Red Hat Security Advisory 2023-5361-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling, bypass, and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: nodejs:16 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:5361-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5361  
Issue date:        2023-09-26  
CVE Names:         CVE-2022-25883 CVE-2023-30581 CVE-2023-30588  
                   CVE-2023-30589 CVE-2023-30590 CVE-2023-32002  
                   CVE-2023-32006 CVE-2023-32559  
====================================================================  
1. Summary:

An update for the nodejs:16 module is now available for Red Hat Enterprise  
Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:  
nodejs (16). (BZ#2223679, BZ#2223681, BZ#2223683, BZ#2223685, BZ#2223687,  
BZ#2233892)

Security Fix(es):

* nodejs: Permissions policies can be bypassed via Module._load  
(CVE-2023-32002)

* nodejs-semver: Regular expression denial of service (CVE-2022-25883)

* nodejs: mainModule.proto bypass experimental policy mechanism  
(CVE-2023-30581)

* nodejs: process interuption due to invalid Public Key information in x509  
certificates (CVE-2023-30588)

* nodejs: HTTP Request Smuggling via Empty headers separated by CR  
(CVE-2023-30589)

* nodejs: DiffieHellman do not generate keys after setting a private key  
(CVE-2023-30590)

* nodejs: Permissions policies can impersonate other modules in using  
module.constructor.createRequire() (CVE-2023-32006)

* nodejs: Permissions policies can be bypassed via process.binding  
(CVE-2023-32559)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* nodejs:16/nodejs: nodejs.prov doesn't generate the bundled dependency for  
modules starting @ like @colors/colors (BZ#2237395)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2216475 - CVE-2022-25883 nodejs-semver: Regular expression denial of service  
2219824 - CVE-2023-30581 nodejs: mainModule.proto bypass experimental policy mechanism  
2219838 - CVE-2023-30588 nodejs: process interuption due to invalid Public Key information in x509 certificates  
2219841 - CVE-2023-30589 nodejs: HTTP Request Smuggling via Empty headers separated by CR  
2219842 - CVE-2023-30590 nodejs: DiffieHellman do not generate keys after setting a private key  
2223679 - nodejs:16/nodejs: Rebase to the latest Nodejs 16 release [rhel-8] [rhel-8.6.0.z]  
2230948 - CVE-2023-32002 nodejs: Permissions policies can be bypassed via Module._load  
2230955 - CVE-2023-32006 nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire()  
2230956 - CVE-2023-32559 nodejs: Permissions policies can be bypassed via process.binding  
2233892 - nodejs:16/nodejs: Rebase to the latest Nodejs 16 release [rhel-8] [rhel-8.6.0.z]  
2237395 - nodejs:16/nodejs: nodejs.prov doesn't generate the bundled dependency for modules starting @ like @colors/colors [rhel-8.6.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.src.rpm  
nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.src.rpm  
nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.src.rpm

aarch64:  
nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.aarch64.rpm  
nodejs-debuginfo-16.20.2-2.module+el8.6.0+19897+9590a839.aarch64.rpm  
nodejs-debugsource-16.20.2-2.module+el8.6.0+19897+9590a839.aarch64.rpm  
nodejs-devel-16.20.2-2.module+el8.6.0+19897+9590a839.aarch64.rpm  
nodejs-full-i18n-16.20.2-2.module+el8.6.0+19897+9590a839.aarch64.rpm  
npm-8.19.4-1.16.20.2.2.module+el8.6.0+19897+9590a839.aarch64.rpm

noarch:  
nodejs-docs-16.20.2-2.module+el8.6.0+19897+9590a839.noarch.rpm  
nodejs-nodemon-3.0.1-1.module+el8.6.0+19765+366b9144.noarch.rpm  
nodejs-packaging-26-1.module+el8.6.0+19856+c0c87259.noarch.rpm

ppc64le:  
nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm  
nodejs-debuginfo-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm  
nodejs-debugsource-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm  
nodejs-devel-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm  
nodejs-full-i18n-16.20.2-2.module+el8.6.0+19897+9590a839.ppc64le.rpm  
npm-8.19.4-1.16.20.2.2.module+el8.6.0+19897+9590a839.ppc64le.rpm

