Red Hat 製品エラータ RHSA-2023:1744 - Security Advisory
発行日:
2023-04-12
更新日:
2023-04-12

RHSA-2023:1744 - Security Advisory

概要

Important: rh-nodejs14-nodejs security, bug fix, and enhancement update

タイプ/重大度

Security Advisory: Important

Red Hat Lightspeed patch analysis

このアドバイザリーの影響を受けるシステムを特定し、修正します。

影響を受けるシステムの表示

トピック

An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

説明

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: rh-nodejs14-nodejs (14.21.3).

Security Fix(es):

  • decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)
  • c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)
  • http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)
  • Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)
  • Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

解決策

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

影響を受ける製品

  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
  • Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64

修正

  • BZ - 2153715 - rh-nodejs14-nodejs: Rebase to the latest Nodejs 14 release [rhscl-3]
  • BZ - 2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability
  • BZ - 2168631 - CVE-2022-4904 c-ares: buffer overflow in config_sortlist() due to missing string length check
  • BZ - 2170644 - CVE-2022-38900 decode-uri-component: improper input validation resulting in DoS
  • BZ - 2171935 - CVE-2023-23918 Node.js: Permissions policies can be bypassed via process.mainModule
  • BZ - 2172217 - CVE-2023-23920 Node.js: insecure loading of ICU data through ICU_DATA environment variable

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7

SRPM
rh-nodejs14-3.6-2.el7.src.rpm SHA-256: 840578cdc1b7f8c5a070ea19febc51be0c2e4e1694e9ab9c93bf608ecee1e459
rh-nodejs14-nodejs-14.21.3-2.el7.src.rpm SHA-256: 257e7822768c6f9776128035b0bb26803d2a73bacda1b844d5263fe957e089fd
x86_64
rh-nodejs14-3.6-2.el7.x86_64.rpm SHA-256: 8bb98cdd6c454e4a4e627d859417bf19cc077f1b48a175fd219448abdc0f8d82
rh-nodejs14-nodejs-14.21.3-2.el7.x86_64.rpm SHA-256: d9618d0adecb42ae6023d834c03992b5786832c14724fe4a771a4df9bef084f2
rh-nodejs14-nodejs-debuginfo-14.21.3-2.el7.x86_64.rpm SHA-256: 56c008a76ccf27bacfcff5a1a132b07f6838521dba1e35273b566248917082a8
rh-nodejs14-nodejs-devel-14.21.3-2.el7.x86_64.rpm SHA-256: 9b98c5504b2feee6febe8d3ba90119b4607cbab181ddf3efbe8cc81588d73a2d
rh-nodejs14-nodejs-docs-14.21.3-2.el7.noarch.rpm SHA-256: 48eee4a5d6fe498c3d00a945d83087bbebad6b07c1466c44afdae0f4a2db34f4
rh-nodejs14-nodejs-full-i18n-14.21.3-2.el7.x86_64.rpm SHA-256: 4c4c92e4827abc150b0414e53c00635d2cbab223d448f2482a511bd512ccd4b0
rh-nodejs14-npm-6.14.18-14.21.3.2.el7.x86_64.rpm SHA-256: a07afaa1914121a720cff0c2d3cdcec166c0f86558a32157ae45f01e2e4e0f76
rh-nodejs14-runtime-3.6-2.el7.x86_64.rpm SHA-256: e45a2cd0ad3dd04620ee8ff9a87b1333a3b7c0feef72759849669879b7e6fee1
rh-nodejs14-scldevel-3.6-2.el7.x86_64.rpm SHA-256: c6043a28a15c12f411aee83fe1f26d9bded874a72e3d98b4e9eef0d22f7fe042

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7

SRPM
rh-nodejs14-3.6-2.el7.src.rpm SHA-256: 840578cdc1b7f8c5a070ea19febc51be0c2e4e1694e9ab9c93bf608ecee1e459
rh-nodejs14-nodejs-14.21.3-2.el7.src.rpm SHA-256: 257e7822768c6f9776128035b0bb26803d2a73bacda1b844d5263fe957e089fd
s390x
rh-nodejs14-3.6-2.el7.s390x.rpm SHA-256: 6e2105a81222064082fa2802965e0dc00211026fb869fcf1ec27688514cb52a1
rh-nodejs14-nodejs-14.21.3-2.el7.s390x.rpm SHA-256: 59062d965c8cc79563f8505378018f69d624fe6fa80d8d36102b1ee8a1121c16
rh-nodejs14-nodejs-debuginfo-14.21.3-2.el7.s390x.rpm SHA-256: 7f8cae9c0fff1aac08aba259bb58d8c20d1bbe4026661144c386681fe53ff6c1
rh-nodejs14-nodejs-devel-14.21.3-2.el7.s390x.rpm SHA-256: 37006bf21192e87dbc9ce4907f3acd7437e636f015bf9966e2915cd0aae4d197
rh-nodejs14-nodejs-docs-14.21.3-2.el7.noarch.rpm SHA-256: 48eee4a5d6fe498c3d00a945d83087bbebad6b07c1466c44afdae0f4a2db34f4
rh-nodejs14-nodejs-full-i18n-14.21.3-2.el7.s390x.rpm SHA-256: 1ff2f31dc73ab4fa8226cc88820c36bafe800b875d721977ebc7ae441d79b295
rh-nodejs14-npm-6.14.18-14.21.3.2.el7.s390x.rpm SHA-256: 8e82f3f56700e01dab7bf17315fd75547f5d5285ed85806e50db127a54f58498
rh-nodejs14-runtime-3.6-2.el7.s390x.rpm SHA-256: 2bd0ee21ff27cc1d61da1dba77cbb473233b1b2bfa32db0bcb840a387f7ad511
rh-nodejs14-scldevel-3.6-2.el7.s390x.rpm SHA-256: 64be58e44bf9c76460ae0fb3a2cbfff321fc759a1138d8fb9dc812c7f6f7a2ac

