===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.0587
nodejs security and bug fix update
17 February 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           nodejs:14
                   nodejs:10
                   nodejs:12
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-15366 CVE-2020-15095 CVE-2020-8287
                   CVE-2020-8277 CVE-2020-8265 CVE-2020-8252
                   CVE-2020-8116 CVE-2020-7788 CVE-2020-7774
                   CVE-2020-7754 CVE-2020-7608 CVE-2019-10747
                   CVE-2019-10746

Reference:         ASB-2021.0021
                   ESB-2021.0563
                   ESB-2021.0524
                   ESB-2021.0412

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:0551
   https://access.redhat.com/errata/RHSA-2021:0548
   https://access.redhat.com/errata/RHSA-2021:0549

Comment: This bulletin contains three (3) Red Hat security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
Red Hat Security Advisory

Synopsis:          Moderate: nodejs:14 security and bug fix update
Advisory ID:       RHSA-2021:0551-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0551
Issue date:        2021-02-16
CVE Names:         CVE-2020-7754 CVE-2020-7774 CVE-2020-7788
                   CVE-2020-8265 CVE-2020-8277 CVE-2020-8287
                   CVE-2020-15366
=====================================================================

1. Summary:

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (14.15.4).

Security Fix(es):

* nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754)

* nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)

* nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)

* nodejs: use-after-free in the TLS implementation (CVE-2020-8265)

* c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS (CVE-2020-8277)

* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)

* nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* yarn install crashes with nodejs:14 on aarch64 (BZ#1916465)

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1857977 - CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
1892430 - CVE-2020-7754 nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS
1898554 - CVE-2020-8277 c-ares: ares_parse_{a,aaaa}_reply() insufficient naddrttls validation DoS
1898680 - CVE-2020-7774 nodejs-y18n: prototype pollution vulnerability
1907444 - CVE-2020-7788 nodejs-ini: prototype pollution via malicious INI file
1912854 - CVE-2020-8265 nodejs: use-after-free in the TLS implementation
1912863 - CVE-2020-8287 nodejs: HTTP request smuggling via two copies of a header field in an http request

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
nodejs-14.15.4-2.module+el8.3.0+9635+ffdf8381.src.rpm
nodejs-nodemon-2.0.3-1.module+el8.3.0+6519+9f98ed83.src.rpm
nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

aarch64:
nodejs-14.15.4-2.module+el8.3.0+9635+ffdf8381.aarch64.rpm
nodejs-debuginfo-14.15.4-2.module+el8.3.0+9635+ffdf8381.aarch64.rpm
nodejs-debugsource-14.15.4-2.module+el8.3.0+9635+ffdf8381.aarch64.rpm
nodejs-devel-14.15.4-2.module+el8.3.0+9635+ffdf8381.aarch64.rpm
nodejs-full-i18n-14.15.4-2.module+el8.3.0+9635+ffdf8381.aarch64.rpm
npm-6.14.10-1.14.15.4.2.module+el8.3.0+9635+ffdf8381.aarch64.rpm

noarch:
nodejs-docs-14.15.4-2.module+el8.3.0+9635+ffdf8381.noarch.rpm
nodejs-nodemon-2.0.3-1.module+el8.3.0+6519+9f98ed83.noarch.rpm
nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

ppc64le:
nodejs-14.15.4-2.module+el8.3.0+9635+ffdf8381.ppc64le.rpm
nodejs-debuginfo-14.15.4-2.module+el8.3.0+9635+ffdf8381.ppc64le.rpm
nodejs-debugsource-14.15.4-2.module+el8.3.0+9635+ffdf8381.ppc64le.rpm
nodejs-devel-14.15.4-2.module+el8.3.0+9635+ffdf8381.ppc64le.rpm
nodejs-full-i18n-14.15.4-2.module+el8.3.0+9635+ffdf8381.ppc64le.rpm
npm-6.14.10-1.14.15.4.2.module+el8.3.0+9635+ffdf8381.ppc64le.rpm

