- Issued:
- 2023-02-06
- Updated:
- 2023-02-06
RHSA-2023:0612 - Security Advisory
Synopsis
Moderate: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version: rh-nodejs14-nodejs (14.21.1), rh-nodejs14-nodejs-nodemon (2.0.20). (BZ#2129806, BZ#2135519, BZ#2135520, BZ#2141022)
Security Fix(es):
- glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
- minimist: prototype pollution (CVE-2021-44906)
- node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)
- nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
- express: "qs" prototype poisoning causes the hang of the node process (CVE-2022-24999)
- nodejs: DNS rebinding in inspect via invalid octal IP address (CVE-2022-43548)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- rh-nodejs14-nodejs: Provide full-i18n subpackage (BZ#2009880)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
- Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
Fixes
- BZ - 2009880 - rh-nodejs14-nodejs: Provide full-i18n subpackage
- BZ - 2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
- BZ - 2066009 - CVE-2021-44906 minimist: prototype pollution
- BZ - 2129806 - rh-nodejs14-nodejs: Rebase to the latest Nodejs 14 release [rhscl-3]
- BZ - 2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
- BZ - 2140911 - CVE-2022-43548 nodejs: DNS rebinding in inspect via invalid octal IP address
- BZ - 2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process
- BZ - 2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7
| SRPM | |
|---|---|
| rh-nodejs14-nodejs-14.21.1-3.el7.src.rpm | SHA-256: 30c9668171443b577cf910f690050e27907d2d1e461237d639fc344135a2afed |
| rh-nodejs14-nodejs-nodemon-2.0.20-2.el7.src.rpm | SHA-256: 34c66bbf3c368514aea3d2d8946dd3db65a41e63e4b339091490865c8ecb6bbb |
| x86_64 | |
| rh-nodejs14-nodejs-14.21.1-3.el7.x86_64.rpm | SHA-256: 8b7c6511c50a018835d62dff5d97e576857d8f9958780d8cd87f2c09b655838d |
| rh-nodejs14-nodejs-debuginfo-14.21.1-3.el7.x86_64.rpm | SHA-256: 8927d5c6d5033ce4f8478590038a101fe311f3bf331a240ff38b13fb910cc8b7 |
| rh-nodejs14-nodejs-devel-14.21.1-3.el7.x86_64.rpm | SHA-256: 923f0b48a51cc4e56812b57ce36f8c0f855d51c6e82f8607c25e294c14c34561 |
| rh-nodejs14-nodejs-docs-14.21.1-3.el7.noarch.rpm | SHA-256: 0e4e74564525831b71749bf8c9df53e9cf32e1204e989a877484339069f90a57 |
| rh-nodejs14-nodejs-full-i18n-14.21.1-3.el7.x86_64.rpm | SHA-256: 315196dc1d9af8f974b85478e3f03748d56f682d26875acfcceae350224bd1ef |
| rh-nodejs14-nodejs-nodemon-2.0.20-2.el7.noarch.rpm | SHA-256: dfbeec04281e4675a162f0e7fe283b81752d967553048d4af8887b7f61d36c1a |
| rh-nodejs14-npm-6.14.17-14.21.1.3.el7.x86_64.rpm | SHA-256: b8ab70d59ac4ecf8a58f7c884cf434f907455411fcab1b5740c738082a61e602 |
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7
| SRPM | |
|---|---|
| rh-nodejs14-nodejs-14.21.1-3.el7.src.rpm | SHA-256: 30c9668171443b577cf910f690050e27907d2d1e461237d639fc344135a2afed |
| rh-nodejs14-nodejs-nodemon-2.0.20-2.el7.src.rpm | SHA-256: 34c66bbf3c368514aea3d2d8946dd3db65a41e63e4b339091490865c8ecb6bbb |
| s390x | |
| rh-nodejs14-nodejs-14.21.1-3.el7.s390x.rpm | SHA-256: deb63e093f7e2ffa1ad2c5ef75efe414cb0eb5cce93a9c3027febd3d01908b63 |
| rh-nodejs14-nodejs-debuginfo-14.21.1-3.el7.s390x.rpm | SHA-256: 4dd5e85a3f15c9f8aeacd5894ecf9d1af4b64e435f2900c23974f2cd0dda1eb7 |
