
Real Time Automation 460 Series products with versions prior to v8.9.8 are vulnerable to cross-site scripting, which could allow an attacker to run any JavaScript reference from the URL string. If this were to occur, the gateway's HTTP interface would redirect to the main page, which is index.htm.



CVE-2023-4523

Red Hat Security Advisory 2023-5362-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: nodejs:18 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:5362-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5362  
Issue date:        2023-09-26  
CVE Names:         CVE-2022-25883 CVE-2023-32002 CVE-2023-32006  
                   CVE-2023-32559  
====================================================================  
1. Summary:

An update for the nodejs:18 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:  
nodejs (18). (BZ#2234409)

Security Fix(es):

* nodejs: Permissions policies can be bypassed via Module._load  
(CVE-2023-32002)

* nodejs-semver: Regular expression denial of service (CVE-2022-25883)

* nodejs: Permissions policies can impersonate other modules in using  
module.constructor.createRequire() (CVE-2023-32006)

* nodejs: Permissions policies can be bypassed via process.binding  
(CVE-2023-32559)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2216475 - CVE-2022-25883 nodejs-semver: Regular expression denial of service  
2230948 - CVE-2023-32002 nodejs: Permissions policies can be bypassed via Module._load  
2230955 - CVE-2023-32006 nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire()  
2230956 - CVE-2023-32559 nodejs: Permissions policies can be bypassed via process.binding  
2234409 - nodejs:18/nodejs: Rebase to the latest Nodejs 18 release [rhel-8] [rhel-8.8.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
nodejs-18.17.1-1.module+el8.8.0+19757+8ca87034.src.rpm  
nodejs-nodemon-3.0.1-1.module+el8.8.0+19757+8ca87034.src.rpm  
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.src.rpm

aarch64:  
nodejs-18.17.1-1.module+el8.8.0+19757+8ca87034.aarch64.rpm  
nodejs-debuginfo-18.17.1-1.module+el8.8.0+19757+8ca87034.aarch64.rpm  
nodejs-debugsource-18.17.1-1.module+el8.8.0+19757+8ca87034.aarch64.rpm  
nodejs-devel-18.17.1-1.module+el8.8.0+19757+8ca87034.aarch64.rpm  
nodejs-full-i18n-18.17.1-1.module+el8.8.0+19757+8ca87034.aarch64.rpm  
npm-9.6.7-1.18.17.1.1.module+el8.8.0+19757+8ca87034.aarch64.rpm

noarch:  
nodejs-docs-18.17.1-1.module+el8.8.0+19757+8ca87034.noarch.rpm  
nodejs-nodemon-3.0.1-1.module+el8.8.0+19757+8ca87034.noarch.rpm  
nodejs-packaging-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm  
nodejs-packaging-bundler-2021.06-4.module+el8.7.0+15582+19c314fa.noarch.rpm

ppc64le:  
nodejs-18.17.1-1.module+el8.8.0+19757+8ca87034.ppc64le.rpm  
nodejs-debuginfo-18.17.1-1.module+el8.8.0+19757+8ca87034.ppc64le.rpm  
nodejs-debugsource-18.17.1-1.module+el8.8.0+19757+8ca87034.ppc64le.rpm  
nodejs-devel-18.17.1-1.module+el8.8.0+19757+8ca87034.ppc64le.rpm  
nodejs-full-i18n-18.17.1-1.module+el8.8.0+19757+8ca87034.ppc64le.rpm  
npm-9.6.7-1.18.17.1.1.module+el8.8.0+19757+8ca87034.ppc64le.rpm

s390x:  
nodejs-18.17.1-1.module+el8.8.0+19757+8ca87034.s390x.rpm  
nodejs-debuginfo-18.17.1-1.module+el8.8.0+19757+8ca87034.s390x.rpm  
nodejs-debugsource-18.17.1-1.module+el8.8.0+19757+8ca87034.s390x.rpm  
nodejs-devel-18.17.1-1.module+el8.8.0+19757+8ca87034.s390x.rpm  
nodejs-full-i18n-18.17.1-1.module+el8.8.0+19757+8ca87034.s390x.rpm  
npm-9.6.7-1.18.17.1.1.module+el8.8.0+19757+8ca87034.s390x.rpm

