
RHSA-2023:5361: Red Hat Security Advisory: nodejs:16 security, bug fix, and enhancement update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the node-semver package via the ‘new Range’ function. An attacker could pass an untrusted, malicious string as a range, causing the service to consume excessive CPU depending on the input size, resulting in a denial of service.
  • CVE-2023-30581: A vulnerability has been discovered in Node.js where the use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition.
  • CVE-2023-30588: A vulnerability has been identified in Node.js where creating an X.509 certificate with an invalid public key through the crypto.X509Certificate() API causes an unexpected process termination: the process exits when user code accesses the public key information of the supplied certificate. An attacker who can supply such a certificate can therefore force interruptions of application processing; the current context of the affected users is lost, which results in a denial of service.
  • CVE-2023-30589: A vulnerability has been identified in Node.js where the llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
  • CVE-2023-30590: A vulnerability has been identified in Node.js where the generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys; that is, it only generates a private key if none has been set yet.
  • CVE-2023-32002: A vulnerability was found in Node.js. The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
  • CVE-2023-32006: A vulnerability was found in Node.js. The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
  • CVE-2023-32559: A vulnerability was found in Node.js. The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules, and eventually take advantage of process.binding(‘spawn_sync’) to run arbitrary code outside of the limits defined in a policy.json file.
Red Hat Security Data

Synopsis

Important: nodejs:16 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important


Topic

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (16). (BZ#2223679, BZ#2223681, BZ#2223683, BZ#2223685, BZ#2223687, BZ#2233892)

Security Fix(es):

  • nodejs: Permissions policies can be bypassed via Module._load (CVE-2023-32002)
  • nodejs-semver: Regular expression denial of service (CVE-2022-25883)
  • nodejs: mainModule.__proto__ bypass experimental policy mechanism (CVE-2023-30581)
  • nodejs: process interruption due to invalid Public Key information in x509 certificates (CVE-2023-30588)
  • nodejs: HTTP Request Smuggling via Empty headers separated by CR (CVE-2023-30589)
  • nodejs: DiffieHellman does not generate keys after setting a private key (CVE-2023-30590)
  • nodejs: Permissions policies can be bypassed by impersonating other modules using module.constructor.createRequire() (CVE-2023-32006)
  • nodejs: Permissions policies can be bypassed via process.binding (CVE-2023-32559)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • nodejs:16/nodejs: nodejs.prov doesn’t generate the bundled dependency for modules starting with @, like @colors/colors (BZ#2237395)

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6 x86_64
  • Red Hat Enterprise Linux Server - AUS 8.6 x86_64
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6 s390x
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6 ppc64le
  • Red Hat Enterprise Linux Server - TUS 8.6 x86_64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64

Fixes

  • BZ - 2216475 - CVE-2022-25883 nodejs-semver: Regular expression denial of service
  • BZ - 2219824 - CVE-2023-30581 nodejs: mainModule.__proto__ bypass experimental policy mechanism
  • BZ - 2219838 - CVE-2023-30588 nodejs: process interruption due to invalid Public Key information in x509 certificates
  • BZ - 2219841 - CVE-2023-30589 nodejs: HTTP Request Smuggling via Empty headers separated by CR
  • BZ - 2219842 - CVE-2023-30590 nodejs: DiffieHellman does not generate keys after setting a private key
  • BZ - 2223679 - nodejs:16/nodejs: Rebase to the latest Nodejs 16 release [rhel-8] [rhel-8.6.0.z]
  • BZ - 2230948 - CVE-2023-32002 nodejs: Permissions policies can be bypassed via Module._load
  • BZ - 2230955 - CVE-2023-32006 nodejs: Permissions policies can be bypassed by impersonating other modules using module.constructor.createRequire()
  • BZ - 2230956 - CVE-2023-32559 nodejs: Permissions policies can be bypassed via process.binding
  • BZ - 2233892 - nodejs:16/nodejs: Rebase to the latest Nodejs 16 release [rhel-8] [rhel-8.6.0.z]
  • BZ - 2237395 - nodejs:16/nodejs: nodejs.prov doesn’t generate the bundled dependency for modules starting with @, like @colors/colors [rhel-8.6.0.z]

CVEs

  • CVE-2022-25883
  • CVE-2023-30581
  • CVE-2023-30588
  • CVE-2023-30589
  • CVE-2023-30590
  • CVE-2023-32002
  • CVE-2023-32006
  • CVE-2023-32559

