- Issued:
- 2024-04-08
- Updated:
- 2024-04-08
RHSA-2024:1687 - Security Advisory
Synopsis
Important: nodejs:20 security update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update for the nodejs:20 module is now available for Red Hat Enterprise Linux
8.
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
Description
Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.
Security Fix(es):
- nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin) (CVE-2023-46809)
- nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (CVE-2024-22019)
- nodejs: code injection and privilege escalation through Linux capabilities (CVE-2024-21892)
- nodejs: path traversal by monkey-patching buffer internals (CVE-2024-21896)
- nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization (CVE-2024-21891)
- nodejs: improper handling of wildcards in --allow-fs-read and --allow-fs-write (CVE-2024-21890)
- nodejs: setuid() does not drop all privileges due to io_uring (CVE-2024-22017)
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for ARM 64 8 aarch64
Fixes
- BZ - 2264569 - CVE-2023-46809 nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin)
- BZ - 2264574 - CVE-2024-22019 nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
- BZ - 2264582 - CVE-2024-21892 nodejs: code injection and privilege escalation through Linux capabilities
- BZ - 2265717 - CVE-2024-21896 nodejs: path traversal by monkey-patching buffer internals
- BZ - 2265720 - CVE-2024-21891 nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization
- BZ - 2265722 - CVE-2024-21890 nodejs: improper handling of wildcards in --allow-fs-read and --allow-fs-write
- BZ - 2265727 - CVE-2024-22017 nodejs: setuid() does not drop all privileges due to io_uring
CVEs
Red Hat Enterprise Linux for x86_64 8
SRPM | |
---|---|
nodejs-20.11.1-1.module+el8.9.0+21380+12032667.src.rpm | SHA-256: 0ae93b86dd578f454ecc4965d6c5afeb0735575bbfd36a56ee6052413a37b4d6 |
nodejs-nodemon-3.0.1-1.module+el8.9.0+20473+c4e3d824.src.rpm | SHA-256: 889a030834eca2139002087753843c52252e5b2dc40b5d0ad8d87af10af3af3e |
nodejs-packaging-2021.06-4.module+el8.9.0+19519+e25b965a.src.rpm | SHA-256: a7fd1b3ac37949c6ce7591cd26c2b1c0a16fc981466e4ef9ba1d0fb2d54d3049 |
x86_64 | |
nodejs-docs-20.11.1-1.module+el8.9.0+21380+12032667.noarch.rpm | SHA-256: 5779d47f3d5d9d10d0261e2865ee0edea100bb1c9cc218ded2017dbf028e1534 |
nodejs-nodemon-3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch.rpm | SHA-256: fee4b73944dd7d48743f7cb6f570393b91390ffd93f6eccb1c17b308d44e9142 |
nodejs-packaging-2021.06-4.module+el8.9.0+19519+e25b965a.noarch.rpm | SHA-256: 66d731b4208710620bdc2be1cc05d9506201e45fce762122fd8840b7c4dca17e |
nodejs-packaging-bundler-2021.06-4.module+el8.9.0+19519+e25b965a.noarch.rpm | SHA-256: b7339583f645c7d80e49aadb33eb288479e3cddb1bc375fd9324c499503ca55b |
nodejs-20.11.1-1.module+el8.9.0+21380+12032667.x86_64.rpm | SHA-256: 5ddb4e1d9926e1ebb9954c6e89d3323893aae7e5328b9f9be201bfc20f329f8a |
nodejs-debuginfo-20.11.1-1.module+el8.9.0+21380+12032667.x86_64.rpm | SHA-256: 7718f9d8ed89f6b57455cbc161fa036a902a82e2f78b9604eaf49f66bdfccf73 |
nodejs-debugsource-20.11.1-1.module+el8.9.0+21380+12032667.x86_64.rpm | SHA-256: d1bbab07db3afacc39e1a0d2ccf30314648285094595bd6eb2b77b9a51ef25d1 |
