-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2156
                     rh-nodejs8-nodejs security update
                               22 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           rh-nodejs8-nodejs
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Privileged Data    -- Existing Account      
                   Overwrite Arbitrary Files -- Existing Account      
                   Create Arbitrary Files    -- Existing Account      
                   Denial of Service         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-16777 CVE-2019-16776 CVE-2019-16775
                   CVE-2018-3750 CVE-2018-3737 CVE-2017-18869
                   CVE-2017-18077  

Reference:         ESB-2020.1349
                   ESB-2020.0688
                   ESB-2020.0686
                   ESB-2020.0684

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:2625

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rh-nodejs8-nodejs security update
Advisory ID:       RHSA-2020:2625-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2625
Issue date:        2020-06-18
CVE Names:         CVE-2017-18077 CVE-2017-18869 CVE-2018-3737 
                   CVE-2018-3750 CVE-2019-16775 CVE-2019-16776 
                   CVE-2019-16777 
=====================================================================

1. Summary:

An update for rh-nodejs8-nodejs is now available for Red Hat Software
Collections.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:
rh-nodejs8-nodejs (8.17.0). (BZ#1829414)

Security Fix(es):

* nodejs-brace-expansion: Regular expression denial of service
(CVE-2017-18077)

* nodejs-chownr: TOCTOU vulnerability in `chownr` function in chownr.js
(CVE-2017-18869)

* nodejs-sshpk: ReDoS when parsing crafted invalid public keys in
lib/formats/ssh.js (CVE-2018-3737)

* nodejs-deep-extend: Prototype pollution can allow attackers to modify
object properties (CVE-2018-3750)

* npm: Symlink reference outside of node_modules folder through the bin
field upon installation (CVE-2019-16775)

* npm: Arbitrary file write via constructed entry in the package.json bin
field (CVE-2019-16776)

* npm: Global node_modules Binary Overwrite (CVE-2019-16777)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
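The deep-extend entry above (CVE-2018-3750) names prototype pollution without showing the mechanism. The following is an added example, not code from this advisory, from Red Hat, or from the deep-extend project: a naive recursive merge that walks a `__proto__` key straight into `Object.prototype`, beside a hardened merge that refuses the `__proto__`, `constructor` and `prototype` keys, and a pre-merge input check that reports where such a key sits in untrusted JSON. The function names (`naiveMerge`, `safeMerge`, `findDangerousKey`, `pollutes`) and the JSON payload are constructed for illustration.

```javascript
// Added example (not from the advisory or the deep-extend project):
// the prototype-pollution class behind CVE-2018-3750, shown as a naive
// recursive merge beside a hardened one. All input below is constructed.

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Keys that reach the prototype chain instead of the object itself.
const DANGEROUS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive deep merge: copies every enumerable key of `source`, including an
// own "__proto__" property produced by JSON.parse. Reading target["__proto__"]
// on a plain object yields Object.prototype, so the recursion writes there.
function naiveMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened deep merge: skips the dangerous keys outright and only descends
// into properties that `target` owns, never into something inherited.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Input check a defender can run on parsed JSON before it reaches any
// merge/extend helper: returns the dotted path of the first dangerous key,
// or null when the tree is clean.
function findDangerousKey(obj, path = []) {
  if (!isPlainObject(obj)) return null;
  for (const key of Object.keys(obj)) {
    if (DANGEROUS.has(key)) return [...path, key].join('.');
    const hit = findDangerousKey(obj[key], [...path, key]);
    if (hit !== null) return hit;
  }
  return null;
}

// Runs one merge function against a constructed payload and reports whether
// a fresh object afterwards inherits a "polluted" property. Object.prototype
// is cleaned up in `finally` so the check cannot poison the rest of the process.
function pollutes(mergeFn) {
  const payload = JSON.parse('{"name": "demo", "__proto__": {"polluted": true}}');
  try {
    mergeFn({}, payload);
    return ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log('naiveMerge pollutes Object.prototype:', pollutes(naiveMerge)); // true
console.log('safeMerge pollutes Object.prototype:', pollutes(safeMerge));   // false
console.log('first dangerous key:',
  findDangerousKey(JSON.parse('{"a": {"b": {"__proto__": {"x": 1}}}}'))); // a.b.__proto__
```

The hardened merge keeps untrusted keys off the prototype chain but still lets them land on the target object itself, so where the target is later used as a lookup table, `findDangerousKey` (or building the target with `Object.create(null)`) is the stronger first line; the fix shipped in this update is the package upgrade, and the code above is only there to make the fault class concrete.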

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1448380 - CVE-2017-18077 nodejs-brace-expansion: Regular expression denial of service
1567228 - CVE-2018-3737 nodejs-sshpk: ReDoS when parsing crafted invalid public keys in lib/formats/ssh.js
1578246 - CVE-2018-3750 nodejs-deep-extend: Prototype pollution can allow attackers to modify object properties
1611613 - CVE-2017-18869 nodejs-chownr: TOCTOU vulnerability in `chownr` function in chownr.js
1788301 - CVE-2019-16777 npm: Global node_modules Binary Overwrite
1788305 - CVE-2019-16775 npm: Symlink reference outside of node_modules folder through the bin field upon installation
1788310 - CVE-2019-16776 npm: Arbitrary file write via constructed entry in the package.json bin field
1829414 - rh-nodejs8: One extra rebuild to deliver the last upstream version

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-nodejs8-nodejs-8.17.0-2.el7.src.rpm

aarch64:
rh-nodejs8-nodejs-8.17.0-2.el7.aarch64.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.aarch64.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.aarch64.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.aarch64.rpm

noarch:
rh-nodejs8-nodejs-docs-8.17.0-2.el7.noarch.rpm

ppc64le:
rh-nodejs8-nodejs-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.ppc64le.rpm

s390x:
rh-nodejs8-nodejs-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.s390x.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.s390x.rpm

x86_64:
rh-nodejs8-nodejs-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):

Source:
rh-nodejs8-nodejs-8.17.0-2.el7.src.rpm

noarch:
rh-nodejs8-nodejs-docs-8.17.0-2.el7.noarch.rpm

ppc64le:
rh-nodejs8-nodejs-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.ppc64le.rpm

s390x:
rh-nodejs8-nodejs-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.s390x.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.s390x.rpm

x86_64:
rh-nodejs8-nodejs-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7):

Source:
rh-nodejs8-nodejs-8.17.0-2.el7.src.rpm

noarch:
rh-nodejs8-nodejs-docs-8.17.0-2.el7.noarch.rpm

ppc64le:
rh-nodejs8-nodejs-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.ppc64le.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.ppc64le.rpm

s390x:
rh-nodejs8-nodejs-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.s390x.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.s390x.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.s390x.rpm

x86_64:
rh-nodejs8-nodejs-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-nodejs8-nodejs-8.17.0-2.el7.src.rpm

noarch:
rh-nodejs8-nodejs-docs-8.17.0-2.el7.noarch.rpm

x86_64:
rh-nodejs8-nodejs-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-debuginfo-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-nodejs-devel-8.17.0-2.el7.x86_64.rpm
rh-nodejs8-npm-6.13.4-8.17.0.2.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-18077
https://access.redhat.com/security/cve/CVE-2017-18869
https://access.redhat.com/security/cve/CVE-2018-3737
https://access.redhat.com/security/cve/CVE-2018-3750
https://access.redhat.com/security/cve/CVE-2019-16775
https://access.redhat.com/security/cve/CVE-2019-16776
https://access.redhat.com/security/cve/CVE-2019-16777
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----