s390x:
nodejs-14.15.4-2.module+el8.3.0+9635+ffdf8381.s390x.rpm
nodejs-debuginfo-14.15.4-2.module+el8.3.0+9635+ffdf8381.s390x.rpm
nodejs-debugsource-14.15.4-2.module+el8.3.0+9635+ffdf8381.s390x.rpm
nodejs-devel-14.15.4-2.module+el8.3.0+9635+ffdf8381.s390x.rpm
nodejs-full-i18n-14.15.4-2.module+el8.3.0+9635+ffdf8381.s390x.rpm
npm-6.14.10-1.14.15.4.2.module+el8.3.0+9635+ffdf8381.s390x.rpm

x86_64:
nodejs-14.15.4-2.module+el8.3.0+9635+ffdf8381.x86_64.rpm
nodejs-debuginfo-14.15.4-2.module+el8.3.0+9635+ffdf8381.x86_64.rpm
nodejs-debugsource-14.15.4-2.module+el8.3.0+9635+ffdf8381.x86_64.rpm
nodejs-devel-14.15.4-2.module+el8.3.0+9635+ffdf8381.x86_64.rpm
nodejs-full-i18n-14.15.4-2.module+el8.3.0+9635+ffdf8381.x86_64.rpm
npm-6.14.10-1.14.15.4.2.module+el8.3.0+9635+ffdf8381.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-7754
https://access.redhat.com/security/cve/CVE-2020-7774
https://access.redhat.com/security/cve/CVE-2020-7788
https://access.redhat.com/security/cve/CVE-2020-8265
https://access.redhat.com/security/cve/CVE-2020-8277
https://access.redhat.com/security/cve/CVE-2020-8287
https://access.redhat.com/security/cve/CVE-2020-15366
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
--------------------------------------------------------------------------------

=====================================================================
Red Hat Security Advisory

Synopsis:          Moderate: nodejs:10 security update
Advisory ID:       RHSA-2021:0548-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0548
Issue date:        2021-02-16
CVE Names:         CVE-2020-7608 CVE-2020-7754 CVE-2020-7774
                   CVE-2020-7788 CVE-2020-8116 CVE-2020-8252
                   CVE-2020-8265 CVE-2020-8287 CVE-2020-15095
                   CVE-2020-15366
=====================================================================

1. Summary:

An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (10.23.1).

Security Fix(es):

* libuv: buffer overflow in realpath (CVE-2020-8252)

* nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754)

* nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)

* nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)

* nodejs-dot-prop: prototype pollution (CVE-2020-8116)

* nodejs: use-after-free in the TLS implementation (CVE-2020-8265)

* npm: sensitive information exposure through logs (CVE-2020-15095)

* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)

* nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)

* nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1840004 - CVE-2020-7608 nodejs-yargs-parser: prototype pollution vulnerability
1856875 - CVE-2020-15095 npm: sensitive information exposure through logs
1857977 - CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
1868196 - CVE-2020-8116 nodejs-dot-prop: prototype pollution
1879315 - CVE-2020-8252 libuv: buffer overflow in realpath
1892430 - CVE-2020-7754 nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS
1898680 - CVE-2020-7774 nodejs-y18n: prototype pollution vulnerability
1907444 - CVE-2020-7788 nodejs-ini: prototype pollution via malicious INI file
1912854 - CVE-2020-8265 nodejs: use-after-free in the TLS implementation
1912863 - CVE-2020-8287 nodejs: HTTP request smuggling via two copies of a header field in an http request

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
nodejs-10.23.1-1.module+el8.3.0+9502+012d8a97.src.rpm
nodejs-nodemon-1.18.3-1.module+el8+2632+6c5111ed.src.rpm
nodejs-packaging-17-3.module+el8+2873+aa7dfd9a.src.rpm

aarch64:
nodejs-10.23.1-1.module+el8.3.0+9502+012d8a97.aarch64.rpm
nodejs-debuginfo-10.23.1-1.module+el8.3.0+9502+012d8a97.aarch64.rpm
nodejs-debugsource-10.23.1-1.module+el8.3.0+9502+012d8a97.aarch64.rpm
nodejs-devel-10.23.1-1.module+el8.3.0+9502+012d8a97.aarch64.rpm
nodejs-full-i18n-10.23.1-1.module+el8.3.0+9502+012d8a97.aarch64.rpm
npm-6.14.10-1.10.23.1.1.module+el8.3.0+9502+012d8a97.aarch64.rpm