| rh-nodejs14-nodejs-devel-14.21.1-3.el7.s390x.rpm | SHA-256: 17bb3e0a57806f777166c3ec46ecb00ef911c8819863f1c9a9f8b140415df37d |
| rh-nodejs14-nodejs-docs-14.21.1-3.el7.noarch.rpm | SHA-256: 0e4e74564525831b71749bf8c9df53e9cf32e1204e989a877484339069f90a57 |
| rh-nodejs14-nodejs-full-i18n-14.21.1-3.el7.s390x.rpm | SHA-256: 22efa7f8653cd035f2f98cadb7e134cc5d6d6f4386eeb8549412de3d39f4df58 |
| rh-nodejs14-nodejs-nodemon-2.0.20-2.el7.noarch.rpm | SHA-256: dfbeec04281e4675a162f0e7fe283b81752d967553048d4af8887b7f61d36c1a |
| rh-nodejs14-npm-6.14.17-14.21.1.3.el7.s390x.rpm | SHA-256: a0dcc4e1b3925aa251ea11dca3899e39a99f197d7af83663aa6cbc4f771110bd |
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7
| SRPM | |
|---|---|
| rh-nodejs14-nodejs-14.21.1-3.el7.src.rpm | SHA-256: 30c9668171443b577cf910f690050e27907d2d1e461237d639fc344135a2afed |
| rh-nodejs14-nodejs-nodemon-2.0.20-2.el7.src.rpm | SHA-256: 34c66bbf3c368514aea3d2d8946dd3db65a41e63e4b339091490865c8ecb6bbb |
| ppc64le | |
| rh-nodejs14-nodejs-14.21.1-3.el7.ppc64le.rpm | SHA-256: 7a842e65d8b05d9862f063cd3ee80256f8faa138d45806005e39b7390421d89c |
| rh-nodejs14-nodejs-debuginfo-14.21.1-3.el7.ppc64le.rpm | SHA-256: 35f52931f2b7c5509d835509d30b88923a27930f40620fccfcaec74597ca79a8 |
| rh-nodejs14-nodejs-devel-14.21.1-3.el7.ppc64le.rpm | SHA-256: 4f9534478273c85d47b57c7e4471b8794e26f3a6e693c381456edabf2560e0a6 |
| rh-nodejs14-nodejs-docs-14.21.1-3.el7.noarch.rpm | SHA-256: 0e4e74564525831b71749bf8c9df53e9cf32e1204e989a877484339069f90a57 |
| rh-nodejs14-nodejs-full-i18n-14.21.1-3.el7.ppc64le.rpm | SHA-256: 80a7f3cfe94e79b5402b9048597bcf0ab410859029cb0f76af3700b029e3c0b9 |
| rh-nodejs14-nodejs-nodemon-2.0.20-2.el7.noarch.rpm | SHA-256: dfbeec04281e4675a162f0e7fe283b81752d967553048d4af8887b7f61d36c1a |
| rh-nodejs14-npm-6.14.17-14.21.1.3.el7.ppc64le.rpm | SHA-256: 7093b5918d6808776c27fdd6876aa13538d67a13c2999ce900cfe2a73c11722e |
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7
| SRPM | |
|---|---|
| rh-nodejs14-nodejs-14.21.1-3.el7.src.rpm | SHA-256: 30c9668171443b577cf910f690050e27907d2d1e461237d639fc344135a2afed |
| rh-nodejs14-nodejs-nodemon-2.0.20-2.el7.src.rpm | SHA-256: 34c66bbf3c368514aea3d2d8946dd3db65a41e63e4b339091490865c8ecb6bbb |
| x86_64 | |
| rh-nodejs14-nodejs-14.21.1-3.el7.x86_64.rpm | SHA-256: 8b7c6511c50a018835d62dff5d97e576857d8f9958780d8cd87f2c09b655838d |
| rh-nodejs14-nodejs-debuginfo-14.21.1-3.el7.x86_64.rpm | SHA-256: 8927d5c6d5033ce4f8478590038a101fe311f3bf331a240ff38b13fb910cc8b7 |
| rh-nodejs14-nodejs-devel-14.21.1-3.el7.x86_64.rpm | SHA-256: 923f0b48a51cc4e56812b57ce36f8c0f855d51c6e82f8607c25e294c14c34561 |
| rh-nodejs14-nodejs-docs-14.21.1-3.el7.noarch.rpm | SHA-256: 0e4e74564525831b71749bf8c9df53e9cf32e1204e989a877484339069f90a57 |
| rh-nodejs14-nodejs-full-i18n-14.21.1-3.el7.x86_64.rpm | SHA-256: 315196dc1d9af8f974b85478e3f03748d56f682d26875acfcceae350224bd1ef |
| rh-nodejs14-nodejs-nodemon-2.0.20-2.el7.noarch.rpm | SHA-256: dfbeec04281e4675a162f0e7fe283b81752d967553048d4af8887b7f61d36c1a |
| rh-nodejs14-npm-6.14.17-14.21.1.3.el7.x86_64.rpm | SHA-256: b8ab70d59ac4ecf8a58f7c884cf434f907455411fcab1b5740c738082a61e602 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
