Operating System:

[RedHat]

Published:

05 February 2021

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0412
                    rh-nodejs14-nodejs security update
                              5 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           rh-nodejs14-nodejs
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-15366 CVE-2020-8287 CVE-2020-8277
                   CVE-2020-8265 CVE-2020-7788 CVE-2020-7774
                   CVE-2020-7754  

Reference:         ESB-2021.0311
                   ESB-2021.0199

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:0421

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rh-nodejs14-nodejs security update
Advisory ID:       RHSA-2021:0421-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0421
Issue date:        2021-02-04
CVE Names:         CVE-2020-7754 CVE-2020-7774 CVE-2020-7788 
                   CVE-2020-8265 CVE-2020-8277 CVE-2020-8287 
                   CVE-2020-15366 
=====================================================================

1. Summary:

An update for rh-nodejs14-nodejs is now available for Red Hat Software
Collections.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language. 

The following packages have been upgraded to a later upstream version:
rh-nodejs14-nodejs (14.15.4).

Security Fix(es):

* nodejs-npm-user-validate: improper input validation when validating user
emails leads to ReDoS (CVE-2020-7754)

* nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)

* nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)

* nodejs: use-after-free in the TLS implementation (CVE-2020-8265)

* c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS
(CVE-2020-8277)

* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate
function (CVE-2020-15366)

* nodejs: HTTP request smuggling via two copies of a header field in an
http request (CVE-2020-8287)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1857977 - CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
1892430 - CVE-2020-7754 nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS
1898554 - CVE-2020-8277 c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS
1898680 - CVE-2020-7774 nodejs-y18n: prototype pollution vulnerability
1907444 - CVE-2020-7788 nodejs-ini: prototype pollution via malicious INI file
1912854 - CVE-2020-8265 nodejs: use-after-free in the TLS implementation
1912863 - CVE-2020-8287 nodejs: HTTP request smuggling via two copies of a header field in an http request

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-nodejs14-nodejs-14.15.4-2.el7.src.rpm

noarch:
rh-nodejs14-nodejs-docs-14.15.4-2.el7.noarch.rpm

ppc64le:
rh-nodejs14-nodejs-14.15.4-2.el7.ppc64le.rpm
rh-nodejs14-nodejs-debuginfo-14.15.4-2.el7.ppc64le.rpm
rh-nodejs14-nodejs-devel-14.15.4-2.el7.ppc64le.rpm
rh-nodejs14-npm-6.14.10-14.15.4.2.el7.ppc64le.rpm

s390x:
rh-nodejs14-nodejs-14.15.4-2.el7.s390x.rpm
rh-nodejs14-nodejs-debuginfo-14.15.4-2.el7.s390x.rpm
rh-nodejs14-nodejs-devel-14.15.4-2.el7.s390x.rpm
rh-nodejs14-npm-6.14.10-14.15.4.2.el7.s390x.rpm

x86_64:
rh-nodejs14-nodejs-14.15.4-2.el7.x86_64.rpm
rh-nodejs14-nodejs-debuginfo-14.15.4-2.el7.x86_64.rpm
rh-nodejs14-nodejs-devel-14.15.4-2.el7.x86_64.rpm
rh-nodejs14-npm-6.14.10-14.15.4.2.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):

Source:
rh-nodejs14-nodejs-14.15.4-2.el7.src.rpm

noarch:
rh-nodejs14-nodejs-docs-14.15.4-2.el7.noarch.rpm

ppc64le:
rh-nodejs14-nodejs-14.15.4-2.el7.ppc64le.rpm
rh-nodejs14-nodejs-debuginfo-14.15.4-2.el7.ppc64le.rpm
rh-nodejs14-nodejs-devel-14.15.4-2.el7.ppc64le.rpm
rh-nodejs14-npm-6.14.10-14.15.4.2.el7.ppc64le.rpm

s390x:
rh-nodejs14-nodejs-14.15.4-2.el7.s390x.rpm
rh-nodejs14-nodejs-debuginfo-14.15.4-2.el7.s390x.rpm
rh-nodejs14-nodejs-devel-14.15.4-2.el7.s390x.rpm
rh-nodejs14-npm-6.14.10-14.15.4.2.el7.s390x.rpm

x86_64:
rh-nodejs14-nodejs-14.15.4-2.el7.x86_64.rpm
rh-nodejs14-nodejs-debuginfo-14.15.4-2.el7.x86_64.rpm
rh-nodejs14-nodejs-devel-14.15.4-2.el7.x86_64.rpm
rh-nodejs14-npm-6.14.10-14.15.4.2.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7):