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6

SRPM

nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.src.rpm

SHA-256: bab0c1172f7d21a383dae847459b106c31f0713addeb8d36d74d9b2227d130cb

nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.src.rpm

SHA-256: ba93470ef2926528470de1d3c52bbbf90e2616adca0c4282b260fd3296f24ede

nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.src.rpm

SHA-256: 3eb91afb610538479089597bda2f7775668b51bd835a9319a229017fb020ce26

x86_64

nodejs-docs-16.20.2-2.module+el8.6.0+19897+9590a839.noarch.rpm

SHA-256: 555b219eea777fb8003e102245391a343de30788e80fc9a516289f28e6ded08a

nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.noarch.rpm

SHA-256: 5d08dc893f368dedb40ea881887a24045855d98adbecde718dd20dd394884ccf

nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.noarch.rpm

SHA-256: b5e40bbee4590af989f1eacdc36cfdb44a3e2007ce7091d140b6a0c3770c289c

nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 15fa324758b96cb7ead2430e4f6a8b212a5015280e10a2651960ea44074ca38b

nodejs-debuginfo-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 418402f0d13d2e70fe18dd371d0aa36d84d9018cd47b66bd32df0bfc03e4c713

nodejs-debugsource-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 1021731a0a5ef8e148cb315d4d7d5cdc4061666b30fdb26ba18614c413deb401

nodejs-devel-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 974b1be69b61a0017abd8ab2ce7941f30ee7c788cdef488aa7a92ec45bff07ce

nodejs-full-i18n-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: d22e4d82fcb6886a90eeb16d409c5f42c2adc560b6c62321967b0ab4092affc4

npm-8.19.4-1.16.20.2.2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 86d767ce3eeb52d3fd0f17b2b11e70381127b14919bfa043988d8bb5f7978854

Red Hat Enterprise Linux Server - AUS 8.6

SRPM

nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.src.rpm

SHA-256: bab0c1172f7d21a383dae847459b106c31f0713addeb8d36d74d9b2227d130cb

nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.src.rpm

SHA-256: ba93470ef2926528470de1d3c52bbbf90e2616adca0c4282b260fd3296f24ede

nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.src.rpm

SHA-256: 3eb91afb610538479089597bda2f7775668b51bd835a9319a229017fb020ce26

x86_64

nodejs-docs-16.20.2-2.module+el8.6.0+19897+9590a839.noarch.rpm

SHA-256: 555b219eea777fb8003e102245391a343de30788e80fc9a516289f28e6ded08a

nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.noarch.rpm

SHA-256: 5d08dc893f368dedb40ea881887a24045855d98adbecde718dd20dd394884ccf

nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.noarch.rpm

SHA-256: b5e40bbee4590af989f1eacdc36cfdb44a3e2007ce7091d140b6a0c3770c289c

nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 15fa324758b96cb7ead2430e4f6a8b212a5015280e10a2651960ea44074ca38b

nodejs-debuginfo-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 418402f0d13d2e70fe18dd371d0aa36d84d9018cd47b66bd32df0bfc03e4c713

nodejs-debugsource-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 1021731a0a5ef8e148cb315d4d7d5cdc4061666b30fdb26ba18614c413deb401

nodejs-devel-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 974b1be69b61a0017abd8ab2ce7941f30ee7c788cdef488aa7a92ec45bff07ce

nodejs-full-i18n-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: d22e4d82fcb6886a90eeb16d409c5f42c2adc560b6c62321967b0ab4092affc4

npm-8.19.4-1.16.20.2.2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 86d767ce3eeb52d3fd0f17b2b11e70381127b14919bfa043988d8bb5f7978854

