Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.3588.2 nodejs:12 security and bug fix update 6 November 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: nodejs:12 Publisher: Red Hat Operating System: Red Hat Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Denial of Service -- Existing Account Reduced Security -- Remote/Unauthenticated Access Confidential Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-15095 CVE-2020-8252 CVE-2020-8201 CVE-2020-8116 Reference: ESB-2020.3494 ESB-2020.3330 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:4272 https://access.redhat.com/errata/RHSA-2020:4903 Comment: This bulletin contains two (2) Red Hat security advisories. Revision History: November 6 2020: Additional advisory appended October 20 2020: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: nodejs:12 security and bug fix update Advisory ID: RHSA-2020:4272-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:4272 Issue date: 2020-10-19 CVE Names: CVE-2020-8116 CVE-2020-8201 CVE-2020-8252 CVE-2020-15095 ===================================================================== 1. Summary: An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (12.18.4). Security Fix(es): * nodejs-dot-prop: prototype pollution (CVE-2020-8116) * nodejs: HTTP request smuggling due to CR-to-Hyphen conversion (CVE-2020-8201) * npm: Sensitive information exposure through logs (CVE-2020-15095) * libuv: buffer overflow in realpath (CVE-2020-8252) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * The nodejs:12/development module is not installable (BZ#1883966) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1856875 - CVE-2020-15095 npm: Sensitive information exposure through logs 1868196 - CVE-2020-8116 nodejs-dot-prop: prototype pollution 1879311 - CVE-2020-8201 nodejs: HTTP request smuggling due to CR-to-Hyphen conversion 1879315 - CVE-2020-8252 libuv: buffer overflow in realpath 1883966 - The nodejs:12/development module is not installable [rhel-8.2.0.z] 6. Package List: Red Hat Enterprise Linux AppStream (v. 8): Source: nodejs-12.18.4-2.module+el8.2.0+8361+192e434e.src.rpm nodejs-nodemon-1.18.3-1.module+el8.1.0+3369+37ae6a45.src.rpm nodejs-packaging-17-3.module+el8.1.0+3369+37ae6a45.src.rpm aarch64: nodejs-12.18.4-2.module+el8.2.0+8361+192e434e.aarch64.rpm nodejs-debuginfo-12.18.4-2.module+el8.2.0+8361+192e434e.aarch64.rpm nodejs-debugsource-12.18.4-2.module+el8.2.0+8361+192e434e.aarch64.rpm nodejs-devel-12.18.4-2.module+el8.2.0+8361+192e434e.aarch64.rpm nodejs-full-i18n-12.18.4-2.module+el8.2.0+8361+192e434e.aarch64.rpm npm-6.14.6-1.12.18.4.2.module+el8.2.0+8361+192e434e.aarch64.rpm noarch: nodejs-docs-12.18.4-2.module+el8.2.0+8361+192e434e.noarch.rpm nodejs-nodemon-1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch.rpm nodejs-packaging-17-3.module+el8.1.0+3369+37ae6a45.noarch.rpm ppc64le: nodejs-12.18.4-2.module+el8.2.0+8361+192e434e.ppc64le.rpm nodejs-debuginfo-12.18.4-2.module+el8.2.0+8361+192e434e.ppc64le.rpm nodejs-debugsource-12.18.4-2.module+el8.2.0+8361+192e434e.ppc64le.rpm nodejs-devel-12.18.4-2.module+el8.2.0+8361+192e434e.ppc64le.rpm nodejs-full-i18n-12.18.4-2.module+el8.2.0+8361+192e434e.ppc64le.rpm npm-6.14.6-1.12.18.4.2.module+el8.2.0+8361+192e434e.ppc64le.rpm s390x: nodejs-12.18.4-2.module+el8.2.0+8361+192e434e.s390x.rpm nodejs-debuginfo-12.18.4-2.module+el8.2.0+8361+192e434e.s390x.rpm