x86_64:  
nodejs-18.17.1-1.module+el8.8.0+19757+8ca87034.x86_64.rpm  
nodejs-debuginfo-18.17.1-1.module+el8.8.0+19757+8ca87034.x86_64.rpm  
nodejs-debugsource-18.17.1-1.module+el8.8.0+19757+8ca87034.x86_64.rpm  
nodejs-devel-18.17.1-1.module+el8.8.0+19757+8ca87034.x86_64.rpm  
nodejs-full-i18n-18.17.1-1.module+el8.8.0+19757+8ca87034.x86_64.rpm  
npm-9.6.7-1.18.17.1.1.module+el8.8.0+19757+8ca87034.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-25883  
https://access.redhat.com/security/cve/CVE-2023-32002  
https://access.redhat.com/security/cve/CVE-2023-32006  
https://access.redhat.com/security/cve/CVE-2023-32559  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlEvhIAAoJENzjgjWX9erEwokP+wUSQUFjqSMnuYRFCakZSptX  
Aujcv/u8hIFe0P1L1hTy28LpSZMhNGLNLf22YJd/Z9+78S/12GAOIk3CBmuObE1H  
PpAO55SoVmk/LkSmserL1cwrgJh3Pa0+JpKPf06vWKvstnF3QgDiAqV1dE+LcfCB  
f5yhqbjEbQVRewMvcEq+H684KbeA1xBIraZGqZ7g/PVwz5QS/zDcBemvLGVnMG44  
s6v11jHQRi2WYBlgSYaexXAJIgZbGsdSsEIGfAdtEFi3UWo3CzLSszIboZNmJAVi  
xjUZD/YSckm/NhGJr8q8jyPs5i5TQ2G8o13iNdUXgI/fbs8qaFph+qrIw2p1rt7q  
8vws7hNSWrAceqioGWhI427kahTMkVqArfp67tyiuaAP1c0N8DWJb+F0aN9Te6Pv  
3HTqkHOu9uvMlVtCsCLOwBBrJmUEeAz7ry7o7W6+xPlzxFqU5S/jWK6rw3hrvE74  
B/in+FQ0NbVhJtGNmR43T+P0aFY5xu2lBy7OdS+0uTNwliw7WkXvT6suAMJcbJOJ  
bQZXvCssk8A83S2/sRh5Sw4fl8B25/TFjMN2AP61ic7aYXz6Sd0LCb4Kt+UL4TX9  
aYC1qMNXr3S8AGX9JRL9X62bg6M5rHvi1ti+Ya5SFvMhy9hR4CfgP6lSRjM+1MFn  
2ISllpwsZOaLug29+IBd  
=USZD  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5362-01

Red Hat Security Advisory 2023-5361-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling, bypass, and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: nodejs:16 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:5361-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5361  
Issue date:        2023-09-26  
CVE Names:         CVE-2022-25883 CVE-2023-30581 CVE-2023-30588  
                   CVE-2023-30589 CVE-2023-30590 CVE-2023-32002  
                   CVE-2023-32006 CVE-2023-32559  
====================================================================  
1. Summary:

An update for the nodejs:16 module is now available for Red Hat Enterprise  
Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:  
nodejs (16). (BZ#2223679, BZ#2223681, BZ#2223683, BZ#2223685, BZ#2223687,  
BZ#2233892)

Security Fix(es):

* nodejs: Permissions policies can be bypassed via Module._load  
(CVE-2023-32002)

* nodejs-semver: Regular expression denial of service (CVE-2022-25883)

* nodejs: mainModule.proto bypass experimental policy mechanism  
(CVE-2023-30581)

* nodejs: process interuption due to invalid Public Key information in x509  
certificates (CVE-2023-30588)

* nodejs: HTTP Request Smuggling via Empty headers separated by CR  
(CVE-2023-30589)

* nodejs: DiffieHellman do not generate keys after setting a private key  
(CVE-2023-30590)

* nodejs: Permissions policies can impersonate other modules in using  
module.constructor.createRequire() (CVE-2023-32006)