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7

SRPM
rh-nodejs14-3.6-2.el7.src.rpm SHA-256: 840578cdc1b7f8c5a070ea19febc51be0c2e4e1694e9ab9c93bf608ecee1e459
rh-nodejs14-nodejs-14.21.3-2.el7.src.rpm SHA-256: 257e7822768c6f9776128035b0bb26803d2a73bacda1b844d5263fe957e089fd
ppc64le
rh-nodejs14-3.6-2.el7.ppc64le.rpm SHA-256: ece903f9bb173fb470a203d2ce0dd7bbcdec015bef6877f14d779e0678a71ffe
rh-nodejs14-nodejs-14.21.3-2.el7.ppc64le.rpm SHA-256: 69a1b315413e9c7cde25a2dc3c7ffb09c85f5a74a1cb9da1cc877ed9e4779a77
rh-nodejs14-nodejs-debuginfo-14.21.3-2.el7.ppc64le.rpm SHA-256: 94c16da4f6f7500aad099aee7b3dc456b78eba379f2e7064044d3d47bc5414c3
rh-nodejs14-nodejs-devel-14.21.3-2.el7.ppc64le.rpm SHA-256: 1181b9c3d77bbf03ace518ecb29e47b8278d2e75eda2afa6621fb50f2780e457
rh-nodejs14-nodejs-docs-14.21.3-2.el7.noarch.rpm SHA-256: 48eee4a5d6fe498c3d00a945d83087bbebad6b07c1466c44afdae0f4a2db34f4
rh-nodejs14-nodejs-full-i18n-14.21.3-2.el7.ppc64le.rpm SHA-256: 1edf86312eecf4ebcf9f744b5823ce60c1cb1968b549dd12629597016fdc7363
rh-nodejs14-npm-6.14.18-14.21.3.2.el7.ppc64le.rpm SHA-256: 453a43f5f95c058a4579c6e18cc44a79ccfa65878756a0c0a73bb6affac35c33
rh-nodejs14-runtime-3.6-2.el7.ppc64le.rpm SHA-256: ec986c71fba1013e6525603c1dc3344dc4075eb42bc815e353d683c4da90bb63
rh-nodejs14-scldevel-3.6-2.el7.ppc64le.rpm SHA-256: 59edd664e1bcdb5190138b5ff5cd99ef58b3bcde71e4958fe9328ee3b351ffed

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7

SRPM
rh-nodejs14-3.6-2.el7.src.rpm SHA-256: 840578cdc1b7f8c5a070ea19febc51be0c2e4e1694e9ab9c93bf608ecee1e459
rh-nodejs14-nodejs-14.21.3-2.el7.src.rpm SHA-256: 257e7822768c6f9776128035b0bb26803d2a73bacda1b844d5263fe957e089fd
x86_64
rh-nodejs14-3.6-2.el7.x86_64.rpm SHA-256: 8bb98cdd6c454e4a4e627d859417bf19cc077f1b48a175fd219448abdc0f8d82
rh-nodejs14-nodejs-14.21.3-2.el7.x86_64.rpm SHA-256: d9618d0adecb42ae6023d834c03992b5786832c14724fe4a771a4df9bef084f2
rh-nodejs14-nodejs-debuginfo-14.21.3-2.el7.x86_64.rpm SHA-256: 56c008a76ccf27bacfcff5a1a132b07f6838521dba1e35273b566248917082a8
rh-nodejs14-nodejs-devel-14.21.3-2.el7.x86_64.rpm SHA-256: 9b98c5504b2feee6febe8d3ba90119b4607cbab181ddf3efbe8cc81588d73a2d
rh-nodejs14-nodejs-docs-14.21.3-2.el7.noarch.rpm SHA-256: 48eee4a5d6fe498c3d00a945d83087bbebad6b07c1466c44afdae0f4a2db34f4
rh-nodejs14-nodejs-full-i18n-14.21.3-2.el7.x86_64.rpm SHA-256: 4c4c92e4827abc150b0414e53c00635d2cbab223d448f2482a511bd512ccd4b0
rh-nodejs14-npm-6.14.18-14.21.3.2.el7.x86_64.rpm SHA-256: a07afaa1914121a720cff0c2d3cdcec166c0f86558a32157ae45f01e2e4e0f76
rh-nodejs14-runtime-3.6-2.el7.x86_64.rpm SHA-256: e45a2cd0ad3dd04620ee8ff9a87b1333a3b7c0feef72759849669879b7e6fee1
rh-nodejs14-scldevel-3.6-2.el7.x86_64.rpm SHA-256: c6043a28a15c12f411aee83fe1f26d9bded874a72e3d98b4e9eef0d22f7fe042

Red Hat のセキュリティーに関する連絡先は secalert@redhat.com です。 連絡先の詳細は https://access.redhat.com/security/team/contact/ をご覧ください。