-nodejs14-nodejs-docs-14.20.0-2.el7.noarch.rpm | SHA-256: 2b14e62e080b9744a3c952ce867b1354a68e728c5646c2716ddbec13b024d58f |
| rh-nodejs14-nodejs-nodemon-2.0.19-1.el7.noarch.rpm | SHA-256: 99f90e853016083b964fb782368fdf4049f86b705032e9f9d6d1e37cbb2a507e |
| rh-nodejs14-npm-6.14.17-14.20.0.2.el7.s390x.rpm | SHA-256: 6860b4f35b8afacf235ca762f8437278602e0ccb28e942e78858d970a7155c4f |
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7
| SRPM | |
|---|---|
| rh-nodejs14-nodejs-14.20.0-2.el7.src.rpm | SHA-256: 35f6715bdb3d8485918c51eee76f4d1e43d22cbbbc521240996d9ac06ac5397d |
| rh-nodejs14-nodejs-nodemon-2.0.19-1.el7.src.rpm | SHA-256: 2fe527f218a0db606bb47ecf1488e93a466c809cae20e640dfa6bd30e0f261a1 |
| ppc64le | |
| rh-nodejs14-nodejs-14.20.0-2.el7.ppc64le.rpm | SHA-256: 2d331b1fb28ec65de64ed27710ab69525a4e21ecf92b4935d108b528d4ffd18a |
| rh-nodejs14-nodejs-debuginfo-14.20.0-2.el7.ppc64le.rpm | SHA-256: 8742e8ec559b375f7240678af1451c9434e8da70aff6cec6aad3b9306c5b72ba |
| rh-nodejs14-nodejs-devel-14.20.0-2.el7.ppc64le.rpm | SHA-256: 7fcf3b72b215af3a142cb18645562d3923753e7457e8ff772fdd82486ddbef2a |
| rh-nodejs14-nodejs-docs-14.20.0-2.el7.noarch.rpm | SHA-256: 2b14e62e080b9744a3c952ce867b1354a68e728c5646c2716ddbec13b024d58f |
| rh-nodejs14-nodejs-nodemon-2.0.19-1.el7.noarch.rpm | SHA-256: 99f90e853016083b964fb782368fdf4049f86b705032e9f9d6d1e37cbb2a507e |
| rh-nodejs14-npm-6.14.17-14.20.0.2.el7.ppc64le.rpm | SHA-256: b3afa76896fa5229f17da0ce4f651764ebe89c7afca26d93c5148158150d5a80 |
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7
| SRPM | |
|---|---|
| rh-nodejs14-nodejs-14.20.0-2.el7.src.rpm | SHA-256: 35f6715bdb3d8485918c51eee76f4d1e43d22cbbbc521240996d9ac06ac5397d |
| rh-nodejs14-nodejs-nodemon-2.0.19-1.el7.src.rpm | SHA-256: 2fe527f218a0db606bb47ecf1488e93a466c809cae20e640dfa6bd30e0f261a1 |
| x86_64 | |
| rh-nodejs14-nodejs-14.20.0-2.el7.x86_64.rpm | SHA-256: 183bf341228b25d5b820a7af729af7413ec0fe6f4b8a6d6f6541e86b21681777 |
| rh-nodejs14-nodejs-debuginfo-14.20.0-2.el7.x86_64.rpm | SHA-256: 560fa9ae7417010406efb1a38bcac3f3467a9f0ee3a33170bd51dd81158dcbb8 |
| rh-nodejs14-nodejs-devel-14.20.0-2.el7.x86_64.rpm | SHA-256: 81b93e85e91d5b85b4cdbaf590623c6be78dc87f8c51406777ef95c2a64386ce |
| rh-nodejs14-nodejs-docs-14.20.0-2.el7.noarch.rpm | SHA-256: 2b14e62e080b9744a3c952ce867b1354a68e728c5646c2716ddbec13b024d58f |
| rh-nodejs14-nodejs-nodemon-2.0.19-1.el7.noarch.rpm | SHA-256: 99f90e853016083b964fb782368fdf4049f86b705032e9f9d6d1e37cbb2a507e |
| rh-nodejs14-npm-6.14.17-14.20.0.2.el7.x86_64.rpm | SHA-256: efdb5443bc856adebd7c62b3caabd28dfdeb4c78dd43e04dad69e1bf49226412 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.