nodejs-devel-20.11.1-1.module+el8.9.0+21380+12032667.x86_64.rpm | SHA-256: b7b6cb7a178978867210f22e0bd4cb6a356c89774ffa446c9df300e0d396241a |
nodejs-full-i18n-20.11.1-1.module+el8.9.0+21380+12032667.x86_64.rpm | SHA-256: ec11305634fc3a5197d1f8302de6236b7fcb71050bf9b702c11e6d13601b2939 |
npm-10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.x86_64.rpm | SHA-256: efba06d8f5f64d932706d581d7da4b44b3b20f120a8d4fecb81482ad37ec5bbb |
Red Hat Enterprise Linux for IBM z Systems 8
SRPM | |
---|---|
nodejs-20.11.1-1.module+el8.9.0+21380+12032667.src.rpm | SHA-256: 0ae93b86dd578f454ecc4965d6c5afeb0735575bbfd36a56ee6052413a37b4d6 |
nodejs-nodemon-3.0.1-1.module+el8.9.0+20473+c4e3d824.src.rpm | SHA-256: 889a030834eca2139002087753843c52252e5b2dc40b5d0ad8d87af10af3af3e |
nodejs-packaging-2021.06-4.module+el8.9.0+19519+e25b965a.src.rpm | SHA-256: a7fd1b3ac37949c6ce7591cd26c2b1c0a16fc981466e4ef9ba1d0fb2d54d3049 |
s390x | |
nodejs-docs-20.11.1-1.module+el8.9.0+21380+12032667.noarch.rpm | SHA-256: 5779d47f3d5d9d10d0261e2865ee0edea100bb1c9cc218ded2017dbf028e1534 |
nodejs-nodemon-3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch.rpm | SHA-256: fee4b73944dd7d48743f7cb6f570393b91390ffd93f6eccb1c17b308d44e9142 |
nodejs-packaging-2021.06-4.module+el8.9.0+19519+e25b965a.noarch.rpm | SHA-256: 66d731b4208710620bdc2be1cc05d9506201e45fce762122fd8840b7c4dca17e |
nodejs-packaging-bundler-2021.06-4.module+el8.9.0+19519+e25b965a.noarch.rpm | SHA-256: b7339583f645c7d80e49aadb33eb288479e3cddb1bc375fd9324c499503ca55b |
nodejs-20.11.1-1.module+el8.9.0+21380+12032667.s390x.rpm | SHA-256: 644613db62a809e2012ca5920ff3a4f50826d7a462ae98ec83956ffd60461a1a |
nodejs-debuginfo-20.11.1-1.module+el8.9.0+21380+12032667.s390x.rpm | SHA-256: 866c87be4769aaf8ab1e52ceadd06842d09fa775f5e886991a0cca9e625a131b |
nodejs-debugsource-20.11.1-1.module+el8.9.0+21380+12032667.s390x.rpm | SHA-256: 656164b616cc675ba175bc2aa06c3a9dc1072589ad8a3ed60eb4e507372a9fc4 |
nodejs-devel-20.11.1-1.module+el8.9.0+21380+12032667.s390x.rpm | SHA-256: 600b8985b562275071e2215b51273243eff965498572be660d029368b972d953 |
nodejs-full-i18n-20.11.1-1.module+el8.9.0+21380+12032667.s390x.rpm | SHA-256: ac2cfec904e95283a4937ba2e48be3fc7130af426eeb3e9e28773ab71c2be3e4 |
npm-10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.s390x.rpm | SHA-256: ce279db7f92a6b47f9ede109b5e0a82866252f869e0f60a0d70ba1aafb9becb6 |
Red Hat Enterprise Linux for Power, little endian 8
SRPM | |
---|---|
nodejs-20.11.1-1.module+el8.9.0+21380+12032667.src.rpm | SHA-256: 0ae93b86dd578f454ecc4965d6c5afeb0735575bbfd36a56ee6052413a37b4d6 |
nodejs-nodemon-3.0.1-1.module+el8.9.0+20473+c4e3d824.src.rpm | SHA-256: 889a030834eca2139002087753843c52252e5b2dc40b5d0ad8d87af10af3af3e |
nodejs-packaging-2021.06-4.module+el8.9.0+19519+e25b965a.src.rpm | SHA-256: a7fd1b3ac37949c6ce7591cd26c2b1c0a16fc981466e4ef9ba1d0fb2d54d3049 |
ppc64le | |
nodejs-20.11.1-1.module+el8.9.0+21380+12032667.ppc64le.rpm | SHA-256: 34fc494df29a42872b7e58640ed01680902fd9c8e03e0bda5de607f0442d4e7e |
nodejs-debuginfo-20.11.1-1.module+el8.9.0+21380+12032667.ppc64le.rpm | SHA-256: b6498285b1d066051830a0c1c5885fb22c71eb2aa61ef00a96d5e08d77c7b674 |