nodejs-debugsource-12.18.4-2.module+el8.2.0+8361+192e434e.s390x.rpm nodejs-devel-12.18.4-2.module+el8.2.0+8361+192e434e.s390x.rpm nodejs-full-i18n-12.18.4-2.module+el8.2.0+8361+192e434e.s390x.rpm npm-6.14.6-1.12.18.4.2.module+el8.2.0+8361+192e434e.s390x.rpm x86_64: nodejs-12.18.4-2.module+el8.2.0+8361+192e434e.x86_64.rpm nodejs-debuginfo-12.18.4-2.module+el8.2.0+8361+192e434e.x86_64.rpm nodejs-debugsource-12.18.4-2.module+el8.2.0+8361+192e434e.x86_64.rpm nodejs-devel-12.18.4-2.module+el8.2.0+8361+192e434e.x86_64.rpm nodejs-full-i18n-12.18.4-2.module+el8.2.0+8361+192e434e.x86_64.rpm npm-6.14.6-1.12.18.4.2.module+el8.2.0+8361+192e434e.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-8116 https://access.redhat.com/security/cve/CVE-2020-8201 https://access.redhat.com/security/cve/CVE-2020-8252 https://access.redhat.com/security/cve/CVE-2020-15095 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX41E/tzjgjWX9erEAQiqAhAAh0qeleD3fUgwf3gHPlqT2W5m9JcrxFze Inz7Dgcwiibbym4BlJQ+4BOCta/eDyE5eREuFNww/z9BUbbgITI+qlfIaJzLMWFX 9RUtpZcf9mao6FHbxtbHbdRd1UuxhpuTcdTP38m71y4ES/QkfgwngxBDNqlexu8K /UTkdpBnZsuLo1pvYydCn73HCRmPOJtmBy3BB13Z6yIwTUQhEw0bru2pq6UIHDGn w5Fm1FlpnDmu+fAIaFev8RGQB//3Qb/XFJn6PW21wgIXMdqhdaH3Xmh4+m3s2afV OdlO7fxFMxSdms0mwhbCwYL8FqyNqRMoVJHGKAKypN4tFj1xkprIaV1AELayShsg oDAbZSi/Eh8pYu/wDnriV26uDDZizzuuNTS3BJfpuhJCQ1nn90pYhLIa1Y9FU2jQ NVhciL7B+KjkHQHEClEcX44ge0cue9+f5RsDqxb+RdGlP2dyAxCqT5MZjOb06C2y oAGcib7DWvh7zXVwn3+3j77y3HLQk45VnxhCV2WM3DE5vrJ7jPUMowDIp4RMc6qw CGKKW8bzHdRdL9/B6V0HVe2CtJiiz2L9KD7+CV+13Mi4fapq6qM2jEHpbUn91AoG cJ/hqT912XEDtNDt/SMxHLBMPTHv/9hh+nSbw1TfY5TvQM8hnKCznH2gS4abenO0 Mwmrogf+Egs= =OV38 - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: nodejs:12 security and bug fix update Advisory ID: RHSA-2020:4903-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:4903 Issue date: 2020-11-04 CVE Names: CVE-2020-8116 CVE-2020-8201 CVE-2020-8252 CVE-2020-15095 ===================================================================== 1. Summary: An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (12.18.4). Security Fix(es): * nodejs-dot-prop: prototype pollution (CVE-2020-8116) * nodejs: HTTP request smuggling due to CR-to-Hyphen conversion (CVE-2020-8201) * npm: Sensitive information exposure through logs (CVE-2020-15095) * libuv: buffer overflow in realpath (CVE-2020-8252) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * The nodejs:12/development module is not installable (BZ#1883965) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1856875 - CVE-2020-15095 npm: Sensitive information exposure through logs 1868196 - CVE-2020-8116 nodejs-dot-prop: prototype pollution 1879311 - CVE-2020-8201 nodejs: HTTP request smuggling due to CR-to-Hyphen conversion 1879315 - CVE-2020-8252 libuv: buffer overflow in realpath 1883965 - The nodejs:12/development module is not installable [rhel-8.1.0.z] 6. Package List: Red Hat Enterprise Linux AppStream EUS (v. 8.1): Source: nodejs-12.18.4-2.module+el8.1.0+8360+14141500.src.rpm nodejs-nodemon-1.18.3-1.module+el8.1.0+3369+37ae6a45.src.rpm nodejs-packaging-17-3.module+el8.1.0+3369+37ae6a45.src.rpm aarch64: nodejs-12.18.4-2.module+el8.1.0+8360+14141500.aarch64.rpm nodejs-debuginfo-12.18.4-2.module+el8.1.0+8360+14141500.aarch64.rpm nodejs-debugsource-12.18.4-2.module+el8.1.0+8360+14141500.aarch64.rpm