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6

SRPM

nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.src.rpm

SHA-256: bab0c1172f7d21a383dae847459b106c31f0713addeb8d36d74d9b2227d130cb

nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.src.rpm

SHA-256: ba93470ef2926528470de1d3c52bbbf90e2616adca0c4282b260fd3296f24ede

nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.src.rpm

SHA-256: 3eb91afb610538479089597bda2f7775668b51bd835a9319a229017fb020ce26

s390x

nodejs-docs-16.20.2-2.module+el8.6.0+19897+9590a839.noarch.rpm

SHA-256: 555b219eea777fb8003e102245391a343de30788e80fc9a516289f28e6ded08a

nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.noarch.rpm

SHA-256: 5d08dc893f368dedb40ea881887a24045855d98adbecde718dd20dd394884ccf

nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.noarch.rpm

SHA-256: b5e40bbee4590af989f1eacdc36cfdb44a3e2007ce7091d140b6a0c3770c289c

nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.s390x.rpm

SHA-256: 88aa9c9b10cebdf97843dc6595b8b9478135f6f27c35e592f8a9856981446dd3

nodejs-debuginfo-16.20.2-2.module+el8.6.0+19897+9590a839.s390x.rpm

SHA-256: 168115ab4f34895d20bf4736dc5972d550293aa5a661f4d1d1f3340686433dc0

nodejs-debugsource-16.20.2-2.module+el8.6.0+19897+9590a839.s390x.rpm

SHA-256: 2e562e8507eb224332837e59aef15636e14c9f21bcf786b45519dee7facecdf6

nodejs-devel-16.20.2-2.module+el8.6.0+19897+9590a839.s390x.rpm

SHA-256: 1c12ba7733531f20fdeacdba5b2720dd65fd18d0ce4571a8ab509aea6f294ff6

nodejs-full-i18n-16.20.2-2.module+el8.6.0+19897+9590a839.s390x.rpm

SHA-256: 58eaf525161d9dba94471ebd6377d55c584cbb1e78e594bdf7d67aefe3898d71

npm-8.19.4-1.16.20.2.2.module+el8.6.0+19897+9590a839.s390x.rpm

SHA-256: 01b3f8edf7c4fb72fdedf483d343d1870fb1c49a944ae4b9f4612a522d8b14d4

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6

SRPM

nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.src.rpm

SHA-256: bab0c1172f7d21a383dae847459b106c31f0713addeb8d36d74d9b2227d130cb

nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.src.rpm

SHA-256: ba93470ef2926528470de1d3c52bbbf90e2616adca0c4282b260fd3296f24ede

nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.src.rpm

SHA-256: 3eb91afb610538479089597bda2f7775668b51bd835a9319a229017fb020ce26

ppc64le

nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm

SHA-256: 64b82d9f349a864b3d06093f78b5366f8110fe1f4bba8360ef943a614c24e4dc

nodejs-debuginfo-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm

SHA-256: 7322775f9769d4fc15465d3ce4272f66d0bd080dce476e1c807a27aa7d64f420

nodejs-debugsource-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm

SHA-256: 957503446f09b5a630b65f2db563246516f6ddd28d4d6d14ee66a049e45155af

nodejs-devel-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm

SHA-256: a25ae45c27cef8ef25e33c9b92176bada823635e2bac74d66aeba7565154f70e

nodejs-docs-16.20.2-2.module+el8.6.0+19897+9590a839.noarch.rpm

SHA-256: 555b219eea777fb8003e102245391a343de30788e80fc9a516289f28e6ded08a

nodejs-full-i18n-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm

SHA-256: 5ebe82eb144127cae90947ae1ae922a150625ab12c8ada4b1ff92195282ce3ca

nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.noarch.rpm

SHA-256: 5d08dc893f368dedb40ea881887a24045855d98adbecde718dd20dd394884ccf

nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.noarch.rpm

SHA-256: b5e40bbee4590af989f1eacdc36cfdb44a3e2007ce7091d140b6a0c3770c289c

npm-8.19.4-1.16.20.2.2.module+el8.6.0+19897+9590a839.ppc64le.rpm

SHA-256: 61f3b5fd2fbcec1471042dec6cafb98a3407e2ae52e34e5314edcb91b6003f9e

Red Hat Enterprise Linux Server - TUS 8.6

SRPM

nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.src.rpm

SHA-256: bab0c1172f7d21a383dae847459b106c31f0713addeb8d36d74d9b2227d130cb

nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.src.rpm

SHA-256: ba93470ef2926528470de1d3c52bbbf90e2616adca0c4282b260fd3296f24ede

nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.src.rpm

SHA-256: 3eb91afb610538479089597bda2f7775668b51bd835a9319a229017fb020ce26

x86_64

nodejs-docs-16.20.2-2.module+el8.6.0+19897+9590a839.noarch.rpm

SHA-256: 555b219eea777fb8003e102245391a343de30788e80fc9a516289f28e6ded08a

nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.noarch.rpm

SHA-256: 5d08dc893f368dedb40ea881887a24045855d98adbecde718dd20dd394884ccf

nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.noarch.rpm

SHA-256: b5e40bbee4590af989f1eacdc36cfdb44a3e2007ce7091d140b6a0c3770c289c

nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 15fa324758b96cb7ead2430e4f6a8b212a5015280e10a2651960ea44074ca38b

nodejs-debuginfo-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 418402f0d13d2e70fe18dd371d0aa36d84d9018cd47b66bd32df0bfc03e4c713

nodejs-debugsource-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 1021731a0a5ef8e148cb315d4d7d5cdc4061666b30fdb26ba18614c413deb401

nodejs-devel-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 974b1be69b61a0017abd8ab2ce7941f30ee7c788cdef488aa7a92ec45bff07ce

nodejs-full-i18n-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: d22e4d82fcb6886a90eeb16d409c5f42c2adc560b6c62321967b0ab4092affc4

npm-8.19.4-1.16.20.2.2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 86d767ce3eeb52d3fd0f17b2b11e70381127b14919bfa043988d8bb5f7978854

