-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2156
                   rh-nodejs8-nodejs security update
                               22 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           rh-nodejs8-nodejs
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Privileged Data    -- Existing Account
                   Overwrite Arbitrary Files -- Existing Account
                   Create Arbitrary Files    -- Existing Account
                   Denial of Service         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-16777 CVE-2019-16776 CVE-2019-16775
                   CVE-2018-3750 CVE-2018-3737 CVE-2017-18869
                   CVE-2017-18077
Reference:         ESB-2020.1349
                   ESB-2020.0688
                   ESB-2020.0686
                   ESB-2020.0684

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:2625

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rh-nodejs8-nodejs security update
Advisory ID:       RHSA-2020:2625-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2625
Issue date:        2020-06-18
CVE Names:         CVE-2017-18077 CVE-2017-18869 CVE-2018-3737
                   CVE-2018-3750 CVE-2019-16775 CVE-2019-16776
                   CVE-2019-16777
=====================================================================

1. Summary:

An update for rh-nodejs8-nodejs is now available for Red Hat Software
Collections.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:
rh-nodejs8-nodejs (8.17.0). (BZ#1829414)

Security Fix(es):

* nodejs-brace-expansion: Regular expression denial of service
(CVE-2017-18077)

* nodejs-chownr: TOCTOU vulnerability in `chownr` function in chownr.js
(CVE-2017-18869)

* nodejs-sshpk: ReDoS when parsing crafted invalid public keys in
lib/formats/ssh.js (CVE-2018-3737)

* nodejs-deep-extend: Prototype pollution can allow attackers to modify
object properties (CVE-2018-3750)

* npm: Symlink reference outside of node_modules folder through the bin
field upon installation (CVE-2019-16775)

* npm: Arbitrary file write via constructed entry in the package.json bin
field (CVE-2019-16776)

* npm: Global node_modules Binary Overwrite (CVE-2019-16777)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5.
Bugs fixed (https://bugzilla.redhat.com/):

1448380 - CVE-2017-18077 nodejs-brace-expansion: Regular expression denial of service
1567228 - CVE-2018-3737 nodejs-sshpk: ReDoS when parsing crafted invalid public keys in lib/formats/ssh.js
1578246 - CVE-2018-3750 nodejs-deep-extend: Prototype pollution can allow attackers to modify object properties
1611613 - CVE-2017-18869 nodejs-chownr: TOCTOU vulnerability in `chownr` function in chownr.js
1788301 - CVE-2019-16777 npm: Global node_modules Binary Overwrite
1788305 - CVE-2019-16775 npm: Symlink reference outside of node_modules folder through the bin field upon installation
1788310 - CVE-2019-16776 npm: Arbitrary file write via constructed entry in the package.json bin field
1829414 - rh-nodejs8: One extra rebuild to deliver the last upstream version

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-nodejs8-nodejs-8.17.0-2.el7.src.rpm

aarch64:
rh-nodejs8-nodejs-8.17.0-2.el7.aarch64.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.aarch64.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.aarch64.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.aarch64.rpm

noarch:
rh-nodejs8-nodejs-docs-8.17.0-2.el7.noarch.rpm

ppc64le:
rh-nodejs8-nodejs-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.ppc64le.rpm

s390x:
rh-nodejs8-nodejs-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.s390x.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.s390x.rpm

x86_64:
rh-nodejs8-nodejs-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):

Source:
rh-nodejs8-nodejs-8.17.0-2.el7.src.rpm

noarch:
rh-nodejs8-nodejs-docs-8.17.0-2.el7.noarch.rpm

ppc64le:
rh-nodejs8-nodejs-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.ppc64le.rpm

s390x:
rh-nodejs8-nodejs-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.s390x.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.s390x.rpm

x86_64:
rh-nodejs8-nodejs-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7):

Source:
rh-nodejs8-nodejs-8.17.0-2.el7.src.rpm

noarch:
rh-nodejs8-nodejs-docs-8.17.0-2.el7.noarch.rpm

ppc64le:
rh-nodejs8-nodejs-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.ppc64le.rpm

s390x:
rh-nodejs8-nodejs-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.s390x.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.s390x.rpm

x86_64:
rh-nodejs8-nodejs-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-nodejs8-nodejs-8.17.0-2.el7.src.rpm

noarch:
rh-nodejs8-nodejs-docs-8.17.0-2.el7.noarch.rpm

x86_64:
rh-nodejs8-nodejs-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-18077
https://access.redhat.com/security/cve/CVE-2017-18869
https://access.redhat.com/security/cve/CVE-2018-3737
https://access.redhat.com/security/cve/CVE-2018-3750
https://access.redhat.com/security/cve/CVE-2019-16775
https://access.redhat.com/security/cve/CVE-2019-16776
https://access.redhat.com/security/cve/CVE-2019-16777
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
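Editor's added example, not part of the Red Hat advisory or the AusCERT bulletin: the Solution and Package List sections above tell an administrator which builds close these CVEs, and the practical follow-up is to check every host's installed versions against them. The script below does that for the five package names and the fixed version-release pairs listed in section 6. The rpmvercmp reimplementation is my own (digit, alphabetic and "~" segments; the "^" operator is not implemented, which is an assumption that none of these builds use it), epoch is ignored (assumption: the advisory's package filenames carry none), and SAMPLE_RPM_QA is constructed `rpm -qa` output with made-up installed versions so the script runs offline.

```python
"""Check installed RPM versions against the fixed builds listed in RHSA-2020:2625."""
import re
import sys
from itertools import zip_longest

# Fixed (version, release) per package, taken from the advisory's Package List.
FIXED = {
    "rh-nodejs8-nodejs":           ("8.17.0", "2.el7"),
    "rh-nodejs8-nodejs-debuginfo": ("8.17.0", "2.el7"),
    "rh-nodejs8-nodejs-devel":     ("8.17.0", "2.el7"),
    "rh-nodejs8-nodejs-docs":      ("8.17.0", "2.el7"),
    "rh-nodejs8-npm":              ("6.13.4", "8.17.0.2.el7"),
}

# A version string is compared as a sequence of these segments; separators
# such as '.' are dropped, as librpm does.
_SEGMENT = re.compile(r"~|[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings with librpm's rules:
    segments left to right, numeric segments compared as integers (leading
    zeros ignored), numeric outranks alphabetic, the string with segments
    left over wins a tie, and '~' sorts before anything (pre-release marker).
    The '^' operator is not implemented (assumption: unused in this advisory).
    Returns -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    for x, y in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        # Tilde: whichever side carries it is the lower version.
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit():
            return 1   # numeric segment outranks alphabetic
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    return 0


def parse_nvr(line: str):
    """Split 'name-version-release' from the right, since package names
    themselves contain '-'. Returns None for lines that do not fit."""
    parts = line.strip().rsplit("-", 2)
    if len(parts) != 3:
        return None
    return tuple(parts)


def find_unpatched(rpm_qa_output: str) -> list:
    """Return, in input order, the names of installed packages from FIXED whose
    (version, release) is older than the fixed build. Epoch is ignored
    (assumption: the advisory's filenames carry none)."""
    unpatched = []
    for line in rpm_qa_output.splitlines():
        nvr = parse_nvr(line)
        if nvr is None or nvr[0] not in FIXED:
            continue
        name, ver, rel = nvr
        fixed_ver, fixed_rel = FIXED[name]
        # Release is only consulted when the versions are equal.
        cmp = rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)
        if cmp < 0:
            unpatched.append(name)
    return unpatched


# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# output; the installed versions are made up for illustration.
SAMPLE_RPM_QA = """\
coreutils-8.22-24.el7
rh-nodejs8-nodejs-8.16.1-2.el7
rh-nodejs8-npm-6.4.1-8.16.1.2.el7
rh-nodejs8-nodejs-devel-8.17.0-2.el7
rh-nodejs8-nodejs-docs-8.17.0-1.el7
rh-nodejs8-nodejs-debuginfo-8.17.0-3.el7
"""

if __name__ == "__main__":
    # Pipe real `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output in,
    # or run with no input to check the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_QA
    for name in find_unpatched(data):
        print(f"UNPATCHED: {name} is below the build fixed in RHSA-2020:2625")
```

On the constructed sample this reports rh-nodejs8-nodejs, rh-nodejs8-npm and rh-nodejs8-nodejs-docs: the first two because their versions are older, the third because only its release (1.el7) trails the fixed 2.el7. Note that the npm release string (8.17.0.2.el7) embeds the nodejs build it was rebuilt against, which is why its release is compared segment by segment rather than as a plain number.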
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXuw0ztzjgjWX9erEAQiBVQ/+PxZZZMZk09FqSQNh/LOjAMPpXyomeMKQ
e4viEd1x0s8BoXtzeB5MZlkdQ4y2I1od+9mwPTIcnJfi37IjPq4HOtCf/IAhmYLG
XeCp6zGQ2pfe6cvEgRZC/1h650yQSBXdDvCZPpTix2r2HYYXbbf/XwNbGh5rX31b
pyqAGc9018B5YAaZ3wZagWBvEQHU+PSCS3wCirtQkhi+3GbYStUXd4LXsNKTeuA7
Q5qgCsOKE9AyNil6zgyvDOzisCY1KBP4FvaDXMHn/qAh62x8lNwe+PibbvqlKbkp
05RniL7sqkgMA6PBjVWodFuFLIBi1pMEXAUW+0JF+HZ3Qh8johwQ0uWIJJIwPAL1
4cro6BtUHqQrGo8LdHtal2vEL2wsTlh1v9m7PD0jsdoqDSkRKnNGQdYbDpq5/cdc
0a9rklQWmHyi9e71AscusYdUqUOVoLFgt4+HWFEKawtOzhlWqjN+EvszGl7NF3Zm
H9Tcfsz4NN+/GN6FT4lUGX/i7KC7gGvk9+GQvYl07GPOHEd1Cao0NnyZyMDXf2Ur
cUljeo4SOI+gB6coMdK7/0iaNZoI9fl3O/YE7Y7FTPxibl0b8v06c+2iXk621Lyn
WPH11L0l3v9rxBFS94Q+HZEIOlLf6HRZusQWxU0YHGiv8tiNLLDE5Q56qg4poQ2W
D95t64HIaeU=
=uVEr
- -----END PGP SIGNATURE-----

- --
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXvA4lONLKJtyKPYoAQhq5w//Qa0LQzoDgtuwOIE0mu0fBDVLKOkmf5lk
LK/f0EgPkihzGfyd2vfJnuYAQyBtu1Dna1CuO3qYqV4jEJoujbwQ0fBVxd4VgmfO
WPTsoQBPRXymSW6vi1skxLABRsHxU+ac/NaKxyLruWikhnA+RiEnTHsHMkaqP6Jq
G2PMxQ15cUk10zs/TENEupxDttWIf+NnzpRoeg5SyRpBLYy3hegJW1OpzUSkGWHO
cjlgk6MJyDqSkHxpvQQj7PHSAFvx6mKXhak/hElnbk4MVQT0YOQX4h1X8XLbQnOb
8flIimry6ev850Cee+GabQ6Odqu+7SsspKa3MzPMpw88Xsbngv3ARyHVGQyGX9BI
onXSyXQkk5QlSa0aMHXmiib/iQv1OoH43+xW3urB08+XzlATzwRqid76pV1BaEXk
8ldu/BrV35kHe8Rn+epsy25b5xev8DUt0Ntl95bvQntFA9Xld/wmgmvi7ieBV0AE
c/hxrCHC+X2ymXUd7v6VRgfqAQPqG81Bg0xnRwVwg+rU8p0OpXsg9TSDk6slyAb6
YzjktWNv/KgL46HUwRlt/rEyusEzWmliyCvhOIFg8mGPgEpB13M7EjMDfodr+gSJ
WXkpwrMtAOvylpBrM1sdiHZEPCHs95OVx4jZun75wkI8uikrK5jMQu+E0mlsZDq5
b0HEjS6Pjts=
=rJ7J
-----END PGP SIGNATURE-----