Source:
rh-nodejs14-nodejs-14.15.4-2.el7.src.rpm

noarch:
rh-nodejs14-nodejs-docs-14.15.4-2.el7.noarch.rpm

ppc64le:
rh-nodejs14-nodejs-14.15.4-2.el7.ppc64le.rpm
rh-nodejs14-nodejs-debuginfo-14.15.4-2.el7.ppc64le.rpm
rh-nodejs14-nodejs-devel-14.15.4-2.el7.ppc64le.rpm
rh-nodejs14-npm-6.14.10-14.15.4.2.el7.ppc64le.rpm

s390x:
rh-nodejs14-nodejs-14.15.4-2.el7.s390x.rpm
rh-nodejs14-nodejs-debuginfo-14.15.4-2.el7.s390x.rpm
rh-nodejs14-nodejs-devel-14.15.4-2.el7.s390x.rpm
rh-nodejs14-npm-6.14.10-14.15.4.2.el7.s390x.rpm

x86_64:
rh-nodejs14-nodejs-14.15.4-2.el7.x86_64.rpm
rh-nodejs14-nodejs-debuginfo-14.15.4-2.el7.x86_64.rpm
rh-nodejs14-nodejs-devel-14.15.4-2.el7.x86_64.rpm
rh-nodejs14-npm-6.14.10-14.15.4.2.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-nodejs14-nodejs-14.15.4-2.el7.src.rpm

noarch:
rh-nodejs14-nodejs-docs-14.15.4-2.el7.noarch.rpm

x86_64:
rh-nodejs14-nodejs-14.15.4-2.el7.x86_64.rpm
rh-nodejs14-nodejs-debuginfo-14.15.4-2.el7.x86_64.rpm
rh-nodejs14-nodejs-devel-14.15.4-2.el7.x86_64.rpm
rh-nodejs14-npm-6.14.10-14.15.4.2.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-7754
https://access.redhat.com/security/cve/CVE-2020-7774
https://access.redhat.com/security/cve/CVE-2020-7788
https://access.redhat.com/security/cve/CVE-2020-8265
https://access.redhat.com/security/cve/CVE-2020-8277
https://access.redhat.com/security/cve/CVE-2020-8287
https://access.redhat.com/security/cve/CVE-2020-15366
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYBwsltzjgjWX9erEAQjfrQ/8CZ3Sx8P+gFao3TvTIb1H1kKU1AqncYGw
JdrVsDhjVxVixQ6voH4vK3BTaO0/lcoDf1gV2Ot+QduIOzbsnFVXtcATg1Ada5+W
5VDgT206n7NtUdpO8k79wz41S7DLQq48EHCvCZpyDg7CKkwVEDMPXOsXEuJUHkeL
6VXkvMeVe5vulxrUm7u/uovFBg4oEzAkUxpwdDJV3e8TiyUJDAbPjfHsudnAp5LS
cGGu5HlKCWQKg/NPmY0n6R2f5ZJbCUXMWz+klgqG78jsnqvT0pxT7yfhoQtKx+hE
qua/PRASNqr6TGxvTGVUcbcMecWPaBKLnvFBPZhMKYcqc0Tu/IOzCg/j2VI03cB0
D4nix+S+ZAHSjcje0g8SayW6CNd+D21/yn3viR1JvG1v+ptgLBEqeYm4UH1TJAKg
h/rGaB1ErOuaiVjhP2UC+g7A1JRA6UFMMXCTHi/8vMTRHFDEdjNrn6IIV/R+f+1Q
SXWojgWAoylt8ZoSLZSv0tcW92iT4l6pyr6x5GYpoDg6t8VU24HFUUcmm8home/g
h3wTHfEGuKvPfLyvGZjP0cQAlw9+PaHxM6fzOgtwZmWJ0iomLDKoJROJ6RcJJIql
CDPcVzxup5Vu7EBYPFG6GtaFTQu6BwsoUVI8Ownq6xBONuu651VyT92T+6YJfbj9
i0lfIZ/DfUY=
=9Rxl
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYByY4+NLKJtyKPYoAQiLog//eKXiA+VV+UYZiRiOtvmgLaXT+cO2+Q08
E9XQqSzD5EocGjfa+35+1v+lUKmUc4q1tnQ/zvZfWNufdcsFeK6LUzRfkx/SGarF
zxgYuxUzu1B3q456xm456uwVHwqwBVL+3Gq4EKVYgBLyCJyCOAnXqvroSgPSIX1z
cnLVD5gbHkDmh+Q6t7kXu4c0qs6i4To0ST7em4jVbKiMWWEauwH5vp+Kk6clQOVO
n0UnAwrGiTsLdBjFb0kM3FckfcofA68YxwGKBpQtVOvYalG+2wnASUfwe3Bi3z/q
xsoSMNVEwQh3/ZXT+ZwaddEr9jV3HiVqsDN1wyVKuE/T6qJT99a8aT2qri+rlafr
llHbLl3lihWXwrWMbmaSQQby7u1+30JHVeGrGivejyLHzyQt/s+7ONFrgALMi3oD
SxcyHr1S+0WshVk/MEMoGk3xenjwdP/oBq5YlTTSqf1bByLWLsE0qEmY1p9NbXSI
7nEBWf1d1KqrOhMeg5rGZ+UHQ4k7xejZcrYPD9527hTYacJzp/uQqpdf9Run1laD
yRbFg8faAPo7BsAFgy3pXRRcPhxjicWCXBgBcH5Ru1F+alfj+qUBbKwo183WyfIY
qiyWXHOMFgLCEdcWXyC/kYayzSJnQ9ht9c42Gjt4RypZxhNGuuXnrjB0O1HE3GSa
VJfCEDy/erk=
=l0D/
-----END PGP SIGNATURE-----