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6

SRPM

nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.src.rpm

SHA-256: bab0c1172f7d21a383dae847459b106c31f0713addeb8d36d74d9b2227d130cb

nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.src.rpm

SHA-256: ba93470ef2926528470de1d3c52bbbf90e2616adca0c4282b260fd3296f24ede

nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.src.rpm

SHA-256: 3eb91afb610538479089597bda2f7775668b51bd835a9319a229017fb020ce26

aarch64

nodejs-docs-16.20.2-2.module+el8.6.0+19897+9590a839.noarch.rpm

SHA-256: 555b219eea777fb8003e102245391a343de30788e80fc9a516289f28e6ded08a

nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.noarch.rpm

SHA-256: 5d08dc893f368dedb40ea881887a24045855d98adbecde718dd20dd394884ccf

nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.noarch.rpm

SHA-256: b5e40bbee4590af989f1eacdc36cfdb44a3e2007ce7091d140b6a0c3770c289c

nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.aarch64.rpm

SHA-256: 2283630de247b7016622ff2f657137ee19c8e43a7024115b06e6a484c9245986

nodejs-debuginfo-16.20.2-2.module+el8.6.0+19897+9590a839.aarch64.rpm

SHA-256: 46fc7fda53b8c9a7587404d64ca26a61eb29cb4aaab661b58805fba214305646

nodejs-debugsource-16.20.2-2.module+el8.6.0+19897+9590a839.aarch64.rpm

SHA-256: d343b749397b8087b1d5ba7c09e947347374f55eec571fa830206e48f115e4e7

nodejs-devel-16.20.2-2.module+el8.6.0+19897+9590a839.aarch64.rpm

SHA-256: 1fe9a334f6e5c48373af6e51ed332b6cd8f8c9395f5fd75f7b870838b1c949f1

nodejs-full-i18n-16.20.2-2.module+el8.6.0+19897+9590a839.aarch64.rpm

SHA-256: c422c41b57b331f4e1b38601a8e8fb43e4e4b2d50ffd9777cea483d301b6780f

npm-8.19.4-1.16.20.2.2.module+el8.6.0+19897+9590a839.aarch64.rpm

SHA-256: 55adcce721bdebb9c23657f7f2e1c8b40f4ae68fd4f79014175b30278292f589

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6

SRPM

nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.src.rpm

SHA-256: bab0c1172f7d21a383dae847459b106c31f0713addeb8d36d74d9b2227d130cb

nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.src.rpm

SHA-256: ba93470ef2926528470de1d3c52bbbf90e2616adca0c4282b260fd3296f24ede

nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.src.rpm

SHA-256: 3eb91afb610538479089597bda2f7775668b51bd835a9319a229017fb020ce26

ppc64le

nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm

SHA-256: 64b82d9f349a864b3d06093f78b5366f8110fe1f4bba8360ef943a614c24e4dc

nodejs-debuginfo-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm

SHA-256: 7322775f9769d4fc15465d3ce4272f66d0bd080dce476e1c807a27aa7d64f420

nodejs-debugsource-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm

SHA-256: 957503446f09b5a630b65f2db563246516f6ddd28d4d6d14ee66a049e45155af

nodejs-devel-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm

SHA-256: a25ae45c27cef8ef25e33c9b92176bada823635e2bac74d66aeba7565154f70e

nodejs-docs-16.20.2-2.module+el8.6.0+19897+9590a839.noarch.rpm

SHA-256: 555b219eea777fb8003e102245391a343de30788e80fc9a516289f28e6ded08a

nodejs-full-i18n-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm

SHA-256: 5ebe82eb144127cae90947ae1ae922a150625ab12c8ada4b1ff92195282ce3ca

nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.noarch.rpm

SHA-256: 5d08dc893f368dedb40ea881887a24045855d98adbecde718dd20dd394884ccf

nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.noarch.rpm

SHA-256: b5e40bbee4590af989f1eacdc36cfdb44a3e2007ce7091d140b6a0c3770c289c

npm-8.19.4-1.16.20.2.2.module+el8.6.0+19897+9590a839.ppc64le.rpm

SHA-256: 61f3b5fd2fbcec1471042dec6cafb98a3407e2ae52e34e5314edcb91b6003f9e

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6

SRPM

nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.src.rpm

SHA-256: bab0c1172f7d21a383dae847459b106c31f0713addeb8d36d74d9b2227d130cb

nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.src.rpm

SHA-256: ba93470ef2926528470de1d3c52bbbf90e2616adca0c4282b260fd3296f24ede

nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.src.rpm