* nodejs: Permissions policies can be bypassed via process.binding  
(CVE-2023-32559)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* nodejs:16/nodejs: nodejs.prov doesn't generate the bundled dependency for  
modules starting @ like @colors/colors (BZ#2237395)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2216475 - CVE-2022-25883 nodejs-semver: Regular expression denial of service  
2219824 - CVE-2023-30581 nodejs: mainModule.proto bypass experimental policy mechanism  
2219838 - CVE-2023-30588 nodejs: process interuption due to invalid Public Key information in x509 certificates  
2219841 - CVE-2023-30589 nodejs: HTTP Request Smuggling via Empty headers separated by CR  
2219842 - CVE-2023-30590 nodejs: DiffieHellman do not generate keys after setting a private key  
2223679 - nodejs:16/nodejs: Rebase to the latest Nodejs 16 release [rhel-8] [rhel-8.6.0.z]  
2230948 - CVE-2023-32002 nodejs: Permissions policies can be bypassed via Module._load  
2230955 - CVE-2023-32006 nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire()  
2230956 - CVE-2023-32559 nodejs: Permissions policies can be bypassed via process.binding  
2233892 - nodejs:16/nodejs: Rebase to the latest Nodejs 16 release [rhel-8] [rhel-8.6.0.z]  
2237395 - nodejs:16/nodejs: nodejs.prov doesn't generate the bundled dependency for modules starting @ like @colors/colors [rhel-8.6.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.src.rpm  
nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.src.rpm  
nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.src.rpm

aarch64:  
nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.aarch64.rpm  
nodejs-debuginfo-16.20.2-2.module+el8.6.0+19897+9590a839.aarch64.rpm  
nodejs-debugsource-16.20.2-2.module+el8.6.0+19897+9590a839.aarch64.rpm  
nodejs-devel-16.20.2-2.module+el8.6.0+19897+9590a839.aarch64.rpm  
nodejs-full-i18n-16.20.2-2.module+el8.6.0+19897+9590a839.aarch64.rpm  
npm-8.19.4-1.16.20.2.2.module+el8.6.0+19897+9590a839.aarch64.rpm

noarch:  
nodejs-docs-16.20.2-2.module+el8.6.0+19897+9590a839.noarch.rpm  
nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.noarch.rpm  
nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.noarch.rpm

ppc64le:  
nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm  
nodejs-debuginfo-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm  
nodejs-debugsource-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm  
nodejs-devel-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm  
nodejs-full-i18n-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm  
npm-8.19.4-1.16.20.2.2.module+el8.6.0+19897+9590a839.ppc64le.rpm

s390x:  
nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.s390x.rpm  
nodejs-debuginfo-16.20.2-2.module+el8.6.0+19897+9590a839.s390x.rpm  
nodejs-debugsource-16.20.2-2.module+el8.6.0+19897+9590a839.s390x.rpm  
nodejs-devel-16.20.2-2.module+el8.6.0+19897+9590a839.s390x.rpm  
nodejs-full-i18n-16.20.2-2.module+el8.6.0+19897+9590a839.s390x.rpm  
npm-8.19.4-1.16.20.2.2.module+el8.6.0+19897+9590a839.s390x.rpm

x86_64:  
nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm  
nodejs-debuginfo-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm  
nodejs-debugsource-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm  
nodejs-devel-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm  
nodejs-full-i18n-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm  
npm-8.19.4-1.16.20.2.2.module+el8.6.0+19897+9590a839.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-25883  
https://access.redhat.com/security/cve/CVE-2023-30581  
https://access.redhat.com/security/cve/CVE-2023-30588  
https://access.redhat.com/security/cve/CVE-2023-30589  
https://access.redhat.com/security/cve/CVE-2023-30590  
https://access.redhat.com/security/cve/CVE-2023-32002  
https://access.redhat.com/security/cve/CVE-2023-32006  
https://access.redhat.com/security/cve/CVE-2023-32559  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlEvhMAAoJENzjgjWX9erEi5IP/jdC6ZeTw1731qcDvIwRJBMw  
vW4r9w8sp33RdM+kdyeXnvCf8saD6ipc9hmE6tkBGXbx9o9hUq6dbkYkAHSUQN+s  
3oI8UJU6FaLYrfB7LHYgNWJYlvdLJ7ZmSq8EG/LkCezsvJOCl7BczHtRTR9NQx9l  
fZGV3jeGnH/A9rts/zVaEnnf4pIqXTOeEm67GtHkscrS22cMZDQ0qsJ7+3068Oxe  
NuuqW2mXnBGy3fomdxUqoWVqOtqbxRK+RoXQc3s4acyM0nSZwjWF+ZITR1Fd9BKh  
VpTWV1jNWZ9ZNsUhIiEOEMyS2FcLt+3VFHsQzs2PtiD6R/AiY3BihqDsjljGt1IX  
HE5627aG2uu5hq3XYxDgsbQecBAA7QbwrN+eGF2YTsPC6GFGtP4A+SGwQvE9LQR8  
V1aGfX7xiE8JcaMsSuqSkuhPVb0XyCfidcv9EuN8iqnfWL0cwUZeuo/oiPxpB1Tl  
CXpVoZuUeUcRRUYMW1Gw0wtL0UBPE4V645ysAMuAFyIgO2h8IFxDnF2j3tdQq7cE  
lNvG7ZFmLNtzi5cg7iX0t7dm0MA85r98QOh+7M41g2GwgAkeCqmOaznTgbrUmUPD  
bnGxJ3wSih1VJ/MlAfQLhFb39kfJj6cj33d7XBCM8aF0EnhQ5JKISSO2bTQYHbQY  
BhztaX0whwtE9+G9HxIg  
=1KUc  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5361-01

