RHSA-2023:4537: Red Hat Security Advisory: nodejs:16 security, bug fix, and enhancement update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-30581: No description is available for this CVE.
  • CVE-2023-30588: No description is available for this CVE.
  • CVE-2023-30589: The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and v20.
  • CVE-2023-30590: No description is available for this CVE.

Synopsis

Moderate: nodejs:16 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The package has been upgraded to a later upstream version: nodejs (16.20.1). (BZ#2223678, BZ#2223680, BZ#2223682, BZ#2223684, BZ#2223686, BZ#2223688)

Security Fix(es):

  • nodejs: mainModule.proto bypass experimental policy mechanism (CVE-2023-30581)
  • nodejs: process interruption due to invalid Public Key information in x509 certificates (CVE-2023-30588)
  • nodejs: HTTP Request Smuggling via Empty headers separated by CR (CVE-2023-30589)
  • nodejs: DiffieHellman do not generate keys after setting a private key (CVE-2023-30590)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8 ppc64le
  • Red Hat Enterprise Linux Server - TUS 8.8 x86_64
  • Red Hat Enterprise Linux for ARM 64 8 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64

Fixes

  • BZ - 2219824 - CVE-2023-30581 nodejs: mainModule.proto bypass experimental policy mechanism
  • BZ - 2219838 - CVE-2023-30588 nodejs: process interruption due to invalid Public Key information in x509 certificates
  • BZ - 2219841 - CVE-2023-30589 nodejs: HTTP Request Smuggling via Empty headers separated by CR
  • BZ - 2219842 - CVE-2023-30590 nodejs: DiffieHellman do not generate keys after setting a private key
  • BZ - 2223678 - nodejs:16/nodejs: Rebase to the latest Nodejs 16 release [rhel-8] [rhel-8.8.0.z]
  • BZ - 2223688 - nodejs:16/nodejs: Remove /usr/etc/npmrc softlink. [rhel-8] [rhel-8.8.0.z]

CVEs

  • CVE-2023-30581
  • CVE-2023-30588
  • CVE-2023-30589
  • CVE-2023-30590

Related news

Gentoo Linux Security Advisory 202405-29

Gentoo Linux Security Advisory 202405-29 - Multiple vulnerabilities have been discovered in Node.js. Versions greater than or equal to 16.20.2 are affected.

Ubuntu Security Notice USN-6735-1

Ubuntu Security Notice 6735-1 - It was discovered that Node.js incorrectly handled the use of invalid public keys while creating an x509 certificate. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.10. It was discovered that Node.js incorrectly handled the use of CRLF sequences to delimit HTTP requests. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain unauthorised access. This issue only affected Ubuntu 23.10.

CVE-2023-48660: DSA-2023-443: Dell PowerMaxOS 5978, Dell Unisphere 360, Dell Unisphere for PowerMax, Dell Unisphere for PowerMax Virtual Appliance, Dell Solutions Enabler Virtual Appliance, and Dell PowerMax EEM Secu

Dell vApp Manager, versions prior to 9.2.4.x contain an arbitrary file read vulnerability. A remote attacker could potentially exploit this vulnerability to read arbitrary files from the target system.

CVE-2023-30581: Tuesday June 20 2023 Security Releases | Node.js

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18, and v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVE-2023-38735: Security Bulletin: IBM Cognos Dashboards on Cloud Pak for Data has addressed security vulnerabilities

IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a victim to a phishing site. IBM X-Force ID: 262482.

CVE-2023-22130: Oracle Critical Patch Update Advisory - October 2023

Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

Red Hat Security Advisory 2023-5533-01

Red Hat Security Advisory 2023-5533-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The package has been upgraded to a later upstream version: nodejs. Issues addressed include HTTP request smuggling, buffer overflow, bypass, crlf injection, and denial of service vulnerabilities.

RHSA-2023:5533: Red Hat Security Advisory: nodejs security, bug fix, and enhancement update

An update for nodejs is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4904: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. * CVE-2022-25881: A flaw was found in http-cache-se...

Red Hat Security Advisory 2023-5361-01

Red Hat Security Advisory 2023-5361-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling, bypass, and denial of service vulnerabilities.

RHSA-2023:5361: Red Hat Security Advisory: nodejs:16 security, bug fix, and enhancement update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting ...

Red Hat Security Advisory 2023-4536-01

Red Hat Security Advisory 2023-4536-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The package has been upgraded to a later upstream version: nodejs. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

Red Hat Security Advisory 2023-4537-01

Red Hat Security Advisory 2023-4537-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The package has been upgraded to a later upstream version: nodejs. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

RHSA-2023:4536: Red Hat Security Advisory: nodejs:18 security, bug fix, and enhancement update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-30581: No description is available for this CVE.
  • CVE-2023-30588: No description is available for this CVE.
  • CVE-2023-30589: The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to de...

Red Hat Security Advisory 2023-4330-01

Red Hat Security Advisory 2023-4330-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

Red Hat Security Advisory 2023-4331-01

Red Hat Security Advisory 2023-4331-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

RHSA-2023:4331: Red Hat Security Advisory: nodejs security, bug fix, and enhancement update

An update for nodejs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-30581: No description is available for this CVE.
  • CVE-2023-30588: No description is available for this CVE.
  • CVE-2023-30589: The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP hea...

CVE-2023-37276: aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. The vulnerable code is used by aiohttp for its HTTP request parser when available, which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (i.e. `aiohttp.Application`); you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (i.e. `aiohttp.ClientSession`). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values, leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable.

CVE-2023-30589

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and v20.