SHA-256: 3eb91afb610538479089597bda2f7775668b51bd835a9319a229017fb020ce26

x86_64

nodejs-docs-16.20.2-2.module+el8.6.0+19897+9590a839.noarch.rpm

SHA-256: 555b219eea777fb8003e102245391a343de30788e80fc9a516289f28e6ded08a

nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.noarch.rpm

SHA-256: 5d08dc893f368dedb40ea881887a24045855d98adbecde718dd20dd394884ccf

nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.noarch.rpm

SHA-256: b5e40bbee4590af989f1eacdc36cfdb44a3e2007ce7091d140b6a0c3770c289c

nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 15fa324758b96cb7ead2430e4f6a8b212a5015280e10a2651960ea44074ca38b

nodejs-debuginfo-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 418402f0d13d2e70fe18dd371d0aa36d84d9018cd47b66bd32df0bfc03e4c713

nodejs-debugsource-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 1021731a0a5ef8e148cb315d4d7d5cdc4061666b30fdb26ba18614c413deb401

nodejs-devel-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 974b1be69b61a0017abd8ab2ce7941f30ee7c788cdef488aa7a92ec45bff07ce

nodejs-full-i18n-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: d22e4d82fcb6886a90eeb16d409c5f42c2adc560b6c62321967b0ab4092affc4

npm-8.19.4-1.16.20.2.2.module+el8.6.0+19897+9590a839.x86_64.rpm

SHA-256: 86d767ce3eeb52d3fd0f17b2b11e70381127b14919bfa043988d8bb5f7978854

Related news

Red Hat Security Advisory 2024-6044-03

Red Hat Security Advisory 2024-6044-03 - Red Hat Advanced Cluster Management for Kubernetes 2.11.2 General Availability release images, which fix bugs and update container images. Issues addressed include a denial of service vulnerability.

Ubuntu Security Notice USN-6822-1

Ubuntu Security Notice 6822-1 - It was discovered that Node.js incorrectly handled certain inputs when it is using the policy mechanism. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to bypass the policy mechanism. It was discovered that Node.js incorrectly handled certain inputs when it is using the policy mechanism. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to perform a privilege escalation.

Gentoo Linux Security Advisory 202405-29

Gentoo Linux Security Advisory 202405-29 - Multiple vulnerabilities have been discovered in Node.js. Versions greater than or equal to 16.20.2 are affected.

Ubuntu Security Notice USN-6735-1

Ubuntu Security Notice 6735-1 - It was discovered that Node.js incorrectly handled the use of invalid public keys while creating an x509 certificate. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.10. It was discovered that Node.js incorrectly handled the use of CRLF sequences to delimit HTTP requests. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain unauthorised access. This issue only affected Ubuntu 23.10.

Red Hat Security Advisory 2024-0719-03

Red Hat Security Advisory 2024-0719-03 - Migration Toolkit for Runtimes 1.2.4 release. Issues addressed include a denial of service vulnerability.

Debian Security Advisory 5589-1

Debian Linux Security Advisory 5589-1 - Multiple vulnerabilities were discovered in Node.js, which could result in HTTP request smuggling, bypass of policy feature checks, denial of service or loading of incorrect ICU data.

CVE-2023-30581: Tuesday June 20 2023 Security Releases | Node.js

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js

CVE-2023-38735: Security Bulletin: IBM Cognos Dashboards on Cloud Pak for Data has addressed security vulnerabilities

IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a victim to a phishing site. IBM X-Force ID: 262482.

CVE-2023-22130: Oracle Critical Patch Update Advisory - October 2023

Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

Red Hat Security Advisory 2023-5533-01

Red Hat Security Advisory 2023-5533-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The package has been upgraded to a later upstream version: nodejs. Issues addressed include HTTP request smuggling, buffer overflow, bypass, crlf injection, and denial of service vulnerabilities.