Red Hat Security Advisory 2023-5360-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: nodejs:16 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:5360-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5360  
Issue date:        2023-09-26  
CVE Names:         CVE-2022-25883 CVE-2023-32002 CVE-2023-32006  
                   CVE-2023-32559  
====================================================================  
1. Summary:

An update for the nodejs:16 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:  
nodejs (16). (BZ#2233891)

Security Fix(es):

* nodejs: Permissions policies can be bypassed via Module._load  
(CVE-2023-32002)

* nodejs-semver: Regular expression denial of service (CVE-2022-25883)

* nodejs: Permissions policies can impersonate other modules in using  
module.constructor.createRequire() (CVE-2023-32006)

* nodejs: Permissions policies can be bypassed via process.binding  
(CVE-2023-32559)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* nodejs:16/nodejs: nodejs.prov doesn't generate the bundled dependency for  
modules starting @ like @colors/colors (BZ#2237394)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2216475 - CVE-2022-25883 nodejs-semver: Regular expression denial of service  
2230948 - CVE-2023-32002 nodejs: Permissions policies can be bypassed via Module._load  
2230955 - CVE-2023-32006 nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire()  
2230956 - CVE-2023-32559 nodejs: Permissions policies can be bypassed via process.binding  
2233891 - nodejs:16/nodejs: Rebase to the latest Nodejs 16 release [rhel-8] [rhel-8.8.0.z]  
2237394 - nodejs:16/nodejs: nodejs.prov doesn't generate the bundled dependency for modules starting @ like @colors/colors [rhel-8.8.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
nodejs-16.20.2-2.module+el8.8.0+19898+ab99ba34.src.rpm  
nodejs-nodemon-3.0.1-1.module+el8.8.0+19764+7eed1ca3.src.rpm  
nodejs-packaging-26-1.module+el8.8.0+19857+6d2a104d.src.rpm

aarch64:  
nodejs-16.20.2-2.module+el8.8.0+19898+ab99ba34.aarch64.rpm  
nodejs-debuginfo-16.20.2-2.module+el8.8.0+19898+ab99ba34.aarch64.rpm  
nodejs-debugsource-16.20.2-2.module+el8.8.0+19898+ab99ba34.aarch64.rpm  
nodejs-devel-16.20.2-2.module+el8.8.0+19898+ab99ba34.aarch64.rpm  
nodejs-full-i18n-16.20.2-2.module+el8.8.0+19898+ab99ba34.aarch64.rpm  
npm-8.19.4-1.16.20.2.2.module+el8.8.0+19898+ab99ba34.aarch64.rpm

noarch:  
nodejs-docs-16.20.2-2.module+el8.8.0+19898+ab99ba34.noarch.rpm  
nodejs-nodemon-3.0.1-1.module+el8.8.0+19764+7eed1ca3.noarch.rpm  
nodejs-packaging-26-1.module+el8.8.0+19857+6d2a104d.noarch.rpm

ppc64le:  
nodejs-16.20.2-2.module+el8.8.0+19898+ab99ba34.ppc64le.rpm  
nodejs-debuginfo-16.20.2-2.module+el8.8.0+19898+ab99ba34.ppc64le.rpm  
nodejs-debugsource-16.20.2-2.module+el8.8.0+19898+ab99ba34.ppc64le.rpm  
nodejs-devel-16.20.2-2.module+el8.8.0+19898+ab99ba34.ppc64le.rpm  
nodejs-full-i18n-16.20.2-2.module+el8.8.0+19898+ab99ba34.ppc64le.rpm  
npm-8.19.4-1.16.20.2.2.module+el8.8.0+19898+ab99ba34.ppc64le.rpm

