RHSA-2023:4036: Red Hat Security Advisory: nodejs security update
An update for nodejs is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-31124: A flaw was found in c-ares. When c-ares is cross-compiled using the autotools build system, CARES_RANDOM_FILE is not set (as seen when cross-compiling for aarch64 Android). As a result, c-ares falls back to rand(), which is not a CSPRNG, so an attacker could take advantage of the resulting lack of entropy.
- CVE-2023-31130: A vulnerability was found in c-ares. The ares_inet_net_pton() function is vulnerable to a buffer underflow for certain IPv6 addresses; "0::00:00:00/2" in particular was found to trigger the issue. c-ares only uses this function internally for configuration purposes, so an administrator would have to configure such an address via ares_set_sortlist().
- CVE-2023-31147: A vulnerability was found in c-ares. When /dev/urandom or RtlGenRandom() is unavailable, c-ares uses rand() to generate the random numbers used for DNS query IDs. rand() is not a CSPRNG and is also not seeded by srand(), so it produces predictable output.
- CVE-2023-32067: A vulnerability was found in c-ares. This issue occurs due to a 0-byte UDP payload that can cause a Denial of Service.
Synopsis
Important: nodejs security update
Type / Severity
Security Advisory: Important
Description
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Security Fix(es):
- c-ares: 0-byte UDP payload Denial of Service (CVE-2023-32067)
- c-ares: Buffer Underwrite in ares_inet_net_pton() (CVE-2023-31130)
- c-ares: Insufficient randomness in generation of DNS query IDs (CVE-2023-31147)
- c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation (CVE-2023-31124)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.0 x86_64
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.0 s390x
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.0 ppc64le
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.0 aarch64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64
- Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.0 aarch64
- Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.0 s390x
Fixes
- BZ - 2209494 - CVE-2023-31124 c-ares: AutoTools does not set CARES_RANDOM_FILE during cross compilation
- BZ - 2209497 - CVE-2023-31130 c-ares: Buffer Underwrite in ares_inet_net_pton()
- BZ - 2209501 - CVE-2023-31147 c-ares: Insufficient randomness in generation of DNS query IDs
- BZ - 2209502 - CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service
CVE
- CVE-2023-31124
- CVE-2023-31130
- CVE-2023-31147
- CVE-2023-32067
Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.0
SRPM
nodejs-16.18.1-4.el9_0.src.rpm
SHA-256: 9ac81573f1fe79050490da63fd2d7efd6b5e6d1ee876ae5403b639bc93a1a33b
x86_64
nodejs-16.18.1-4.el9_0.x86_64.rpm
SHA-256: b4db5a23b7f72c1a047b27a0e04c0b0d7ba19860ea924f3a957bbd38601b11b5
nodejs-debuginfo-16.18.1-4.el9_0.i686.rpm
SHA-256: 4234ffc279b4827794ac456c4f7faf3153453d344a9a761a008fb849a4dd1e59
nodejs-debuginfo-16.18.1-4.el9_0.x86_64.rpm
SHA-256: a8c375832077ece611f7fab99e880c4c3796834feb6f72ca5972292b5616e100
nodejs-debugsource-16.18.1-4.el9_0.i686.rpm
SHA-256: 86c432882c75cb65f4582af355bb30284ae603f13415ecab751fd9fde736b1d7
nodejs-debugsource-16.18.1-4.el9_0.x86_64.rpm
SHA-256: 49aec6773c004fe7bff757ba13dd0fbc92435302e9652887f7305e06d2014ba1
nodejs-docs-16.18.1-4.el9_0.noarch.rpm
SHA-256: 432242b6914437f531ef3ce4ab53fcb5f78114b12895ca3b263c62d483590c88
nodejs-full-i18n-16.18.1-4.el9_0.x86_64.rpm
SHA-256: 4f81c8910fcb5c57a7851a05fa041826860baa0b193da409285f421d7e5c2492
nodejs-libs-16.18.1-4.el9_0.i686.rpm
SHA-256: ef227d254b5ff86449188f46a13bbc7be2bae986b0100bc35343d4f3995e2842
nodejs-libs-16.18.1-4.el9_0.x86_64.rpm
SHA-256: 4843242505afc9b4f62816d1245e45dee599a2f9dc1079d6fb5609e130dd78f5
nodejs-libs-debuginfo-16.18.1-4.el9_0.i686.rpm
SHA-256: 05fb6dff9712ef0e33e58de3d42579dcce252ede5141a718e07a09116e712edc
nodejs-libs-debuginfo-16.18.1-4.el9_0.x86_64.rpm
SHA-256: 229626aee27501bdd946cefb5d93e00efec4b1e6d418e106a0458403f2eb33f8
npm-8.19.2-1.16.18.1.4.el9_0.x86_64.rpm
SHA-256: aed9fad6e8a7a932eba743711bb53b4d684faa1fb398bdb3e0a8380154e89b87
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.0
SRPM
nodejs-16.18.1-4.el9_0.src.rpm
SHA-256: 9ac81573f1fe79050490da63fd2d7efd6b5e6d1ee876ae5403b639bc93a1a33b
s390x
nodejs-16.18.1-4.el9_0.s390x.rpm
SHA-256: da00e7b5f20d9d5b11fde8d4e45e35472e623f6e3ede33bbabc1b6f465c07ce0
nodejs-debuginfo-16.18.1-4.el9_0.s390x.rpm
SHA-256: bfb4575baf4f5a3134546b3ea445dcc4de85347cb62ad526784e15e198d4beda
nodejs-debugsource-16.18.1-4.el9_0.s390x.rpm
SHA-256: 35e790484df2a8a0dd322e0b2970cd97c2a52fdceebd18ddd25a3110e4250f17
nodejs-docs-16.18.1-4.el9_0.noarch.rpm
SHA-256: 432242b6914437f531ef3ce4ab53fcb5f78114b12895ca3b263c62d483590c88
nodejs-full-i18n-16.18.1-4.el9_0.s390x.rpm
SHA-256: d8d4400c98b991f2f10e998f5cf186262d4c5c5432a943ea5dafe6606f5e3349
nodejs-libs-16.18.1-4.el9_0.s390x.rpm
SHA-256: 6c2b318ecf7ce0631ecaa256f165dbc566ff5fd2ef67a1c8074e1869b77f6b8d
nodejs-libs-debuginfo-16.18.1-4.el9_0.s390x.rpm
SHA-256: acc0f43a87f2705060e4984c6268c37081cb53374da9015354bb12da2866486b
npm-8.19.2-1.16.18.1.4.el9_0.s390x.rpm
SHA-256: af091dede33d6b96b5b3ed65e7a3b24bffe74d9cdbd27a0b1f2d81a82ba2981f
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.0
SRPM
nodejs-16.18.1-4.el9_0.src.rpm
SHA-256: 9ac81573f1fe79050490da63fd2d7efd6b5e6d1ee876ae5403b639bc93a1a33b
ppc64le
nodejs-16.18.1-4.el9_0.ppc64le.rpm
SHA-256: a912afd4671810867f4c0eb5d09c1f45fe8d5501c85d5040d4b1de892129ea51
nodejs-debuginfo-16.18.1-4.el9_0.ppc64le.rpm
SHA-256: e5ba8d12fedc60569cf6c69753a5ee41b4a41617d376db342fd98751eab57ee0
nodejs-debugsource-16.18.1-4.el9_0.ppc64le.rpm
SHA-256: 4c6f94050ac3d4f15a48198acdd0ea5670768902821bd97d9aaf1e79c748d71f
nodejs-docs-16.18.1-4.el9_0.noarch.rpm
SHA-256: 432242b6914437f531ef3ce4ab53fcb5f78114b12895ca3b263c62d483590c88
nodejs-full-i18n-16.18.1-4.el9_0.ppc64le.rpm
SHA-256: dffd869ed788293a1c1f9898861743729ecadd29449aa99588e68ffb21b4816b
nodejs-libs-16.18.1-4.el9_0.ppc64le.rpm
SHA-256: ce80fbf3d7bf0037e6d795c9551178b68063af59c01cb5606a925ed97ef3a4e6
nodejs-libs-debuginfo-16.18.1-4.el9_0.ppc64le.rpm
SHA-256: 26eb0c4a10d320accb336253aab3b0eb9303b2c33deb2c2624f9c999f3285857
npm-8.19.2-1.16.18.1.4.el9_0.ppc64le.rpm
SHA-256: 670c08aee29e03ca6130399e7ada703a0cc926f9ee2b291a991efb9f19fbc89d
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.0
SRPM
nodejs-16.18.1-4.el9_0.src.rpm
SHA-256: 9ac81573f1fe79050490da63fd2d7efd6b5e6d1ee876ae5403b639bc93a1a33b
aarch64
nodejs-16.18.1-4.el9_0.aarch64.rpm
SHA-256: 837af5c837abe23e779913d94a46878bebb9828b033f08fd60e239fb758ad04a
nodejs-debuginfo-16.18.1-4.el9_0.aarch64.rpm
SHA-256: e2deb31bdfcac08c190c589d5ce73781a36e48bc6381cf00f83d7f4132994b4c
nodejs-debugsource-16.18.1-4.el9_0.aarch64.rpm
SHA-256: cf48aa3df82d77429296c7af958180f111b2418ad87263334a699f025abac231
nodejs-docs-16.18.1-4.el9_0.noarch.rpm
SHA-256: 432242b6914437f531ef3ce4ab53fcb5f78114b12895ca3b263c62d483590c88
nodejs-full-i18n-16.18.1-4.el9_0.aarch64.rpm
SHA-256: f3d7331bdffa9e03da8b5573496ad3e29ff6997f8dd61bcc3405a85a26ab7df5
nodejs-libs-16.18.1-4.el9_0.aarch64.rpm
SHA-256: ab713712fff7bca04cf2ca72cb0fabce3aed06f25f350b64d1fa5bd80242c655
nodejs-libs-debuginfo-16.18.1-4.el9_0.aarch64.rpm
SHA-256: 0bdb8616ae9e703e41f891fbe29d230fab98f74c6453ec3ab64ab694b641c1bb
npm-8.19.2-1.16.18.1.4.el9_0.aarch64.rpm
SHA-256: fd42e97fbab2d8d451c5663ed1ea15bfa94948f2573e0c36ebbd538ec5d562bc
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0
SRPM
nodejs-16.18.1-4.el9_0.src.rpm
SHA-256: 9ac81573f1fe79050490da63fd2d7efd6b5e6d1ee876ae5403b639bc93a1a33b
ppc64le
nodejs-16.18.1-4.el9_0.ppc64le.rpm
SHA-256: a912afd4671810867f4c0eb5d09c1f45fe8d5501c85d5040d4b1de892129ea51
nodejs-debuginfo-16.18.1-4.el9_0.ppc64le.rpm
SHA-256: e5ba8d12fedc60569cf6c69753a5ee41b4a41617d376db342fd98751eab57ee0
nodejs-debugsource-16.18.1-4.el9_0.ppc64le.rpm
SHA-256: 4c6f94050ac3d4f15a48198acdd0ea5670768902821bd97d9aaf1e79c748d71f
nodejs-docs-16.18.1-4.el9_0.noarch.rpm
SHA-256: 432242b6914437f531ef3ce4ab53fcb5f78114b12895ca3b263c62d483590c88
nodejs-full-i18n-16.18.1-4.el9_0.ppc64le.rpm
SHA-256: dffd869ed788293a1c1f9898861743729ecadd29449aa99588e68ffb21b4816b
nodejs-libs-16.18.1-4.el9_0.ppc64le.rpm
SHA-256: ce80fbf3d7bf0037e6d795c9551178b68063af59c01cb5606a925ed97ef3a4e6
nodejs-libs-debuginfo-16.18.1-4.el9_0.ppc64le.rpm
SHA-256: 26eb0c4a10d320accb336253aab3b0eb9303b2c33deb2c2624f9c999f3285857
npm-8.19.2-1.16.18.1.4.el9_0.ppc64le.rpm
SHA-256: 670c08aee29e03ca6130399e7ada703a0cc926f9ee2b291a991efb9f19fbc89d
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0
SRPM
nodejs-16.18.1-4.el9_0.src.rpm
SHA-256: 9ac81573f1fe79050490da63fd2d7efd6b5e6d1ee876ae5403b639bc93a1a33b
x86_64
nodejs-16.18.1-4.el9_0.x86_64.rpm
SHA-256: b4db5a23b7f72c1a047b27a0e04c0b0d7ba19860ea924f3a957bbd38601b11b5
nodejs-debuginfo-16.18.1-4.el9_0.i686.rpm
SHA-256: 4234ffc279b4827794ac456c4f7faf3153453d344a9a761a008fb849a4dd1e59
nodejs-debuginfo-16.18.1-4.el9_0.x86_64.rpm
SHA-256: a8c375832077ece611f7fab99e880c4c3796834feb6f72ca5972292b5616e100
nodejs-debugsource-16.18.1-4.el9_0.i686.rpm
SHA-256: 86c432882c75cb65f4582af355bb30284ae603f13415ecab751fd9fde736b1d7
nodejs-debugsource-16.18.1-4.el9_0.x86_64.rpm
SHA-256: 49aec6773c004fe7bff757ba13dd0fbc92435302e9652887f7305e06d2014ba1
nodejs-docs-16.18.1-4.el9_0.noarch.rpm
SHA-256: 432242b6914437f531ef3ce4ab53fcb5f78114b12895ca3b263c62d483590c88
nodejs-full-i18n-16.18.1-4.el9_0.x86_64.rpm
SHA-256: 4f81c8910fcb5c57a7851a05fa041826860baa0b193da409285f421d7e5c2492
nodejs-libs-16.18.1-4.el9_0.i686.rpm
SHA-256: ef227d254b5ff86449188f46a13bbc7be2bae986b0100bc35343d4f3995e2842
nodejs-libs-16.18.1-4.el9_0.x86_64.rpm
SHA-256: 4843242505afc9b4f62816d1245e45dee599a2f9dc1079d6fb5609e130dd78f5
nodejs-libs-debuginfo-16.18.1-4.el9_0.i686.rpm
SHA-256: 05fb6dff9712ef0e33e58de3d42579dcce252ede5141a718e07a09116e712edc
nodejs-libs-debuginfo-16.18.1-4.el9_0.x86_64.rpm
SHA-256: 229626aee27501bdd946cefb5d93e00efec4b1e6d418e106a0458403f2eb33f8
npm-8.19.2-1.16.18.1.4.el9_0.x86_64.rpm
SHA-256: aed9fad6e8a7a932eba743711bb53b4d684faa1fb398bdb3e0a8380154e89b87
Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.0
SRPM
nodejs-16.18.1-4.el9_0.src.rpm
SHA-256: 9ac81573f1fe79050490da63fd2d7efd6b5e6d1ee876ae5403b639bc93a1a33b
aarch64
nodejs-16.18.1-4.el9_0.aarch64.rpm
SHA-256: 837af5c837abe23e779913d94a46878bebb9828b033f08fd60e239fb758ad04a
nodejs-debuginfo-16.18.1-4.el9_0.aarch64.rpm
SHA-256: e2deb31bdfcac08c190c589d5ce73781a36e48bc6381cf00f83d7f4132994b4c
nodejs-debugsource-16.18.1-4.el9_0.aarch64.rpm
SHA-256: cf48aa3df82d77429296c7af958180f111b2418ad87263334a699f025abac231
nodejs-docs-16.18.1-4.el9_0.noarch.rpm
SHA-256: 432242b6914437f531ef3ce4ab53fcb5f78114b12895ca3b263c62d483590c88
nodejs-full-i18n-16.18.1-4.el9_0.aarch64.rpm
SHA-256: f3d7331bdffa9e03da8b5573496ad3e29ff6997f8dd61bcc3405a85a26ab7df5
nodejs-libs-16.18.1-4.el9_0.aarch64.rpm
SHA-256: ab713712fff7bca04cf2ca72cb0fabce3aed06f25f350b64d1fa5bd80242c655
nodejs-libs-debuginfo-16.18.1-4.el9_0.aarch64.rpm
SHA-256: 0bdb8616ae9e703e41f891fbe29d230fab98f74c6453ec3ab64ab694b641c1bb
npm-8.19.2-1.16.18.1.4.el9_0.aarch64.rpm
SHA-256: fd42e97fbab2d8d451c5663ed1ea15bfa94948f2573e0c36ebbd538ec5d562bc
Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.0
SRPM
nodejs-16.18.1-4.el9_0.src.rpm
SHA-256: 9ac81573f1fe79050490da63fd2d7efd6b5e6d1ee876ae5403b639bc93a1a33b
s390x
nodejs-16.18.1-4.el9_0.s390x.rpm
SHA-256: da00e7b5f20d9d5b11fde8d4e45e35472e623f6e3ede33bbabc1b6f465c07ce0
nodejs-debuginfo-16.18.1-4.el9_0.s390x.rpm
SHA-256: bfb4575baf4f5a3134546b3ea445dcc4de85347cb62ad526784e15e198d4beda
nodejs-debugsource-16.18.1-4.el9_0.s390x.rpm
SHA-256: 35e790484df2a8a0dd322e0b2970cd97c2a52fdceebd18ddd25a3110e4250f17
nodejs-docs-16.18.1-4.el9_0.noarch.rpm
SHA-256: 432242b6914437f531ef3ce4ab53fcb5f78114b12895ca3b263c62d483590c88
nodejs-full-i18n-16.18.1-4.el9_0.s390x.rpm
SHA-256: d8d4400c98b991f2f10e998f5cf186262d4c5c5432a943ea5dafe6606f5e3349
nodejs-libs-16.18.1-4.el9_0.s390x.rpm
SHA-256: 6c2b318ecf7ce0631ecaa256f165dbc566ff5fd2ef67a1c8074e1869b77f6b8d
nodejs-libs-debuginfo-16.18.1-4.el9_0.s390x.rpm
SHA-256: acc0f43a87f2705060e4984c6268c37081cb53374da9015354bb12da2866486b
npm-8.19.2-1.16.18.1.4.el9_0.s390x.rpm
SHA-256: af091dede33d6b96b5b3ed65e7a3b24bffe74d9cdbd27a0b1f2d81a82ba2981f
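The two things a practitioner actually does with a listing like the one above are (1) check whether the nodejs already installed on a RHEL 9.0 host is at or past the fixed NVR, and (2) confirm that an RPM pulled for an offline install matches the advisory's SHA-256. The script below is an added example, not part of this advisory and not Red Hat tooling. It embeds a two-entry excerpt of the x86_64 table (file names and digests copied from the page), reimplements rpm's version-segment comparison in `rpmvercmp` (an assumption: it follows the segment rules of rpm's own rpmvercmp, including the `~` pre-release rule, which is enough for the NVRs on this page), and compares name, arch, version and release the way `rpm -q` output would be compared. Function names such as `installed_is_fixed` and `verify_rpm_file` are the example's own.

```python
"""Added example: is an installed nodejs at or past the advisory's NVR, and does
a downloaded RPM match the advisory's SHA-256?  Not Red Hat tooling."""
import hashlib
import os
import re

# Constructed excerpt of the advisory's package table, kept in the page's own
# layout (file name line, then its SHA-256 line). Only two x86_64 entries are
# included; the real table lists every architecture and sub-package.
ADVISORY_LISTING = """\
nodejs-16.18.1-4.el9_0.x86_64.rpm
SHA-256: b4db5a23b7f72c1a047b27a0e04c0b0d7ba19860ea924f3a957bbd38601b11b5
npm-8.19.2-1.16.18.1.4.el9_0.x86_64.rpm
SHA-256: aed9fad6e8a7a932eba743711bb53b4d684faa1fb398bdb3e0a8380154e89b87
"""

_SHA_LINE = re.compile(r"^SHA-256:\s*([0-9a-fA-F]{64})\s*$")


def parse_listing(text):
    """Map 'package.rpm' -> lower-case SHA-256 hex from an advisory table."""
    table, pending = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(".rpm"):
            pending = line
        else:
            m = _SHA_LINE.match(line)
            if m and pending:
                table[pending] = m.group(1).lower()
                pending = None
    return table


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_sha256_bytes(filename, data, table):
    """True only when the name is in the table AND the digest matches.
    A file name the advisory does not list is a failure, not 'nothing to check'."""
    expected = table.get(filename)
    return expected is not None and sha256_hex(data) == expected


def verify_rpm_file(path, table):
    """Same check for a file on disk; the table is keyed by base name."""
    with open(path, "rb") as fh:
        return verify_sha256_bytes(os.path.basename(path), fh.read(), table)


def split_nevra(s):
    """'nodejs-16.18.1-4.el9_0.x86_64[.rpm]' -> (name, version, release, arch).
    An 'epoch:' prefix on the version (e.g. from rpm -q --qf with %{EPOCH}) is
    dropped because the advisory file names never carry one."""
    if s.endswith(".rpm"):
        s = s[:-4]
    rest, arch = s.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    return name, version.split(":", 1)[-1], release, arch


def rpmvercmp(a, b):
    """Segment-wise version compare as rpm does it: -1, 0 or 1.
    Digits compare numerically, letters lexically, a numeric segment beats an
    alphabetic one, '~' sorts before anything (pre-release), more segments win."""
    if a == b:
        return 0
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        while ia < len(a) and not a[ia].isalnum() and a[ia] != "~":
            ia += 1
        while ib < len(b) and not b[ib].isalnum() and b[ib] != "~":
            ib += 1
        if (ia < len(a) and a[ia] == "~") or (ib < len(b) and b[ib] == "~"):
            if ia >= len(a) or a[ia] != "~":
                return 1
            if ib >= len(b) or b[ib] != "~":
                return -1
            ia, ib = ia + 1, ib + 1
            continue
        if ia >= len(a) or ib >= len(b):
            break
        isnum = a[ia].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        ja, jb = ia, ib
        while ja < len(a) and kind(a[ja]):
            ja += 1
        while jb < len(b) and kind(b[jb]):
            jb += 1
        if jb == ib:                      # segment types differ
            return 1 if isnum else -1
        sa, sb = a[ia:ja], b[ib:jb]
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        ia, ib = ja, jb
    if ia >= len(a) and ib >= len(b):
        return 0
    return -1 if ia >= len(a) else 1


def installed_is_fixed(installed, fixed_filename):
    """True when the installed package (rpm -q output) is at or above the
    advisory's NVR; refuses to compare a different package or architecture."""
    iname, iver, irel, iarch = split_nevra(installed)
    fname, fver, frel, farch = split_nevra(fixed_filename)
    if (iname, iarch) != (fname, farch):
        raise ValueError(f"{installed} is not the same package as {fixed_filename}")
    c = rpmvercmp(iver, fver) or rpmvercmp(irel, frel)
    return c >= 0


if __name__ == "__main__":
    import sys
    # Usage: python check_rhsa.py "$(rpm -q nodejs)"
    installed = sys.argv[1]
    name, _, _, arch = split_nevra(installed)
    table = parse_listing(ADVISORY_LISTING)
    fixed = next(f for f in table if split_nevra(f)[0] == name and split_nevra(f)[3] == arch)
    verdict = "at or past the fix" if installed_is_fixed(installed, fixed) else "NOT yet updated"
    print(f"{installed}: {verdict} (advisory ships {fixed})")
```

Run it against `rpm -q nodejs` on the host; to extend it to the other sub-packages or architectures, paste the corresponding lines of the table above into `ADVISORY_LISTING`. The name/arch check matters in practice: an i686 `nodejs-libs` entry and the x86_64 one carry the same NVR but different digests, so verify each downloaded file against its own line.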
Related news
Red Hat Security Advisory 2023-7543-01 - An update for c-ares is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a buffer overflow vulnerability.
IBM QRadar SIEM 7.5.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 254138
Ubuntu Security Notice 6164-2 - USN-6164-1 fixed several vulnerabilities in c-ares. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Hannes Moesl discovered that c-ares incorrectly handled certain ipv6 addresses. An attacker could use this issue to cause c-ares to crash, resulting in a denial of service, or possibly execute arbitrary code.
Red Hat Security Advisory 2023-4226-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.6.
Red Hat Security Advisory 2023-4090-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.5.
Red Hat OpenShift Container Platform release 4.13.5 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server c...
Red Hat Security Advisory 2023-4039-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-4034-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-4033-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-4036-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-4035-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include buffer overflow and denial of service vulnerabilities.
An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4904: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. * CVE-2023-31124: A flaw was found in c-ares. This issue occurs...
An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-31124: A flaw was found in c-ares. This issue occurs when cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross-compiling aarch64 android. As a result, it will downgrade to rand(), which could allow an attacker to utilize the lack of entropy by not using a CSPRNG. * CVE-2023-3113...
An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-31124: A flaw was found in c-ares. This issue occurs when cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross-compiling aarch64 android. As a result, it will downgrade to rand(), which could allow an attacker to utilize the lack of entropy by not using...
An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-31124: A flaw was found in c-ares. This issue occurs when cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross-compiling aarch64 android. As a result, it will downgrade to rand(), which could allow an attacker to utilize the lack of entropy by not using a CSPRNG. * CVE-2023-3113...
Red Hat OpenShift Container Platform release 4.11.44 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3089: A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS...
Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentication with RSA keys to servers that reject signature algorithms based on SHA-2, enabling an attacker to crash the server, resulting in a loss of availability. * CVE...
Red Hat Security Advisory 2023-3677-01 - The c-ares C library defines asynchronous DNS requests and provides name resolving API. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3665-01 - The c-ares C library defines asynchronous DNS requests and provides name resolving API. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-3660-01 - The c-ares C library defines asynchronous DNS requests and provides name resolving API. Issues addressed include a denial of service vulnerability.
An update for c-ares is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32067: c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and r...
Red Hat Security Advisory 2023-3559-01 - The c-ares C library defines asynchronous DNS requests and provides name resolving API. Issues addressed include a denial of service vulnerability.
An update for c-ares is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32067: c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patc...
An update for c-ares is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32067: c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection...
An update for c-ares is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32067: c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patc...
Debian Linux Security Advisory 5419-1 - Two vulnerabilities were discovered in c-ares, an asynchronous name resolver library.
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain IPv6 addresses; in particular, "0::00:00:00/2" was found to cause an issue. c-ares only uses this function internally for configuration purposes, which would require an administrator to configure such an address via ares_set_sortlist(). However, users may call ares_inet_net_pton() directly for other purposes and thus be exposed to more severe issues. This issue has been fixed in 1.19.1.
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross-compiling for aarch64 Android. This downgrades the library to using rand() as a fallback, which could allow an attacker to take advantage of the lack of entropy that results from not using a CSPRNG. This issue was patched in version 1.19.1.
c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate the random numbers used for DNS query IDs. This is not a CSPRNG, and it is also not seeded by srand(), so it will generate predictable output. Input from the random number generator is fed into a non-compliant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs such as arc4random(), which is widely available. This issue has been fixed in version 1.19.1.