RHSA-2021:5171: Red Hat Security Advisory: nodejs:16 security, bug fix, and enhancement update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2020-7788: nodejs-ini: Prototype pollution via malicious INI file
  • CVE-2020-28469: nodejs-glob-parent: Regular expression denial of service
  • CVE-2021-3807: nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
  • CVE-2021-3918: nodejs-json-schema: Prototype pollution vulnerability
  • CVE-2021-22959: llhttp: HTTP Request Smuggling due to spaces in headers
  • CVE-2021-22960: llhttp: HTTP Request Smuggling when parsing the body of chunked requests
  • CVE-2021-33502: normalize-url: ReDoS for data URLs
Issued: 2021-12-15

Updated: 2021-12-15

RHSA-2021:5171 - Security Advisory

Synopsis

Moderate: nodejs:16 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (16.13.1), nodejs-nodemon (2.0.15). (BZ#2027610)

Security Fix(es):

  • nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)
  • nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)
  • nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
  • nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
  • normalize-url: ReDoS for data URLs (CVE-2021-33502)
  • llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)
  • llhttp: HTTP Request Smuggling when parsing the body of chunked requests (CVE-2021-22960)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 1907444 - CVE-2020-7788 nodejs-ini: Prototype pollution via malicious INI file
  • BZ - 1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service
  • BZ - 1964461 - CVE-2021-33502 normalize-url: ReDoS for data URLs
  • BZ - 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
  • BZ - 2014057 - CVE-2021-22959 llhttp: HTTP Request Smuggling due to spaces in headers
  • BZ - 2014059 - CVE-2021-22960 llhttp: HTTP Request Smuggling when parsing the body of chunked requests
  • BZ - 2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability

CVEs

  • CVE-2020-7788
  • CVE-2020-28469
  • CVE-2021-3807
  • CVE-2021-3918
  • CVE-2021-22959
  • CVE-2021-22960
  • CVE-2021-33502

Red Hat Enterprise Linux for x86_64 8

SRPM

nodejs-16.13.1-3.module+el8.5.0+13548+45d748af.src.rpm

nodejs-nodemon-2.0.15-1.module+el8.5.0+13548+45d748af.src.rpm

nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.src.rpm

x86_64

nodejs-docs-16.13.1-3.module+el8.5.0+13548+45d748af.noarch.rpm

nodejs-nodemon-2.0.15-1.module+el8.5.0+13548+45d748af.noarch.rpm

nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.noarch.rpm

nodejs-16.13.1-3.module+el8.5.0+13548+45d748af.x86_64.rpm

nodejs-debuginfo-16.13.1-3.module+el8.5.0+13548+45d748af.x86_64.rpm

nodejs-debugsource-16.13.1-3.module+el8.5.0+13548+45d748af.x86_64.rpm

nodejs-devel-16.13.1-3.module+el8.5.0+13548+45d748af.x86_64.rpm

nodejs-full-i18n-16.13.1-3.module+el8.5.0+13548+45d748af.x86_64.rpm

npm-8.1.2-1.16.13.1.3.module+el8.5.0+13548+45d748af.x86_64.rpm

Red Hat Enterprise Linux for IBM z Systems 8

SRPM

nodejs-16.13.1-3.module+el8.5.0+13548+45d748af.src.rpm

nodejs-nodemon-2.0.15-1.module+el8.5.0+13548+45d748af.src.rpm

nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.src.rpm

s390x

nodejs-docs-16.13.1-3.module+el8.5.0+13548+45d748af.noarch.rpm

nodejs-nodemon-2.0.15-1.module+el8.5.0+13548+45d748af.noarch.rpm

nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.noarch.rpm

nodejs-16.13.1-3.module+el8.5.0+13548+45d748af.s390x.rpm

nodejs-debuginfo-16.13.1-3.module+el8.5.0+13548+45d748af.s390x.rpm

nodejs-debugsource-16.13.1-3.module+el8.5.0+13548+45d748af.s390x.rpm

nodejs-devel-16.13.1-3.module+el8.5.0+13548+45d748af.s390x.rpm

nodejs-full-i18n-16.13.1-3.module+el8.5.0+13548+45d748af.s390x.rpm

npm-8.1.2-1.16.13.1.3.module+el8.5.0+13548+45d748af.s390x.rpm

Red Hat Enterprise Linux for Power, little endian 8

SRPM

nodejs-16.13.1-3.module+el8.5.0+13548+45d748af.src.rpm

nodejs-nodemon-2.0.15-1.module+el8.5.0+13548+45d748af.src.rpm

nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.src.rpm

ppc64le

nodejs-16.13.1-3.module+el8.5.0+13548+45d748af.ppc64le.rpm

nodejs-debuginfo-16.13.1-3.module+el8.5.0+13548+45d748af.ppc64le.rpm

nodejs-debugsource-16.13.1-3.module+el8.5.0+13548+45d748af.ppc64le.rpm

nodejs-devel-16.13.1-3.module+el8.5.0+13548+45d748af.ppc64le.rpm

nodejs-docs-16.13.1-3.module+el8.5.0+13548+45d748af.noarch.rpm

nodejs-full-i18n-16.13.1-3.module+el8.5.0+13548+45d748af.ppc64le.rpm

nodejs-nodemon-2.0.15-1.module+el8.5.0+13548+45d748af.noarch.rpm

nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.noarch.rpm

npm-8.1.2-1.16.13.1.3.module+el8.5.0+13548+45d748af.ppc64le.rpm

Red Hat Enterprise Linux for ARM 64 8

SRPM

nodejs-16.13.1-3.module+el8.5.0+13548+45d748af.src.rpm

nodejs-nodemon-2.0.15-1.module+el8.5.0+13548+45d748af.src.rpm

nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.src.rpm

aarch64

nodejs-docs-16.13.1-3.module+el8.5.0+13548+45d748af.noarch.rpm

nodejs-nodemon-2.0.15-1.module+el8.5.0+13548+45d748af.noarch.rpm

nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.noarch.rpm

nodejs-16.13.1-3.module+el8.5.0+13548+45d748af.aarch64.rpm

nodejs-debuginfo-16.13.1-3.module+el8.5.0+13548+45d748af.aarch64.rpm

nodejs-debugsource-16.13.1-3.module+el8.5.0+13548+45d748af.aarch64.rpm

nodejs-devel-16.13.1-3.module+el8.5.0+13548+45d748af.aarch64.rpm

nodejs-full-i18n-16.13.1-3.module+el8.5.0+13548+45d748af.aarch64.rpm

npm-8.1.2-1.16.13.1.3.module+el8.5.0+13548+45d748af.aarch64.rpm

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