noarch:
nodejs-docs-10.23.1-1.module+el8.3.0+9502+012d8a97.noarch.rpm
nodejs-nodemon-1.18.3-1.module+el8+2632+6c5111ed.noarch.rpm
nodejs-packaging-17-3.module+el8+2873+aa7dfd9a.noarch.rpm

ppc64le:
nodejs-10.23.1-1.module+el8.3.0+9502+012d8a97.ppc64le.rpm
nodejs-debuginfo-10.23.1-1.module+el8.3.0+9502+012d8a97.ppc64le.rpm
nodejs-debugsource-10.23.1-1.module+el8.3.0+9502+012d8a97.ppc64le.rpm
nodejs-devel-10.23.1-1.module+el8.3.0+9502+012d8a97.ppc64le.rpm
nodejs-full-i18n-10.23.1-1.module+el8.3.0+9502+012d8a97.ppc64le.rpm
npm-6.14.10-1.10.23.1.1.module+el8.3.0+9502+012d8a97.ppc64le.rpm

s390x:
nodejs-10.23.1-1.module+el8.3.0+9502+012d8a97.s390x.rpm
nodejs-debuginfo-10.23.1-1.module+el8.3.0+9502+012d8a97.s390x.rpm
nodejs-debugsource-10.23.1-1.module+el8.3.0+9502+012d8a97.s390x.rpm
nodejs-devel-10.23.1-1.module+el8.3.0+9502+012d8a97.s390x.rpm
nodejs-full-i18n-10.23.1-1.module+el8.3.0+9502+012d8a97.s390x.rpm
npm-6.14.10-1.10.23.1.1.module+el8.3.0+9502+012d8a97.s390x.rpm

x86_64:
nodejs-10.23.1-1.module+el8.3.0+9502+012d8a97.x86_64.rpm
nodejs-debuginfo-10.23.1-1.module+el8.3.0+9502+012d8a97.x86_64.rpm
nodejs-debugsource-10.23.1-1.module+el8.3.0+9502+012d8a97.x86_64.rpm
nodejs-devel-10.23.1-1.module+el8.3.0+9502+012d8a97.x86_64.rpm
nodejs-full-i18n-10.23.1-1.module+el8.3.0+9502+012d8a97.x86_64.rpm
npm-6.14.10-1.10.23.1.1.module+el8.3.0+9502+012d8a97.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-7608
https://access.redhat.com/security/cve/CVE-2020-7754
https://access.redhat.com/security/cve/CVE-2020-7774
https://access.redhat.com/security/cve/CVE-2020-7788
https://access.redhat.com/security/cve/CVE-2020-8116
https://access.redhat.com/security/cve/CVE-2020-8252
https://access.redhat.com/security/cve/CVE-2020-8265
https://access.redhat.com/security/cve/CVE-2020-8287
https://access.redhat.com/security/cve/CVE-2020-15095
https://access.redhat.com/security/cve/CVE-2020-15366
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
--------------------------------------------------------------------------------

=====================================================================
Red Hat Security Advisory

Synopsis:          Moderate: nodejs:12 security update
Advisory ID:       RHSA-2021:0549-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0549
Issue date:        2021-02-16
CVE Names:         CVE-2019-10746 CVE-2019-10747 CVE-2020-7754
                   CVE-2020-7788 CVE-2020-8265 CVE-2020-8287
=====================================================================

1. Summary:

An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (12.20.1), nodejs-nodemon (2.0.3).