RHSA-2023:5533: Red Hat Security Advisory: nodejs security, bug fix, and enhancement update

An update for nodejs is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4904: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. * CVE-2022-25881: A flaw was found in http-cache-se...

Red Hat Security Advisory 2023-5486-01

Red Hat Security Advisory 2023-5486-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.13 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.12 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.13 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include denial of service and deserialization vulnerabilities.

Red Hat Security Advisory 2023-5485-01

Red Hat Security Advisory 2023-5485-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.13 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.12 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.13 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include denial of service and deserialization vulnerabilities.

Red Hat Security Advisory 2023-5488-01

Red Hat Security Advisory 2023-5488-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.13 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.12 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.13 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include denial of service and deserialization vulnerabilities.

RHSA-2023:5488: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.13 security update

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting in a denial of servi...

RHSA-2023:5379: Red Hat Security Advisory: Network Observability 1.4.0 for OpenShift

Network Observability is an OpenShift operator that deploys a monitoring pipeline to collect and enrich network flows that are produced by the Network Observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a queryable log store, Grafana Loki. When a FlowCollector is deployed, new dashboards are available in the Console. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulne...

Red Hat Security Advisory 2023-5362-01

Red Hat Security Advisory 2023-5362-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.

Red Hat Security Advisory 2023-5361-01

Red Hat Security Advisory 2023-5361-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling, bypass, and denial of service vulnerabilities.

Red Hat Security Advisory 2023-5360-01

Red Hat Security Advisory 2023-5360-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.

Red Hat Security Advisory 2023-5363-01

Red Hat Security Advisory 2023-5363-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.

RHSA-2023:5362: Red Hat Security Advisory: nodejs:18 security, bug fix, and enhancement update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting in a denial of service. * ...

RHSA-2023:5360: Red Hat Security Advisory: nodejs:16 security, bug fix, and enhancement update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

* CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting in a denial of service.
* ...

CVE-2023-32559

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` to run arbitrary code outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVE-2023-32002

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVE-2023-32006

The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Red Hat Security Advisory 2023-4536-01

Red Hat Security Advisory 2023-4536-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The package has been upgraded to a later upstream version: nodejs. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

Red Hat Security Advisory 2023-4537-01

Red Hat Security Advisory 2023-4537-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The package has been upgraded to a later upstream version: nodejs. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

RHSA-2023:4537: Red Hat Security Advisory: nodejs:16 security, bug fix, and enhancement update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

* CVE-2023-30581: No description is available for this CVE.
* CVE-2023-30588: No description is available for this CVE.
* CVE-2023-30589: The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to de...

RHSA-2023:4536: Red Hat Security Advisory: nodejs:18 security, bug fix, and enhancement update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

* CVE-2023-30581: No description is available for this CVE.
* CVE-2023-30588: No description is available for this CVE.
* CVE-2023-30589: The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to de...

Red Hat Security Advisory 2023-4341-01

Red Hat Security Advisory 2023-4341-01 - Red Hat OpenShift bug fix and security update. Red Hat Product Security has rated this update as having a security impact of Low. Issues addressed include a denial of service vulnerability.

RHSA-2023:4341: Red Hat Security Advisory: Logging Subsystem 5.7.4 - Red Hat OpenShift bug fix and security update

Logging Subsystem 5.7.4 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

* CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting in a denial of service.
* CVE-2023-22796: A flaw was found in rubygem-ac...

Red Hat Security Advisory 2023-4330-01

Red Hat Security Advisory 2023-4330-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

Red Hat Security Advisory 2023-4331-01

Red Hat Security Advisory 2023-4331-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

RHSA-2023:4331: Red Hat Security Advisory: nodejs security, bug fix, and enhancement update

An update for nodejs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

* CVE-2023-30581: No description is available for this CVE.
* CVE-2023-30588: No description is available for this CVE.
* CVE-2023-30589: The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP hea...

CVE-2023-37276: aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. The vulnerable code is used by aiohttp for its HTTP request parser when available, which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (i.e. `aiohttp.Application`); you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (i.e. `aiohttp.ClientSession`). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values, leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp with `AIOHTTP_NO_EXTENSIONS=1` set as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable.

CVE-2023-30589

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and v20.

GHSA-c2qf-rxjj-qqgw: semver vulnerable to Regular Expression Denial of Service

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

CVE-2022-25883: fix: better handling of whitespace (#564) · npm/node-semver@717534e

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.