s390x:  
nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.s390x.rpm  
nodejs-debuginfo-16.20.2-2.module+el8.6.0+19897+9590a839.s390x.rpm  
nodejs-debugsource-16.20.2-2.module+el8.6.0+19897+9590a839.s390x.rpm  
nodejs-devel-16.20.2-2.module+el8.6.0+19897+9590a839.s390x.rpm  
nodejs-full-i18n-16.20.2-2.module+el8.6.0+19897+9590a839.s390x.rpm  
npm-8.19.4-1.16.20.2.2.module+el8.6.0+19897+9590a839.s390x.rpm

x86_64:  
nodejs-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm  
nodejs-debuginfo-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm  
nodejs-debugsource-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm  
nodejs-devel-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm  
nodejs-full-i18n-16.20.2-2.module+el8.6.0+19897+9590a839.x86_64.rpm  
npm-8.19.4-1.16.20.2.2.module+el8.6.0+19897+9590a839.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-25883  
https://access.redhat.com/security/cve/CVE-2023-30581  
https://access.redhat.com/security/cve/CVE-2023-30588  
https://access.redhat.com/security/cve/CVE-2023-30589  
https://access.redhat.com/security/cve/CVE-2023-30590  
https://access.redhat.com/security/cve/CVE-2023-32002  
https://access.redhat.com/security/cve/CVE-2023-32006  
https://access.redhat.com/security/cve/CVE-2023-32559  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlEvhMAAoJENzjgjWX9erEi5IP/jdC6ZeTw1731qcDvIwRJBMw  
vW4r9w8sp33RdM+kdyeXnvCf8saD6ipc9hmE6tkBGXbx9o9hUq6dbkYkAHSUQN+s  
3oI8UJU6FaLYrfB7LHYgNWJYlvdLJ7ZmSq8EG/LkCezsvJOCl7BczHtRTR9NQx9l  
fZGV3jeGnH/A9rts/zVaEnnf4pIqXTOeEm67GtHkscrS22cMZDQ0qsJ7+3068Oxe  
NuuqW2mXnBGy3fomdxUqoWVqOtqbxRK+RoXQc3s4acyM0nSZwjWF+ZITR1Fd9BKh  
VpTWV1jNWZ9ZNsUhIiEOEMyS2FcLt+3VFHsQzs2PtiD6R/AiY3BihqDsjljGt1IX  
HE5627aG2uu5hq3XYxDgsbQecBAA7QbwrN+eGF2YTsPC6GFGtP4A+SGwQvE9LQR8  
V1aGfX7xiE8JcaMsSuqSkuhPVb0XyCfidcv9EuN8iqnfWL0cwUZeuo/oiPxpB1Tl  
CXpVoZuUeUcRRUYMW1Gw0wtL0UBPE4V645ysAMuAFyIgO2h8IFxDnF2j3tdQq7cE  
lNvG7ZFmLNtzi5cg7iX0t7dm0MA85r98QOh+7M41g2GwgAkeCqmOaznTgbrUmUPD  
bnGxJ3wSih1VJ/MlAfQLhFb39kfJj6cj33d7XBCM8aF0EnhQ5JKISSO2bTQYHbQY  
BhztaX0whwtE9+G9HxIg  
=1KUc  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5361-01

Red Hat Security Advisory 2023-5360-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: nodejs:16 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:5360-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5360  
Issue date:        2023-09-26  
CVE Names:         CVE-2022-25883 CVE-2023-32002 CVE-2023-32006  
                   CVE-2023-32559  
====================================================================  
1. Summary:

An update for the nodejs:16 module is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:  
nodejs (16). (BZ#2233891)

Security Fix(es):

* nodejs: Permissions policies can be bypassed via Module._load  
(CVE-2023-32002)

* nodejs-semver: Regular expression denial of service (CVE-2022-25883)