s390x:  
nodejs-16.20.2-2.module+el8.8.0+19898+ab99ba34.s390x.rpm  
nodejs-debuginfo-16.20.2-2.module+el8.8.0+19898+ab99ba34.s390x.rpm  
nodejs-debugsource-16.20.2-2.module+el8.8.0+19898+ab99ba34.s390x.rpm  
nodejs-devel-16.20.2-2.module+el8.8.0+19898+ab99ba34.s390x.rpm  
nodejs-full-i18n-16.20.2-2.module+el8.8.0+19898+ab99ba34.s390x.rpm  
npm-8.19.4-1.16.20.2.2.module+el8.8.0+19898+ab99ba34.s390x.rpm

x86_64:  
nodejs-16.20.2-2.module+el8.8.0+19898+ab99ba34.x86_64.rpm  
nodejs-debuginfo-16.20.2-2.module+el8.8.0+19898+ab99ba34.x86_64.rpm  
nodejs-debugsource-16.20.2-2.module+el8.8.0+19898+ab99ba34.x86_64.rpm  
nodejs-devel-16.20.2-2.module+el8.8.0+19898+ab99ba34.x86_64.rpm  
nodejs-full-i18n-16.20.2-2.module+el8.8.0+19898+ab99ba34.x86_64.rpm  
npm-8.19.4-1.16.20.2.2.module+el8.8.0+19898+ab99ba34.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-25883  
https://access.redhat.com/security/cve/CVE-2023-32002  
https://access.redhat.com/security/cve/CVE-2023-32006  
https://access.redhat.com/security/cve/CVE-2023-32559  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlEvhOAAoJENzjgjWX9erEP0AQAJgFJ9+h63XAL1MxDUvmQ6CV  
9vz7/wNU8Z3b/3N4UIa7M5bopk9CoaY1kmgINrHAO9mcmX/XpIgjzjcY3v5xEpge  
u3Ggwwa13OmxPqNfQfOH4mqdUEf11yKfAzLPlTItIA0PXd2cIhmdikze0pvvcQuA  
KW0BkH4vODrJT/wYPaQhmyasvyBbs4TlTfvBpb9adwQwUyy8vWfaIyBS+AW8T4u1  
zED7deM00Sq5ldMMVGy8cgCyO+jKG65ctNtowoer1poeYWPrxC7Mwxbw9guZ6KWN  
xMrf7OJRCxuAJJwraDA55us4tFwoh5McQK1Q774cLl5ZRSd88jYRz3FJJcEMgQxr  
Jl5WQSLqPIuInmYW5TVCbQ5ckkB/WW719yJ+tF2YfwrY9XdqH+B+QuNTlMrDnuDn  
bn3YLmJDFDDxifCxKMcZO5uZ8/YpgWJ7Gx4DuOA7h9rzltLCaQy7r9+zOsW94tIO  
rWIrZ/YFP9MYFI4qBnET7OKspcEho5bPDastOS6Tg0ew9RvxE6mcZ2FaafFUNc/k  
LdpBsD/FcVY3Js/JN9wSQ6Y9o5P78kvVNoFg65409sIJZPH+LNC6t/tV7VFDSKTi  
kTaEl584sEClW6T4hC/TYhJyEkUhZspVhnSwkOmlEVYodjWuPDuj7pN/akYQrcVB  
X0FgvieX2DR7WApPA5t7  
=OyxK  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5360-01

Red Hat Security Advisory 2023-5363-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: nodejs:18 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:5363-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5363  
Issue date:        2023-09-26  
CVE Names:         CVE-2022-25883 CVE-2023-32002 CVE-2023-32006  
                   CVE-2023-32559  
====================================================================  
1. Summary:

An update for the nodejs:18 module is now available for Red Hat Enterprise  
Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:  
nodejs (18). (BZ#2223313, BZ#2234404)

Security Fix(es):

* nodejs: Permissions policies can be bypassed via Module._load  
(CVE-2023-32002)

* nodejs-semver: Regular expression denial of service (CVE-2022-25883)

* nodejs: Permissions policies can impersonate other modules in using  
module.constructor.createRequire() (CVE-2023-32006)