nodejs-devel-12.18.4-2.module+el8.1.0+8360+14141500.aarch64.rpm nodejs-full-i18n-12.18.4-2.module+el8.1.0+8360+14141500.aarch64.rpm npm-6.14.6-1.12.18.4.2.module+el8.1.0+8360+14141500.aarch64.rpm noarch: nodejs-docs-12.18.4-2.module+el8.1.0+8360+14141500.noarch.rpm nodejs-nodemon-1.18.3-1.module+el8.1.0+3369+37ae6a45.noarch.rpm nodejs-packaging-17-3.module+el8.1.0+3369+37ae6a45.noarch.rpm ppc64le: nodejs-12.18.4-2.module+el8.1.0+8360+14141500.ppc64le.rpm nodejs-debuginfo-12.18.4-2.module+el8.1.0+8360+14141500.ppc64le.rpm nodejs-debugsource-12.18.4-2.module+el8.1.0+8360+14141500.ppc64le.rpm nodejs-devel-12.18.4-2.module+el8.1.0+8360+14141500.ppc64le.rpm nodejs-full-i18n-12.18.4-2.module+el8.1.0+8360+14141500.ppc64le.rpm npm-6.14.6-1.12.18.4.2.module+el8.1.0+8360+14141500.ppc64le.rpm s390x: nodejs-12.18.4-2.module+el8.1.0+8360+14141500.s390x.rpm nodejs-debuginfo-12.18.4-2.module+el8.1.0+8360+14141500.s390x.rpm nodejs-debugsource-12.18.4-2.module+el8.1.0+8360+14141500.s390x.rpm nodejs-devel-12.18.4-2.module+el8.1.0+8360+14141500.s390x.rpm nodejs-full-i18n-12.18.4-2.module+el8.1.0+8360+14141500.s390x.rpm npm-6.14.6-1.12.18.4.2.module+el8.1.0+8360+14141500.s390x.rpm x86_64: nodejs-12.18.4-2.module+el8.1.0+8360+14141500.x86_64.rpm nodejs-debuginfo-12.18.4-2.module+el8.1.0+8360+14141500.x86_64.rpm nodejs-debugsource-12.18.4-2.module+el8.1.0+8360+14141500.x86_64.rpm nodejs-devel-12.18.4-2.module+el8.1.0+8360+14141500.x86_64.rpm nodejs-full-i18n-12.18.4-2.module+el8.1.0+8360+14141500.x86_64.rpm npm-6.14.6-1.12.18.4.2.module+el8.1.0+8360+14141500.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-8116 https://access.redhat.com/security/cve/CVE-2020-8201 https://access.redhat.com/security/cve/CVE-2020-8252 https://access.redhat.com/security/cve/CVE-2020-15095 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX6KgItzjgjWX9erEAQivyw//VapgCsnPau2LKyTxnumAhwlQ0tNlXNFw 4APGyEAynTnX6TuhFjQfXTFwBj67+C5ZT3LFYJ2eQ3/K1nb26ia95m4IgF6TlrZc MRytC7xTY9b6t2z7sfIXb892D1lK26HYcMfWMe0fy1bHszpkiPKvzfEP5o9cWRn/ Tmxh48AOspSye4eQqRROUM6J6eRsiIq9uMvj/v2hljzqeMUwtUSGsyudHJOOZl7j MyGw6rDhcPuirhedTp1C1b1JWdXXTEcHLXy7kDRVWfgXZLetJTfeQkl3FHbWXThH A7lPkxcP9PkNXKAvH7RE+65ylUXP60rpTJFs7uaqIjJLWlZkBm81+U7RzAv8afjE 3PwdbMzsoXLCCN5HBk8aA/sJ+oos6YC+jaANVCU3p/eJPaEm4dUTxyiWJsgzrwjA m59e8wJtZxJOd1QO1a7LvxS/52Yxgu/HjGxrLgoR5SNYOrmeKgMmN/0stc/dB1hK lv9Z0MC+RqU1t7rnkFqje+mD18gF0SuOYGCA+8hlzaBfDYxRGHV56lPf+9PeQegP H8l66LvM0ly0aXgdwPT33t0Jipp8HBJYd/9Z+BgvUZtnK9FspSLyrbS1ke6f9qGl dQ2Nx7A5uIrv22U68PIrpKAhHlgNFj1ammVuSEma3Y3ZqCxPc05xlWisMkhTaouT NzIMa7yGLug= =lV49 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX6R8oeNLKJtyKPYoAQgFWw//SQcJBM8RHo/SPlSM0cpcM2BAo1G9Pb6Y LpOuoOi2HL2SCGPhlvrElbUuIMFPnY6PSLoWl5busWeSQYgAieavLw66jgG1csDF BCzPXSrsIGjbFgBrqfPYJv6PxHCTQRnhFFYg80PncUWF2L8TsQi+GRz8Zn4DUwPo 6VyU3ck50Vrw20rIRaJfErCUbcpIM7fVr9rlXE9f5k1Sdx2VqzHkgy1SlquooV2K n+1wm/iwQG5Ng916y1TkvM0fgJc2UvYfjuNgmBVclb5LES4ms3k33V4guyakL/K2 DlqDbQxLkXotb3ozD4UVjHH+YAPhjHlkJdm9t8daDNDEW5cM510LZHN9pOmps3Y/ yP+AT9Zn1nIRFA1g1DmLAqRD/lkcVH44/T4b/2n5UaMMECQCCuNPbzK/FqKCdADz IhGpxAzo49m1Gu24knZjzlkdKaBd8929ujIz0rmBA6FgkLlFnznlK2lqXoWy3sGc xQIg4ztdMzqlv8/nUXEkRkat2VQ7v+gE7XeS7Iws3dqvlPOimNJtHLIDJWj5JwPH UH+4X/MuGaAxGuzaosyDOLFtJIxpO752vO2zOhJJ016mgeykFc/WsI8qy6FZfcrO 3w1jj2PO/eAIoqNVAwbdd3ZGgeqyqLlwqHWp0wSqF88N9zEKI0FBLeTq3ZKBqDi5 ziJNXEuztRY= =jaWx -----END PGP SIGNATURE-----