RHSA-2022:0350: Red Hat Security Advisory: nodejs:14 security, bug fix, and enhancement update

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2020-7788: nodejs-ini: Prototype pollution via malicious INI file
  • CVE-2020-28469: nodejs-glob-parent: Regular expression denial of service
  • CVE-2021-3807: nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
  • CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability
  • CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers
  • CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests
  • CVE-2021-33502: normalize-url: ReDoS for data URLs
  • CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
  • CVE-2021-37712: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
Red Hat Security Data


Issued:

2022-02-01

Updated:

2022-02-01

RHSA-2022:0350 - Security Advisory


Synopsis

Moderate: nodejs:14 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate


Topic

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (14.18.2), nodejs-nodemon (2.0.15). (BZ#2027609)

Security Fix(es):

  • nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)
  • nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)
  • nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
  • nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
  • normalize-url: ReDoS for data URLs (CVE-2021-33502)
  • nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701)
  • nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712)
  • llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)
  • llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
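The advisory names the fixed nodejs:14 builds but leaves the check to the administrator. The following script is an added example, not part of the advisory and not Red Hat's tooling: it compares the installed version-release of each package the advisory covers, as printed by `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, against the fixed version-release strings listed above for RHEL 8. The comparison routine is a reimplementation of rpm's rpmvercmp segment rules (numeric and alphabetic segments plus `~`; epoch and `^` are ignored, which is a simplifying assumption that holds when both sides come from the same module stream). The sample `rpm -qa` lines are constructed, including the made-up release strings of the still-vulnerable builds.

```python
import re

# Fixed version-release strings taken from RHSA-2022:0350 (RHEL 8; every
# architecture ships the same version-release for these packages).
FIXED = {
    "nodejs": "14.18.2-2.module+el8.5.0+13644+8d46dafd",
    "npm": "6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd",
    "nodejs-nodemon": "2.0.15-1.module+el8.5.0+13504+a2e74d91",
    "nodejs-packaging": "23-3.module+el8.3.0+6519+9f98ed83",
}


def rpmvercmp(a: str, b: str) -> int:
    """Reimplementation of rpm's rpmvercmp() segment rules ('^' is not handled,
    an assumption of this example). Returns 1 if a is newer, -1 if b is newer,
    0 if they are equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything that is not alphanumeric or '~') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # '~' sorts before everything, including end of string (1.0~rc1 < 1.0).
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take a run of digits or a run of letters from each side.
        if a[i].isdigit():
            ma, mb, numeric = re.match(r"[0-9]+", a[i:]), re.match(r"[0-9]+", b[j:]), True
        else:
            ma, mb, numeric = re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]+", b[j:]), False
        if mb is None:
            # Segment types differ: a numeric segment is newer than an alpha one.
            return 1 if numeric else -1
        sa, sb = ma.group(0), mb.group(0)
        i += len(sa)
        j += len(sb)
        if numeric:
            # Numeric segments: drop leading zeros, then the longer one is larger.
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    # Whichever side still has characters left is newer.
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evr_cmp(installed: str, fixed: str) -> int:
    """Compare two 'version-release' strings: version first, then release.
    Epoch is ignored (assumption: both builds belong to the same stream)."""
    iv, _, ir = installed.rpartition("-")
    fv, _, fr = fixed.rpartition("-")
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def audit(rpm_qa_lines):
    r"""Classify each advisory-covered package as 'fixed' or 'vulnerable'.
    Input lines have the shape produced by
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'."""
    status = {}
    for line in rpm_qa_lines:
        name, _, vr = line.strip().partition(" ")
        if name in FIXED and vr:
            status[name] = "fixed" if evr_cmp(vr, FIXED[name]) >= 0 else "vulnerable"
    return status


# Constructed sample output: nodejs and npm are still on a 14.17.x build
# (the release strings are made up); nodemon and packaging are current.
SAMPLE_RPM_QA = [
    "nodejs 14.17.6-1.module+el8.4.0+0000+00000000",
    "npm 6.14.15-1.14.17.6.1.module+el8.4.0+0000+00000000",
    "nodejs-nodemon 2.0.15-1.module+el8.5.0+13504+a2e74d91",
    "nodejs-packaging 23-3.module+el8.3.0+6519+9f98ed83",
    "bash 4.4.20-2.el8",  # not covered by this advisory, ignored
]

if __name__ == "__main__":
    for name, state in sorted(audit(SAMPLE_RPM_QA).items()):
        print(f"{name:18} {state}")
```

On a real host, feed `audit()` the lines of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` instead of the constructed sample; any package reported as `vulnerable` is below the build this advisory ships. The version-release strings are the only inputs that come from the advisory, so the same table-driven check can be reused for later nodejs:14 errata by replacing `FIXED`.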

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 1907444 - CVE-2020-7788 nodejs-ini: Prototype pollution via malicious INI file
  • BZ - 1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service
  • BZ - 1964461 - CVE-2021-33502 normalize-url: ReDoS for data URLs
  • BZ - 1999731 - CVE-2021-37701 nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
  • BZ - 1999739 - CVE-2021-37712 nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
  • BZ - 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
  • BZ - 2014057 - CVE-2021-22959 llhttp: HTTP Request Smuggling due to spaces in headers
  • BZ - 2014059 - CVE-2021-22960 llhttp: HTTP Request Smuggling when parsing the body of chunked requests
  • BZ - 2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability

CVEs

  • CVE-2020-7788
  • CVE-2020-28469
  • CVE-2021-3807
  • CVE-2021-3918
  • CVE-2021-22959
  • CVE-2021-22960
  • CVE-2021-33502
  • CVE-2021-37701
  • CVE-2021-37712

Red Hat Enterprise Linux for x86_64 8

SRPM

nodejs-14.18.2-2.module+el8.5.0+13644+8d46dafd.src.rpm

SHA-256: bae263c6a1435686ff98fa02980c979034fa93449291e64790b86b1d82f92d80

nodejs-nodemon-2.0.15-1.module+el8.5.0+13504+a2e74d91.src.rpm

SHA-256: ce18a1447af58c9b3afbf530d3ef596aec4dd606e737d1c27bd4f0b23c7186f5

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

SHA-256: 550d2f0197e4e69e9cfba813170d0fab3911749327f0c30db022424702287709

x86_64

nodejs-docs-14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch.rpm

SHA-256: b1aaa4bf6da1a4ee2e9278462d96aea4e8033f09f57eccf11c70f4c328a6131b

nodejs-nodemon-2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch.rpm

SHA-256: f7ca00565c89b3cdcfa076b8682ba0bfdb4f6e468150612e2af3fecdf4bd1f63

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

SHA-256: d0ffb55491051b33ed7a0c9d1dfeb65ef76f367c9df1065140d0fa830091b169

nodejs-14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64.rpm

SHA-256: 158df31fc8a675ac245abde92a54c53ae827992a48292ca2b08094ccbab765e6

nodejs-debuginfo-14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64.rpm

SHA-256: 93813a389f629845fe0bed9584e2896c9fbaf257c0512e8dd82aea5c0fc2aef4

nodejs-debugsource-14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64.rpm

SHA-256: 0749a6178207aa771c28c9ff2cd136651fa7f2969a4ef8dd28028e2d7172930c

nodejs-devel-14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64.rpm

SHA-256: 7b144b2b6c45a982c79a4a863c62054e5f591ff7e606ca7a5302cd6002c201b5

nodejs-full-i18n-14.18.2-2.module+el8.5.0+13644+8d46dafd.x86_64.rpm

SHA-256: f0cd8ca0fe43df95c36ccb7f12786a6570e957dd3c67e55ecacb4c1a80d0905a

npm-6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.x86_64.rpm

SHA-256: d7ca6d8b5be3b5c6f5e358049d0cef3fad62995f18569a2b5c4457d9a715be5d

Red Hat Enterprise Linux for IBM z Systems 8

SRPM

nodejs-14.18.2-2.module+el8.5.0+13644+8d46dafd.src.rpm

SHA-256: bae263c6a1435686ff98fa02980c979034fa93449291e64790b86b1d82f92d80

nodejs-nodemon-2.0.15-1.module+el8.5.0+13504+a2e74d91.src.rpm

SHA-256: ce18a1447af58c9b3afbf530d3ef596aec4dd606e737d1c27bd4f0b23c7186f5

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

SHA-256: 550d2f0197e4e69e9cfba813170d0fab3911749327f0c30db022424702287709

s390x

nodejs-docs-14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch.rpm

SHA-256: b1aaa4bf6da1a4ee2e9278462d96aea4e8033f09f57eccf11c70f4c328a6131b

nodejs-nodemon-2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch.rpm

SHA-256: f7ca00565c89b3cdcfa076b8682ba0bfdb4f6e468150612e2af3fecdf4bd1f63

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

SHA-256: d0ffb55491051b33ed7a0c9d1dfeb65ef76f367c9df1065140d0fa830091b169

nodejs-14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x.rpm

SHA-256: 24c2c2839e1b5236329fa1a7f2f72c76e123bd6459ae8263f0cf431d75be2655

nodejs-debuginfo-14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x.rpm

SHA-256: ae50b61a621b51782cd1ae203aeef2213b1a7aaa08fc789bbc624a648da9064f

nodejs-debugsource-14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x.rpm

SHA-256: 0606454b0172379299be987307b74d5fe1adfbbad1ec29b8414239499bb73e01

nodejs-devel-14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x.rpm

SHA-256: 089c013d3d388d566d6c029f429f74b9f0c4e897fd5b97a9e161121d6347d606

nodejs-full-i18n-14.18.2-2.module+el8.5.0+13644+8d46dafd.s390x.rpm

SHA-256: f8779f42dc59316b2d825c2125a144d10c257820064e7572f80263f6936b19f4

npm-6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.s390x.rpm

SHA-256: 803f5e06088f80b7e33e523e843b94be1651ac41970eefb037ecf6921ed6d595

Red Hat Enterprise Linux for Power, little endian 8

SRPM

nodejs-14.18.2-2.module+el8.5.0+13644+8d46dafd.src.rpm

SHA-256: bae263c6a1435686ff98fa02980c979034fa93449291e64790b86b1d82f92d80

nodejs-nodemon-2.0.15-1.module+el8.5.0+13504+a2e74d91.src.rpm

SHA-256: ce18a1447af58c9b3afbf530d3ef596aec4dd606e737d1c27bd4f0b23c7186f5

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

SHA-256: 550d2f0197e4e69e9cfba813170d0fab3911749327f0c30db022424702287709

ppc64le

nodejs-docs-14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch.rpm

SHA-256: b1aaa4bf6da1a4ee2e9278462d96aea4e8033f09f57eccf11c70f4c328a6131b

nodejs-nodemon-2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch.rpm

SHA-256: f7ca00565c89b3cdcfa076b8682ba0bfdb4f6e468150612e2af3fecdf4bd1f63

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

SHA-256: d0ffb55491051b33ed7a0c9d1dfeb65ef76f367c9df1065140d0fa830091b169

nodejs-14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le.rpm

SHA-256: 6b6d73f8ab900d36643d1c010b288a3c02b84ff7890371c5031a6baa5f8bbb8f

nodejs-debuginfo-14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le.rpm

SHA-256: 78e981aecccaad8a59663f4ca638604a0e492a9eaa32941edf30aa6558d2c567

nodejs-debugsource-14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le.rpm

SHA-256: c90e7d317b2155668e0ce610d3984ce6afae0419149cb8bac3d455be8f554dda

nodejs-devel-14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le.rpm

SHA-256: 55f14e012fcdc0f019b31e91fae94e659d8108b9d7408c604bfd56c31b460329

nodejs-full-i18n-14.18.2-2.module+el8.5.0+13644+8d46dafd.ppc64le.rpm

SHA-256: 6041494cf558ccb09a82b1b259be3ac06c9600d0672503d76958049ecda7c438

npm-6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.ppc64le.rpm

SHA-256: 4ee9a73e29df229a7d768a7ca8c5c46c3aa42e3c3618793c1daef4c4795f23e6

Red Hat Enterprise Linux for ARM 64 8

SRPM

nodejs-14.18.2-2.module+el8.5.0+13644+8d46dafd.src.rpm

SHA-256: bae263c6a1435686ff98fa02980c979034fa93449291e64790b86b1d82f92d80

nodejs-nodemon-2.0.15-1.module+el8.5.0+13504+a2e74d91.src.rpm

SHA-256: ce18a1447af58c9b3afbf530d3ef596aec4dd606e737d1c27bd4f0b23c7186f5

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.src.rpm

SHA-256: 550d2f0197e4e69e9cfba813170d0fab3911749327f0c30db022424702287709

aarch64

nodejs-14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64.rpm

SHA-256: 09ec3e900de3ffdfef0e4dad7bf5a78e5ec9ae3bb758972437933bd4e63fb7d4

nodejs-debuginfo-14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64.rpm

SHA-256: ca99bed0ad694ac59f2d8e21f29dab8a005b1e371c1ffff4ac50787a467a76d7

nodejs-debugsource-14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64.rpm

SHA-256: 115f2e669e09e9528b324b0c97274711f36d587cb1512479b98f4beaad365f06

nodejs-devel-14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64.rpm

SHA-256: 7df75bed6c3aa5eeab57455209837c12e44aabcc7ecebd3d4b0c6db64ea1b8d4

nodejs-docs-14.18.2-2.module+el8.5.0+13644+8d46dafd.noarch.rpm

SHA-256: b1aaa4bf6da1a4ee2e9278462d96aea4e8033f09f57eccf11c70f4c328a6131b

nodejs-full-i18n-14.18.2-2.module+el8.5.0+13644+8d46dafd.aarch64.rpm

SHA-256: d76deda6f9e71020697610ab2d69d7466a675713e3f7828f51b72ed61962c0a7

nodejs-nodemon-2.0.15-1.module+el8.5.0+13504+a2e74d91.noarch.rpm

SHA-256: f7ca00565c89b3cdcfa076b8682ba0bfdb4f6e468150612e2af3fecdf4bd1f63

nodejs-packaging-23-3.module+el8.3.0+6519+9f98ed83.noarch.rpm

SHA-256: d0ffb55491051b33ed7a0c9d1dfeb65ef76f367c9df1065140d0fa830091b169

npm-6.14.15-1.14.18.2.2.module+el8.5.0+13644+8d46dafd.aarch64.rpm

SHA-256: fabd93cfdfb9981f364a326b005ba580bcd04eddfbb6b7f6636245b69ef99c33

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