* nodejs: Permissions policies can be bypassed via process.binding  
(CVE-2023-32559)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2216475 - CVE-2022-25883 nodejs-semver: Regular expression denial of service  
2223313 - nodejs:18/nodejs: Rebase to the latest Nodejs 18 release [rhel-9] [rhel-9.2.0.z]  
2230948 - CVE-2023-32002 nodejs: Permissions policies can be bypassed via Module._load  
2230955 - CVE-2023-32006 nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire()  
2230956 - CVE-2023-32559 nodejs: Permissions policies can be bypassed via process.binding  
2234404 - nodejs:18/nodejs: Rebase to the latest Nodejs 18 release [rhel-9] [rhel-9.2.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
nodejs-18.17.1-1.module+el9.2.0.z+19753+58118bc0.src.rpm  
nodejs-nodemon-3.0.1-1.module+el9.2.0.z+19753+58118bc0.src.rpm  
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.src.rpm

aarch64:  
nodejs-18.17.1-1.module+el9.2.0.z+19753+58118bc0.aarch64.rpm  
nodejs-debuginfo-18.17.1-1.module+el9.2.0.z+19753+58118bc0.aarch64.rpm  
nodejs-debugsource-18.17.1-1.module+el9.2.0.z+19753+58118bc0.aarch64.rpm  
nodejs-devel-18.17.1-1.module+el9.2.0.z+19753+58118bc0.aarch64.rpm  
nodejs-full-i18n-18.17.1-1.module+el9.2.0.z+19753+58118bc0.aarch64.rpm  
npm-9.6.7-1.18.17.1.1.module+el9.2.0.z+19753+58118bc0.aarch64.rpm

noarch:  
nodejs-docs-18.17.1-1.module+el9.2.0.z+19753+58118bc0.noarch.rpm  
nodejs-nodemon-3.0.1-1.module+el9.2.0.z+19753+58118bc0.noarch.rpm  
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm  
nodejs-packaging-bundler-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm

ppc64le:  
nodejs-18.17.1-1.module+el9.2.0.z+19753+58118bc0.ppc64le.rpm  
nodejs-debuginfo-18.17.1-1.module+el9.2.0.z+19753+58118bc0.ppc64le.rpm  
nodejs-debugsource-18.17.1-1.module+el9.2.0.z+19753+58118bc0.ppc64le.rpm  
nodejs-devel-18.17.1-1.module+el9.2.0.z+19753+58118bc0.ppc64le.rpm  
nodejs-full-i18n-18.17.1-1.module+el9.2.0.z+19753+58118bc0.ppc64le.rpm  
npm-9.6.7-1.18.17.1.1.module+el9.2.0.z+19753+58118bc0.ppc64le.rpm

s390x:  
nodejs-18.17.1-1.module+el9.2.0.z+19753+58118bc0.s390x.rpm  
nodejs-debuginfo-18.17.1-1.module+el9.2.0.z+19753+58118bc0.s390x.rpm  
nodejs-debugsource-18.17.1-1.module+el9.2.0.z+19753+58118bc0.s390x.rpm  
nodejs-devel-18.17.1-1.module+el9.2.0.z+19753+58118bc0.s390x.rpm  
nodejs-full-i18n-18.17.1-1.module+el9.2.0.z+19753+58118bc0.s390x.rpm  
npm-9.6.7-1.18.17.1.1.module+el9.2.0.z+19753+58118bc0.s390x.rpm

