RHSA-2022:0041: Red Hat Security Advisory: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update

An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-3807: nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
  • CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability
  • CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers
  • CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests
  • CVE-2021-37701: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
  • CVE-2021-37712: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
Red Hat Security Data

Issued: 2022-01-06

Updated: 2022-01-06

RHSA-2022:0041 - Security Advisory

Synopsis

Moderate: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update

Type/Severity

Security Advisory: Moderate

Topic

An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: rh-nodejs14-nodejs (14.18.2). (BZ#2031766)

Security Fix(es):

  • nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)
  • nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
  • nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37701)
  • nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (CVE-2021-37712)
  • llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)
  • llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
  • Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64

Fixes

  • BZ - 1999731 - CVE-2021-37701 nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
  • BZ - 1999739 - CVE-2021-37712 nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
  • BZ - 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
  • BZ - 2014057 - CVE-2021-22959 llhttp: HTTP Request Smuggling due to spaces in headers
  • BZ - 2014059 - CVE-2021-22960 llhttp: HTTP Request Smuggling when parsing the body of chunked requests
  • BZ - 2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability
  • BZ - 2031766 - rh-nodejs14-nodejs: Rebase to LTS version [rhscl-3.8.z]

CVEs

  • CVE-2021-3807
  • CVE-2021-3918
  • CVE-2021-22959
  • CVE-2021-22960
  • CVE-2021-37701
  • CVE-2021-37712

Red Hat Software Collections (for RHEL Server) 1 for RHEL 7

SRPM

  • rh-nodejs14-nodejs-14.18.2-1.el7.src.rpm (SHA-256: 1a727884cbbde5e686e425ba7f2f9e996fd4c0fea8ed2c3482b2bd08bf11018b)
  • rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.src.rpm (SHA-256: 17e6f71d341504c727a1ccc77f5bec75b3d88041728c75e2f8f6923f6c5b6cbf)

x86_64

  • rh-nodejs14-nodejs-14.18.2-1.el7.x86_64.rpm (SHA-256: c42548041913d3fef09ca3620fb83c3bd04322028c7fcd6a77f1a30502975316)
  • rh-nodejs14-nodejs-debuginfo-14.18.2-1.el7.x86_64.rpm (SHA-256: abed436df99a5ee23d2f218baa04bc5ff93f01ec25554250b3c651fdaf3a94b6)
  • rh-nodejs14-nodejs-devel-14.18.2-1.el7.x86_64.rpm (SHA-256: 8eeab3f33900a5964adeb72db3dfab0e82e134e37aa2c22c477aed5a094eb9e4)
  • rh-nodejs14-nodejs-docs-14.18.2-1.el7.noarch.rpm (SHA-256: e5afa97757700c1cfdbfdc195d184961dcc614221de32299bb96bf61b55f5844)
  • rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.noarch.rpm (SHA-256: dc13096f023b0acf3d000499dda20ad1c4c97bd86aabd452179ca267e76bd7ad)
  • rh-nodejs14-npm-6.14.15-14.18.2.1.el7.x86_64.rpm (SHA-256: 9037cf6d6e548b6e8e2d58fc306264950b42c155a969267c42463f6f561a7f9e)

Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7

SRPM

  • rh-nodejs14-nodejs-14.18.2-1.el7.src.rpm (SHA-256: 1a727884cbbde5e686e425ba7f2f9e996fd4c0fea8ed2c3482b2bd08bf11018b)
  • rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.src.rpm (SHA-256: 17e6f71d341504c727a1ccc77f5bec75b3d88041728c75e2f8f6923f6c5b6cbf)

s390x

  • rh-nodejs14-nodejs-14.18.2-1.el7.s390x.rpm (SHA-256: 0e782cc385698d4e5517899952db0167a9d6c44e5d182c06148b53149d6537e9)
  • rh-nodejs14-nodejs-debuginfo-14.18.2-1.el7.s390x.rpm (SHA-256: bb6ebba58b6022a6353ed4232075ebe378c6ed323533582a57e6485760237967)
  • rh-nodejs14-nodejs-devel-14.18.2-1.el7.s390x.rpm (SHA-256: 4d9bacbaabbae3b06d5bece19eceb152d22f13646a2a94553cff44b8d969f875)
  • rh-nodejs14-nodejs-docs-14.18.2-1.el7.noarch.rpm (SHA-256: e5afa97757700c1cfdbfdc195d184961dcc614221de32299bb96bf61b55f5844)
  • rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.noarch.rpm (SHA-256: dc13096f023b0acf3d000499dda20ad1c4c97bd86aabd452179ca267e76bd7ad)
  • rh-nodejs14-npm-6.14.15-14.18.2.1.el7.s390x.rpm (SHA-256: c06a9b3fc114a6dc7bbdee19622d21049af1b8081daf62a3b49ff64a885c6137)

Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7

SRPM

  • rh-nodejs14-nodejs-14.18.2-1.el7.src.rpm (SHA-256: 1a727884cbbde5e686e425ba7f2f9e996fd4c0fea8ed2c3482b2bd08bf11018b)
  • rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.src.rpm (SHA-256: 17e6f71d341504c727a1ccc77f5bec75b3d88041728c75e2f8f6923f6c5b6cbf)

ppc64le

  • rh-nodejs14-nodejs-14.18.2-1.el7.ppc64le.rpm (SHA-256: 9ff4a752c59afc3af35183ce288a619017f1b033c4800e7893f26ddcab165758)
  • rh-nodejs14-nodejs-debuginfo-14.18.2-1.el7.ppc64le.rpm (SHA-256: 3df4822369d2622c279315b3269686a18969c3215eaac8fb2a68897725f458c5)
  • rh-nodejs14-nodejs-devel-14.18.2-1.el7.ppc64le.rpm (SHA-256: 73e5758280c9503d2e620a6d1df1d5ad33c9abad5ae51de247ea670003b1d663)
  • rh-nodejs14-nodejs-docs-14.18.2-1.el7.noarch.rpm (SHA-256: e5afa97757700c1cfdbfdc195d184961dcc614221de32299bb96bf61b55f5844)
  • rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.noarch.rpm (SHA-256: dc13096f023b0acf3d000499dda20ad1c4c97bd86aabd452179ca267e76bd7ad)
  • rh-nodejs14-npm-6.14.15-14.18.2.1.el7.ppc64le.rpm (SHA-256: cba163680c62aef9a7882bc9f592da394f94de8844f94e344ab1826c79bcca1b)

Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7

SRPM

  • rh-nodejs14-nodejs-14.18.2-1.el7.src.rpm (SHA-256: 1a727884cbbde5e686e425ba7f2f9e996fd4c0fea8ed2c3482b2bd08bf11018b)
  • rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.src.rpm (SHA-256: 17e6f71d341504c727a1ccc77f5bec75b3d88041728c75e2f8f6923f6c5b6cbf)

x86_64

  • rh-nodejs14-nodejs-14.18.2-1.el7.x86_64.rpm (SHA-256: c42548041913d3fef09ca3620fb83c3bd04322028c7fcd6a77f1a30502975316)
  • rh-nodejs14-nodejs-debuginfo-14.18.2-1.el7.x86_64.rpm (SHA-256: abed436df99a5ee23d2f218baa04bc5ff93f01ec25554250b3c651fdaf3a94b6)
  • rh-nodejs14-nodejs-devel-14.18.2-1.el7.x86_64.rpm (SHA-256: 8eeab3f33900a5964adeb72db3dfab0e82e134e37aa2c22c477aed5a094eb9e4)
  • rh-nodejs14-nodejs-docs-14.18.2-1.el7.noarch.rpm (SHA-256: e5afa97757700c1cfdbfdc195d184961dcc614221de32299bb96bf61b55f5844)
  • rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.noarch.rpm (SHA-256: dc13096f023b0acf3d000499dda20ad1c4c97bd86aabd452179ca267e76bd7ad)
  • rh-nodejs14-npm-6.14.15-14.18.2.1.el7.x86_64.rpm (SHA-256: 9037cf6d6e548b6e8e2d58fc306264950b42c155a969267c42463f6f561a7f9e)
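The digests above are only useful if something actually compares them with what was downloaded. The following shell script is an added example, not part of the advisory and not Red Hat tooling: it embeds the x86_64 file names and SHA-256 values from the listing as a `sha256sum -c`-style manifest and checks a directory of downloaded RPMs against it. It assumes `sha256sum` (coreutils) or, failing that, `shasum -a 256` is on the PATH; the s390x and ppc64le lines can be appended to the manifest in the same layout.

```shell
#!/bin/sh
# Added example: verify downloaded RHSA-2022:0041 RPMs against the SHA-256
# digests published in the advisory. Not Red Hat tooling. Manifest lines use
# the `sha256sum -c` layout ("<hex digest>  <file name>"); the x86_64 set is
# copied from the advisory text, the other architectures can be appended.

RHSA_2022_0041_X86_64_MANIFEST='
1a727884cbbde5e686e425ba7f2f9e996fd4c0fea8ed2c3482b2bd08bf11018b  rh-nodejs14-nodejs-14.18.2-1.el7.src.rpm
17e6f71d341504c727a1ccc77f5bec75b3d88041728c75e2f8f6923f6c5b6cbf  rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.src.rpm
c42548041913d3fef09ca3620fb83c3bd04322028c7fcd6a77f1a30502975316  rh-nodejs14-nodejs-14.18.2-1.el7.x86_64.rpm
abed436df99a5ee23d2f218baa04bc5ff93f01ec25554250b3c651fdaf3a94b6  rh-nodejs14-nodejs-debuginfo-14.18.2-1.el7.x86_64.rpm
8eeab3f33900a5964adeb72db3dfab0e82e134e37aa2c22c477aed5a094eb9e4  rh-nodejs14-nodejs-devel-14.18.2-1.el7.x86_64.rpm
e5afa97757700c1cfdbfdc195d184961dcc614221de32299bb96bf61b55f5844  rh-nodejs14-nodejs-docs-14.18.2-1.el7.noarch.rpm
dc13096f023b0acf3d000499dda20ad1c4c97bd86aabd452179ca267e76bd7ad  rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.noarch.rpm
9037cf6d6e548b6e8e2d58fc306264950b42c155a969267c42463f6f561a7f9e  rh-nodejs14-npm-6.14.15-14.18.2.1.el7.x86_64.rpm
'

# digest FILE -> prints the lowercase hex SHA-256 of FILE.
# Uses sha256sum (coreutils) or falls back to shasum (perl, macOS/BSD).
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_manifest MANIFEST DIR
# Checks DIR/<file> for every manifest line and prints one status line each.
# Exit status: 0 = every file that is present matches its published digest;
#              1 = at least one present file differs (corrupt or tampered
#                  download: do not install it);
#              2 = none of the listed files was found, so nothing was verified.
# Files that were simply not downloaded are reported as MISSING but do not
# fail the check, since a host normally needs only its own architecture.
verify_manifest() {
  manifest=$1
  dir=$2
  status=0
  checked=0
  # A here-document keeps the loop in the current shell so the counters
  # survive; piping into `while read` would run it in a subshell.
  while read -r want name; do
    if [ -z "$name" ]; then
      continue
    fi
    path="$dir/$name"
    if [ ! -f "$path" ]; then
      printf 'MISSING  %s\n' "$name"
      continue
    fi
    checked=$((checked + 1))
    have=$(digest "$path")
    if [ "$have" = "$want" ]; then
      printf 'OK       %s\n' "$name"
    else
      printf 'MISMATCH %s\n  expected %s\n  got      %s\n' "$name" "$want" "$have"
      status=1
    fi
  done <<EOF
$manifest
EOF
  if [ "$checked" -eq 0 ] && [ "$status" -eq 0 ]; then
    return 2
  fi
  return $status
}

# Usage: sh verify-rhsa-2022-0041.sh /path/to/downloaded/rpms
if [ -n "${1:-}" ]; then
  verify_manifest "$RHSA_2022_0041_X86_64_MANIFEST" "$1" \
    || echo "verification did not pass (exit $?)" >&2
fi
```

A digest match shows that the file on disk is the one the advisory describes; it complements, rather than replaces, checking the package's GPG signature with `rpm -K` before installation. A non-zero exit also makes the script usable as a gate in a download pipeline.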

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