Security Fix(es):

* nodejs-mixin-deep: prototype pollution in function mixin-deep (CVE-2019-10746)

* nodejs-set-value: prototype pollution in function set-value (CVE-2019-10747)

* nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754)

* nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788)

* nodejs: use-after-free in the TLS implementation (CVE-2020-8265)

* nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1795475 - CVE-2019-10746 nodejs-mixin-deep: prototype pollution in function mixin-deep
1795479 - CVE-2019-10747 nodejs-set-value: prototype pollution in function set-value
1892430 - CVE-2020-7754 nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS
1907444 - CVE-2020-7788 nodejs-ini: prototype pollution via malicious INI file
1912854 - CVE-2020-8265 nodejs: use-after-free in the TLS implementation
1912863 - CVE-2020-8287 nodejs: HTTP request smuggling via two copies of a header field in an http request

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
nodejs-12.20.1-1.module+el8.3.0+9503+19cb079c.src.rpm
nodejs-nodemon-2.0.3-1.module+el8.3.0+9715+1718613f.src.rpm
nodejs-packaging-17-3.module+el8.1.0+3369+37ae6a45.src.rpm

aarch64:
nodejs-12.20.1-1.module+el8.3.0+9503+19cb079c.aarch64.rpm
nodejs-debuginfo-12.20.1-1.module+el8.3.0+9503+19cb079c.aarch64.rpm
nodejs-debugsource-12.20.1-1.module+el8.3.0+9503+19cb079c.aarch64.rpm
nodejs-devel-12.20.1-1.module+el8.3.0+9503+19cb079c.aarch64.rpm
nodejs-full-i18n-12.20.1-1.module+el8.3.0+9503+19cb079c.aarch64.rpm
npm-6.14.10-1.12.20.1.1.module+el8.3.0+9503+19cb079c.aarch64.rpm

noarch:
nodejs-docs-12.20.1-1.module+el8.3.0+9503+19cb079c.noarch.rpm
nodejs-nodemon-2.0.3-1.module+el8.3.0+9715+1718613f.noarch.rpm
nodejs-packaging-17-3.module+el8.1.0+3369+37ae6a45.noarch.rpm

ppc64le:
nodejs-12.20.1-1.module+el8.3.0+9503+19cb079c.ppc64le.rpm
nodejs-debuginfo-12.20.1-1.module+el8.3.0+9503+19cb079c.ppc64le.rpm
nodejs-debugsource-12.20.1-1.module+el8.3.0+9503+19cb079c.ppc64le.rpm
nodejs-devel-12.20.1-1.module+el8.3.0+9503+19cb079c.ppc64le.rpm
nodejs-full-i18n-12.20.1-1.module+el8.3.0+9503+19cb079c.ppc64le.rpm
npm-6.14.10-1.12.20.1.1.module+el8.3.0+9503+19cb079c.ppc64le.rpm

s390x:
nodejs-12.20.1-1.module+el8.3.0+9503+19cb079c.s390x.rpm
nodejs-debuginfo-12.20.1-1.module+el8.3.0+9503+19cb079c.s390x.rpm
nodejs-debugsource-12.20.1-1.module+el8.3.0+9503+19cb079c.s390x.rpm
nodejs-devel-12.20.1-1.module+el8.3.0+9503+19cb079c.s390x.rpm
nodejs-full-i18n-12.20.1-1.module+el8.3.0+9503+19cb079c.s390x.rpm
npm-6.14.10-1.12.20.1.1.module+el8.3.0+9503+19cb079c.s390x.rpm

x86_64:
nodejs-12.20.1-1.module+el8.3.0+9503+19cb079c.x86_64.rpm
nodejs-debuginfo-12.20.1-1.module+el8.3.0+9503+19cb079c.x86_64.rpm
nodejs-debugsource-12.20.1-1.module+el8.3.0+9503+19cb079c.x86_64.rpm
nodejs-devel-12.20.1-1.module+el8.3.0+9503+19cb079c.x86_64.rpm
nodejs-full-i18n-12.20.1-1.module+el8.3.0+9503+19cb079c.x86_64.rpm
npm-6.14.10-1.12.20.1.1.module+el8.3.0+9503+19cb079c.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10746
https://access.redhat.com/security/cve/CVE-2019-10747
https://access.redhat.com/security/cve/CVE-2020-7754
https://access.redhat.com/security/cve/CVE-2020-7788
https://access.redhat.com/security/cve/CVE-2020-8265
https://access.redhat.com/security/cve/CVE-2020-8287
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================