x86_64:  
nodejs-18.17.1-1.module+el9.2.0.z+19753+58118bc0.x86_64.rpm  
nodejs-debuginfo-18.17.1-1.module+el9.2.0.z+19753+58118bc0.x86_64.rpm  
nodejs-debugsource-18.17.1-1.module+el9.2.0.z+19753+58118bc0.x86_64.rpm  
nodejs-devel-18.17.1-1.module+el9.2.0.z+19753+58118bc0.x86_64.rpm  
nodejs-full-i18n-18.17.1-1.module+el9.2.0.z+19753+58118bc0.x86_64.rpm  
npm-9.6.7-1.18.17.1.1.module+el9.2.0.z+19753+58118bc0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-25883  
https://access.redhat.com/security/cve/CVE-2023-32002  
https://access.redhat.com/security/cve/CVE-2023-32006  
https://access.redhat.com/security/cve/CVE-2023-32559  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlEvhJAAoJENzjgjWX9erEo5YQAJrAJckYpC4Ba1rhDGGQ46/P  
3lbT2QoOiy7SGCGgplFmyH5PTYmS3WLfxFbvjLniRHMODBxBHG23nCDdBKNQGK6x  
tS+jPaDt9fX3Gl2Q/oIccTk+h8zkUQBwYv23fRh/bpagEtrcTWoMkRfeVWT52gs0  
gjfu2Ez+i+06OufKgAvYYoSKpGcq9QDQ1UGGqR14AuID2wlmJ5bJ0TtfhWnVHoOq  
cHHGhLCtzasmk+k8Gi4zYfp3dAyUKA7253rxyH73dr6BQr7sgcO0SNW31Ur3Gjwp  
dGLsA4ydgu7NnoRl5R6zjlmPKkgUawZ4aV9LvAePa5hu86rbcHwt/uAwtu3OgHs+  
6Hn7zUEbXCF1BXtAVUkmmEWTEiMZ9+2B7JvzbkxambM0lr6RMctJ+irh1429k2wr  
RlXmFSN2jZUP7wZGSlG7+U6vXI0JW64FlE0oWmKsaxvAtaPTbDU8nA+VejOhplDe  
Nx1jeGb6cJLplG/d3nsGDGrYSrkG1IXzBVKBvfW4qBdicOHNO6Xy32CVH1PmD6V4  
VX4C5+PKl0OyzIYxXSlIGbn02cZg1J3tW0cbdKOK3lsRD4cbQVNl2234M+aFFRKk  
j8D+NiHmbMpXDSHHP6S1T3xpWeJ6Wl9TRCrcYPPbJNQXS8x4okGAnunOUqSqJNsf  
1+N9c9dYtcCCjI1NnmHA  
=1q20  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5363-01

This issue was addressed with improved iframe sandbox enforcement. This issue is fixed in Safari 17. An attacker with JavaScript execution may be able to execute arbitrary code.

Released September 26, 2023

**Safari**

Available for: macOS Monterey and macOS Ventura

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: A window management issue was addressed with improved state management.

CVE-2023-40417: Narendra Bhati From Suma Soft Pvt. Ltd, Pune (India)

**WebKit**

Available for: macOS Monterey and macOS Ventura

Impact: An attacker with JavaScript execution may be able to execute arbitrary code

Description: This issue was addressed with improved iframe sandbox enforcement.

WebKit Bugzilla: 251276  
CVE-2023-40451: an anonymous researcher

**WebKit**

Available for: macOS Monterey and macOS Ventura

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256551  
CVE-2023-41074: 이준성(Junsung Lee) of Cross Republic and me Li

**WebKit**

Available for: macOS Monterey and macOS Ventura

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 239758  
CVE-2023-35074: Abysslab Dong Jun Kim(@smlijun) and Jong Seong Kim(@nevul37)

**WebKit**

Available for: macOS Ventura

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 261544  
CVE-2023-41993: Bill Marczak of The Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

CVE-2023-40451: About the security content of Safari 17

Dreamer CMS v4.1.3 was discovered to contain an arbitrary file read vulnerability via the component /admin/TemplateController.java.

