Headline
CVE-2020-14354: [SECURITY] Fedora 33 Update: nodejs-14.15.1-1.fc33 - package-announce
A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability.
-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2020-43d5a372fc 2020-12-13 02:07:36.430414 -------------------------------------------------------------------------------- Name : nodejs Product : Fedora 33 Version : 14.15.1 Release : 1.fc33 URL : http://nodejs.org/ Summary : JavaScript runtime Description : Node.js is a platform built on Chrome’s JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices. -------------------------------------------------------------------------------- Update Information: Update to 14.15.1 -------------------------------------------------------------------------------- ChangeLog: * Wed Dec 2 2020 Stephen Gallagher <sgallagh(a)redhat.com> - 1:14.15.1-1 - Update to 14.15.1 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1846887 - CVE-2020-10531 nodejs: ICU: Integer overflow in UnicodeString::doAppend() [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1846887 [ 2 ] Bug #1846892 - CVE-2020-10531 nodejs:14/nodejs: ICU: Integer overflow in UnicodeString::doAppend() [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1846892 [ 3 ] Bug #1847485 - CVE-2020-11080 nodejs:14/nghttp2: overly large SETTINGS frames can lead to DoS [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1847485 [ 4 ] Bug #1856877 - CVE-2020-15095 nodejs: npm: Sensitive information exposure through logs [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1856877 [ 5 ] Bug #1866840 - CVE-2020-14354 nodejs: c-ares: ares_destroy() with pending ares_getaddrinfo() leads to Use-After-Free [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1866840 [ 6 ] Bug #1879333 - CVE-2020-8251 nodejs: Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1879333 [ 7 ] Bug #1879334 - CVE-2020-8251 nodejs:14/nodejs: Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1879334 [ 8 ] Bug #1879336 - CVE-2020-8252 nodejs: libuv: buffer overflow in realpath [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1879336 [ 9 ] Bug #1879341 - CVE-2020-8201 nodejs: HTTP Request Smuggling due to CR-to-Hyphen conversion [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1879341 [ 10 ] Bug #1879342 - CVE-2020-8252 nodejs:14/nodejs: libuv: buffer overflow in realpath [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1879342 [ 11 ] Bug #1879346 - CVE-2020-8201 nodejs:14/nodejs: HTTP Request Smuggling due to CR-to-Hyphen conversion [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1879346 -------------------------------------------------------------------------------- This update can be installed with the “dnf” update program. Use su -c ‘dnf upgrade --advisory FEDORA-2020-43d5a372fc’ at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------
Related news
Ubuntu Security Notice 6142-1 - Gal Goldshtein discovered that nghttp2 incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.
Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections.
Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
Container-native virtualization release 2.3.0 is now available with updates to packages and images that fix several bugs and add enhancements.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-1701: virt-handler: virt-handler daemonset clusterroles allows retrieval of secrets * CVE-2020-1742: nmstate/kubernetes-nmstate-handler: /etc/passwd is given incorrect privileges
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.