nodejs-debugsource-20.11.1-1.module+el8.9.0+21380+12032667.ppc64le.rpm | SHA-256: 5df1294d86247a67ce5a994ab47731fb5309ffd7cac383724fa00e5bb9b35cae |
nodejs-devel-20.11.1-1.module+el8.9.0+21380+12032667.ppc64le.rpm | SHA-256: a86c0ec2d0337f7463956fdf376e887fe871fb2fb7ba659916868b0fd883647f |
nodejs-docs-20.11.1-1.module+el8.9.0+21380+12032667.noarch.rpm | SHA-256: 5779d47f3d5d9d10d0261e2865ee0edea100bb1c9cc218ded2017dbf028e1534 |
nodejs-full-i18n-20.11.1-1.module+el8.9.0+21380+12032667.ppc64le.rpm | SHA-256: 40618337e4ab4a0919f206381f6765bb36efdeec99044ba05783a7f741d07785 |
nodejs-nodemon-3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch.rpm | SHA-256: fee4b73944dd7d48743f7cb6f570393b91390ffd93f6eccb1c17b308d44e9142 |
nodejs-packaging-2021.06-4.module+el8.9.0+19519+e25b965a.noarch.rpm | SHA-256: 66d731b4208710620bdc2be1cc05d9506201e45fce762122fd8840b7c4dca17e |
nodejs-packaging-bundler-2021.06-4.module+el8.9.0+19519+e25b965a.noarch.rpm | SHA-256: b7339583f645c7d80e49aadb33eb288479e3cddb1bc375fd9324c499503ca55b |
npm-10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.ppc64le.rpm | SHA-256: 99b10994e396ea07d1285f27a00d885677c493a0ce3f387de464b2f8a557ac38 |
Red Hat Enterprise Linux for ARM 64 8
SRPM | |
---|---|
nodejs-20.11.1-1.module+el8.9.0+21380+12032667.src.rpm | SHA-256: 0ae93b86dd578f454ecc4965d6c5afeb0735575bbfd36a56ee6052413a37b4d6 |
nodejs-nodemon-3.0.1-1.module+el8.9.0+20473+c4e3d824.src.rpm | SHA-256: 889a030834eca2139002087753843c52252e5b2dc40b5d0ad8d87af10af3af3e |
nodejs-packaging-2021.06-4.module+el8.9.0+19519+e25b965a.src.rpm | SHA-256: a7fd1b3ac37949c6ce7591cd26c2b1c0a16fc981466e4ef9ba1d0fb2d54d3049 |
aarch64 | |
nodejs-docs-20.11.1-1.module+el8.9.0+21380+12032667.noarch.rpm | SHA-256: 5779d47f3d5d9d10d0261e2865ee0edea100bb1c9cc218ded2017dbf028e1534 |
nodejs-nodemon-3.0.1-1.module+el8.9.0+20473+c4e3d824.noarch.rpm | SHA-256: fee4b73944dd7d48743f7cb6f570393b91390ffd93f6eccb1c17b308d44e9142 |
nodejs-packaging-2021.06-4.module+el8.9.0+19519+e25b965a.noarch.rpm | SHA-256: 66d731b4208710620bdc2be1cc05d9506201e45fce762122fd8840b7c4dca17e |
nodejs-packaging-bundler-2021.06-4.module+el8.9.0+19519+e25b965a.noarch.rpm | SHA-256: b7339583f645c7d80e49aadb33eb288479e3cddb1bc375fd9324c499503ca55b |
nodejs-20.11.1-1.module+el8.9.0+21380+12032667.aarch64.rpm | SHA-256: 7db5792c1b0413f028a3a65af7e711281b150cc91ca7326af49a6f7a714f3f4d |
nodejs-debuginfo-20.11.1-1.module+el8.9.0+21380+12032667.aarch64.rpm | SHA-256: 959b331dc6a0fc934abf406c6f066ab03791143ff89e9104aa2f46d4a125500c |
nodejs-debugsource-20.11.1-1.module+el8.9.0+21380+12032667.aarch64.rpm | SHA-256: a0db43ba08a5ea435a507dd57c583008b3e390e2105b9ef0e02d89607aebf760 |
nodejs-devel-20.11.1-1.module+el8.9.0+21380+12032667.aarch64.rpm | SHA-256: 6a72916972acd53d47ac5295e502087740f43cfb855f2c89ac9c599124c4dab6 |
nodejs-full-i18n-20.11.1-1.module+el8.9.0+21380+12032667.aarch64.rpm | SHA-256: 7a041e07957bd9830de27f88170936f20489a2bd12f08d25a9190c99dbeb76e8 |
npm-10.2.4-1.20.11.1.1.module+el8.9.0+21380+12032667.aarch64.rpm | SHA-256: 2a8296e32304b46872b92c2c9d74fb27d7e96406b63cfb7dc13832eee84edee1 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.