解决方案

致力于帮助更多的中小企业树立线上企业品牌，实现互联网转型

*   政府
    
    赋予每个政府机构和每个人以强大的力量，助其取得更大成就。
    
    推动经济增长和发展
    
    建设可持续发展未来
    
    提供安全可靠的服务
    
    实现个性化数字体验
    
    政府
    
    赋予每个政府机构和每个人以强大的力量，助其取得更大成就。
    
    推动经济增长和发展
    
    刺激经济增长，为员工提供培训、技能提升机会和新计划。
    
    建设可持续发展未来
    
    利用新兴技术的力量创造更美好的未来。
    
    提供安全可靠的服务
    
    通过采用最高安全性和合规性标准，构建值得信赖的政府服务。
    
    实现个性化数字体验
    
    利用政府解决方案为个人和企业提供可访问的包容性平台和增强数字服务。
    
*   协会
    
    流程繁琐复杂 邀约渠道复杂 互动场景单一 参会者数据单一
    
    协会
    
    流程繁琐复杂 邀约渠道复杂 互动场景单一 参会者数据单一
    
    流程繁琐复杂
    
    参会者多，嘉宾多，行程多，需要反复确认嘉宾和参会者日程，而工作人员就那些
    
    互动场景单一
    
    互动场景少，内容触达难实现，参会者反馈和体验无法收集
    
*   加快您成功步伐
    
    当今时代，局势瞬息万变。我们拥有无可比拟的威胁情报，只要是发现过一次的威胁，就能在所有位置保护企业免受危害。
    
    简化安全保护
    
    通过快速部署获得强大的保护，利用自动、准确的警报来节省时间。因此，您可以将精力集中在对业务最重要的工作上。
    
    保护您的未来
    
    您再也不必随着业务的增长而不断更改安全策略。充分利用我们的资源和专业知识，推动您的企业向前发展。
    
*   学校
    
    学生是我国的一个特殊群体,增强学生体质, 促进学生健康成长,是关系到国家和民族未来的大事。
    
    基于数据和事实
    
    数字校园建设目标
    
    助力教师提升专业水平
    
    学校
    
    学生是我国的一个特殊群体,增强学生体质, 促进学生健康成长,是关系到国家和民族未来的大事。
    
    基于数据和事实
    
    基于数据和事实的实证分析，立足于区域生涯教育的基础和开展现状
    
    数字校园建设目标
    
    实现校园内教学、科研、管理、服务的数字化、信息化、网络化，深化教育改革，提高办学质量、办学效益和科研水平
    
    助力教师提升专业水平
    
    帮助学校生涯教师提升专业水平，提高学校生涯课程教学的质量
    
*   学习型组织
    
    结合企业组织架构，按不同部门和岗位科学安排培训学习任务，注重培训学习效果，打造学习型组织。
    
    知识库
    
    通过数字化平台转化承载培训学习课程内容，沉淀企业知识库，为企业经营管理赋能。
    

立即咨询

合作客户

我们深知合作才能共赢，和众多知名企业达成深入合作

*   公司新闻
    
    二、资源目录和代码之间的关系 公司新闻
    
    二、资源目录和代码之间的关系 公司新闻
    
    一、开发环境搭建及项目导入 公司新闻
    
    查看更多
    
*   行业新闻
    
    智慧校园管理系统平台组成内容有哪些 行业新闻
    
    中小学管理系统开发过程中遇到的问题 行业新闻
    
    智慧校园管理系统平台组成内容有哪些 行业新闻
    
    查看更多
    
*   更新记录
    
    梦想家内容管理系统部署文档 更新记录
    
    梦想家内容管理系统v4.0.0发布了 更新记录
    
    梦想家内容管理系统部署文档 更新记录
    
    查看更多

CVE-2023-43856: Dreamer CMS 梦想家内容管理系统

In Apollo  change requests, comments added by users could contain a javascript URI link that when rendered will result in an XSS that require user interaction.

CVE-2023-30959: Palantir | Trust and Security Portal

Palantir Gotham was found to be vulnerable to a bug where under certain circumstances, the frontend could have applied an incorrect classification to a newly created property or link.

CVE-2023-30961: Palantir | Trust and Security Portal

A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.

Issued:

2023-08-31

Updated:

2023-08-31

**RHSA-2023:4918 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: Red Hat Single Sign-On 7.6.5 security update on RHEL 7

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

New Red Hat Single Sign-On 7.6.5 packages are now available for Red Hat Enterprise Linux 7.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.  

This release of Red Hat Single Sign-On 7.6.5 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.  

Security Fix(es):  

*   jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
*   jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
*   undertow: OutOfMemoryError due to @MultipartConfig handling (CVE-2023-3223)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

**Solution**

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.  

For details on how to apply this update, refer to:  

https://access.redhat.com/articles/11258

**Affected Products**

*   Red Hat Single Sign-On 7.6 for RHEL 7 x86\_64

**Fixes**

*   BZ - 2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
*   BZ - 2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode
*   BZ - 2209689 - CVE-2023-3223 undertow: OutOfMemoryError due to @MultipartConfig handling

**Red Hat Single Sign-On 7.6 for RHEL 7**

SRPM

rh-sso7-keycloak-18.0.9-1.redhat\_00001.1.el7sso.src.rpm

SHA-256: 815b38ee5176e3db39d67d75c58e3da2d2497beb98bf0285571d956ce2f813c2

x86\_64

rh-sso7-keycloak-18.0.9-1.redhat\_00001.1.el7sso.noarch.rpm

SHA-256: 1d66f533b329f7eb6502b3c1883a610f0ba13eb91192a770eebdc588bac5cacb

rh-sso7-keycloak-server-18.0.9-1.redhat\_00001.1.el7sso.noarch.rpm

SHA-256: f74947d427d57dfa47aa747c0a22964487151056b44a88eeeaa7bc8d41d564bd

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Tag

#java