Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.0524
rh-nodejs12-nodejs security update
12 February 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: rh-nodejs12-nodejs
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Denial of Service -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-8287 CVE-2020-8265 CVE-2020-7788
CVE-2020-7754 CVE-2019-10747 CVE-2019-10746
Reference: ESB-2021.0311
ESB-2021.0159
ESB-2020.4518
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:0485
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: rh-nodejs12-nodejs security update
Advisory ID: RHSA-2021:0485-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0485
Issue date: 2021-02-11
CVE Names: CVE-2019-10746 CVE-2019-10747 CVE-2020-7754
CVE-2020-7788 CVE-2020-8265 CVE-2020-8287
=====================================================================
1. Summary:
An update for rh-nodejs12-nodejs is now available for Red Hat Software
Collections.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
3. Description:
Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.
The following packages have been upgraded to a later upstream version:
rh-nodejs12-nodejs (12.20.1), rh-nodejs12-nodejs-nodemon (2.0.3).
Security Fix(es):
* nodejs-mixin-deep: prototype pollution in function mixin-deep
(CVE-2019-10746)
* nodejs-set-value: prototype pollution in function set-value
(CVE-2019-10747)
* nodejs-npm-user-validate: improper input validation when validating user
emails leads to ReDoS (CVE-2020-7754)
* nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)
* nodejs: use-after-free in the TLS implementation (CVE-2020-8265)
* nodejs: HTTP request smuggling via two copies of a header field in an
http request (CVE-2020-8287)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1795475 - CVE-2019-10746 nodejs-mixin-deep: prototype pollution in function mixin-deep
1795479 - CVE-2019-10747 nodejs-set-value: prototype pollution in function set-value
1892430 - CVE-2020-7754 nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS
1907444 - CVE-2020-7788 nodejs-ini: prototype pollution via malicious INI file
1912854 - CVE-2020-8265 nodejs: use-after-free in the TLS implementation
1912863 - CVE-2020-8287 nodejs: HTTP request smuggling via two copies of a header field in an http request
6. Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
rh-nodejs12-nodejs-12.20.1-1.el7.src.rpm
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.src.rpm
noarch:
rh-nodejs12-nodejs-docs-12.20.1-1.el7.noarch.rpm
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.noarch.rpm
ppc64le:
rh-nodejs12-nodejs-12.20.1-1.el7.ppc64le.rpm
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.ppc64le.rpm
rh-nodejs12-nodejs-devel-12.20.1-1.el7.ppc64le.rpm
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.ppc64le.rpm
s390x:
rh-nodejs12-nodejs-12.20.1-1.el7.s390x.rpm
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.s390x.rpm
rh-nodejs12-nodejs-devel-12.20.1-1.el7.s390x.rpm
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.s390x.rpm
x86_64:
rh-nodejs12-nodejs-12.20.1-1.el7.x86_64.rpm
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.x86_64.rpm
rh-nodejs12-nodejs-devel-12.20.1-1.el7.x86_64.rpm
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):
Source:
rh-nodejs12-nodejs-12.20.1-1.el7.src.rpm
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.src.rpm
noarch:
rh-nodejs12-nodejs-docs-12.20.1-1.el7.noarch.rpm
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.noarch.rpm
ppc64le:
rh-nodejs12-nodejs-12.20.1-1.el7.ppc64le.rpm
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.ppc64le.rpm
rh-nodejs12-nodejs-devel-12.20.1-1.el7.ppc64le.rpm
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.ppc64le.rpm
s390x:
rh-nodejs12-nodejs-12.20.1-1.el7.s390x.rpm
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.s390x.rpm
rh-nodejs12-nodejs-devel-12.20.1-1.el7.s390x.rpm
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.s390x.rpm
x86_64:
rh-nodejs12-nodejs-12.20.1-1.el7.x86_64.rpm
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.x86_64.rpm
rh-nodejs12-nodejs-devel-12.20.1-1.el7.x86_64.rpm
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7):
Source:
rh-nodejs12-nodejs-12.20.1-1.el7.src.rpm
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.src.rpm
noarch:
rh-nodejs12-nodejs-docs-12.20.1-1.el7.noarch.rpm
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.noarch.rpm
ppc64le:
rh-nodejs12-nodejs-12.20.1-1.el7.ppc64le.rpm
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.ppc64le.rpm
rh-nodejs12-nodejs-devel-12.20.1-1.el7.ppc64le.rpm
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.ppc64le.rpm
s390x:
rh-nodejs12-nodejs-12.20.1-1.el7.s390x.rpm
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.s390x.rpm
rh-nodejs12-nodejs-devel-12.20.1-1.el7.s390x.rpm
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.s390x.rpm
x86_64:
rh-nodejs12-nodejs-12.20.1-1.el7.x86_64.rpm
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.x86_64.rpm
rh-nodejs12-nodejs-devel-12.20.1-1.el7.x86_64.rpm
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source:
rh-nodejs12-nodejs-12.20.1-1.el7.src.rpm
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.src.rpm
noarch:
rh-nodejs12-nodejs-docs-12.20.1-1.el7.noarch.rpm
rh-nodejs12-nodejs-nodemon-2.0.3-1.el7.noarch.rpm
x86_64:
rh-nodejs12-nodejs-12.20.1-1.el7.x86_64.rpm
rh-nodejs12-nodejs-debuginfo-12.20.1-1.el7.x86_64.rpm
rh-nodejs12-nodejs-devel-12.20.1-1.el7.x86_64.rpm
rh-nodejs12-npm-6.14.10-12.20.1.1.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-10746
https://access.redhat.com/security/cve/CVE-2019-10747
https://access.redhat.com/security/cve/CVE-2020-7754
https://access.redhat.com/security/cve/CVE-2020-7788
https://access.redhat.com/security/cve/CVE-2020-8265
https://access.redhat.com/security/cve/CVE-2020-8287
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYCUzDtzjgjWX9erEAQhN8Q/9EYy3XsHB2t/o5ed93d1atPwU/EktPG+8
suqXWP4XMzRkPSSMFIEnLzeU+KcCAX9h8J7eZ/lVDDY0tcHbbxoJGwh3ihF7ie54
f3yVAMJ4JSx1jITUlBKnssCsMypQHyVkToIZg5VV1XfYaBJtfYUzLWG8dssshKZL
WrZQtgJRzfspzBObAD/0dDKiaphRqISSkLyfx3mox+/WOGmlF7WoGeJn4f0FNVsq
lS46Uhj4MjYuxT/o6K6PDXB8w8AYzrPwppolbAWg0r+j4WhabRwTeEaIqbLKE/26
jTWFnzZfpu7IUg0z7oiL0gfrjYa4KH+3syMmqcxmDLWFIyPQuvuFujTaePOMHF7Z
D3fhiFVYxlFoRezMEIRJ/c7ugAUBJFKoIYSGzvIFm6dl5iBh9vwD9K3RZsLNj870
WMAgA7FWzauzrQ6N2OYKPn8D//6ME6gMKZshSIASMvzcKcbG1AQY6QNNzOx8BSun
IPRdzLTHeSu8dHQ9yVhe3PXaY9eNWXFMQc+YAJ7ubEAOtQFR8ziVMiZoqWPHvjo5
M98ij3CfdA+UoPDV9iXIG0xJjiYDYiNEj0Gfpco+nCIBmRViOleP8aA6bWqz6PrT
gHjaKM6cMiM4TGwugStTrgeQGae9lGmQ2XMCqiIYbNCkXxw2mOejFGygiyMcIome
3vhkxWp4im8=
=t0oj
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYCXvsuNLKJtyKPYoAQjrzA//cXRhPNcszs05DKToJ3/LMkJVbIxBvjKc
QZBPpWMe7k4jWLjkOoKpAiponaq+VIojoghv9INBsqTeHLqBqL7jBqvrhfecRGHO
bK9o8aRxIL10dIjt+XFh+HqH8KDzkgnXFAT5d9O+DNaqVaN/mppqu9Ve5U4DRbCx
cl05jWLuSxM/wEs4uWQKKsKyl2rbX00IYvHZJb11ITY4jbKA5JoQDxnfYJKfkTVe
W6QBvmESBd7Ni7aYR2LYYJJKOTY2fT+qJ0Q+QTXh/Fj7g7DeBuqigX5aLEVSYK1R
FdRrn+Vu5KZZ3UR7Q/ZAGMhue9bG4x/+j2VvZ3ssXogQJCiCdyzohXVKGlyUGcw4
nRnDIjqvGAvpgZvYxIpeHZTp3bKlhSl6xiiGkfM0c2KVV0NUDKDsFSirB0HVKjos
vPQWvQo5gsjpksk/fmL3BZdqR60AXarh6Coc9XzaTe3XfySLPbDLdTYzPEjlXTf5
Hmzj1oVfF2etfmfwTIWY5SXb3y8yFPcJoCuEjhG1TnzXYp2GSL2RjchXui2xXoIj
1FZSd40z7AWoiIOZKSJ1C8c0zaVRCP/gHiBLoEqxpf7vXbt6w//62QfoDVC8CgTh
CzdPV3e4IkLks6/weA8VwaPp6vxfoaNH0Al+uHVg+v+ohJPHgz1ldV4+L81Qr5Xt
Xo2lzCt4g7M=
=hgPc
-----END PGP SIGNATURE-----