* nodejs: Permissions policies can impersonate other modules in using  
module.constructor.createRequire() (CVE-2023-32006)

* nodejs: Permissions policies can be bypassed via process.binding  
(CVE-2023-32559)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* nodejs:16/nodejs: nodejs.prov doesn't generate the bundled dependency for  
modules starting @ like @colors/colors (BZ#2237394)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2216475 - CVE-2022-25883 nodejs-semver: Regular expression denial of service  
2230948 - CVE-2023-32002 nodejs: Permissions policies can be bypassed via Module._load  
2230955 - CVE-2023-32006 nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire()  
2230956 - CVE-2023-32559 nodejs: Permissions policies can be bypassed via process.binding  
2233891 - nodejs:16/nodejs: Rebase to the latest Nodejs 16 release [rhel-8] [rhel-8.8.0.z]  
2237394 - nodejs:16/nodejs: nodejs.prov doesn't generate the bundled dependency for modules starting @ like @colors/colors [rhel-8.8.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
nodejs-16.20.2-2.module+el8.8.0+19898+ab99ba34.src.rpm  
nodejs-nodemon-3.0.1-1.module+el8.8.0+19764+7eed1ca3.src.rpm  
nodejs-packaging-26-1.module+el8.8.0+19857+6d2a104d.src.rpm

aarch64:  
nodejs-16.20.2-2.module+el8.8.0+19898+ab99ba34.aarch64.rpm  
nodejs-debuginfo-16.20.2-2.module+el8.8.0+19898+ab99ba34.aarch64.rpm  
nodejs-debugsource-16.20.2-2.module+el8.8.0+19898+ab99ba34.aarch64.rpm  
nodejs-devel-16.20.2-2.module+el8.8.0+19898+ab99ba34.aarch64.rpm  
nodejs-full-i18n-16.20.2-2.module+el8.8.0+19898+ab99ba34.aarch64.rpm  
npm-8.19.4-1.16.20.2.2.module+el8.8.0+19898+ab99ba34.aarch64.rpm

noarch:  
nodejs-docs-16.20.2-2.module+el8.8.0+19898+ab99ba34.noarch.rpm  
nodejs-nodemon-3.0.1-1.module+el8.8.0+19764+7eed1ca3.noarch.rpm  
nodejs-packaging-26-1.module+el8.8.0+19857+6d2a104d.noarch.rpm

ppc64le:  
nodejs-16.20.2-2.module+el8.8.0+19898+ab99ba34.ppc64le.rpm  
nodejs-debuginfo-16.20.2-2.module+el8.8.0+19898+ab99ba34.ppc64le.rpm  
nodejs-debugsource-16.20.2-2.module+el8.8.0+19898+ab99ba34.ppc64le.rpm  
nodejs-devel-16.20.2-2.module+el8.8.0+19898+ab99ba34.ppc64le.rpm  
nodejs-full-i18n-16.20.2-2.module+el8.8.0+19898+ab99ba34.ppc64le.rpm  
npm-8.19.4-1.16.20.2.2.module+el8.8.0+19898+ab99ba34.ppc64le.rpm

s390x:  
nodejs-16.20.2-2.module+el8.8.0+19898+ab99ba34.s390x.rpm  
nodejs-debuginfo-16.20.2-2.module+el8.8.0+19898+ab99ba34.s390x.rpm  
nodejs-debugsource-16.20.2-2.module+el8.8.0+19898+ab99ba34.s390x.rpm  
nodejs-devel-16.20.2-2.module+el8.8.0+19898+ab99ba34.s390x.rpm  
nodejs-full-i18n-16.20.2-2.module+el8.8.0+19898+ab99ba34.s390x.rpm  
npm-8.19.4-1.16.20.2.2.module+el8.8.0+19898+ab99ba34.s390x.rpm

x86_64:  
nodejs-16.20.2-2.module+el8.8.0+19898+ab99ba34.x86_64.rpm  
nodejs-debuginfo-16.20.2-2.module+el8.8.0+19898+ab99ba34.x86_64.rpm  
nodejs-debugsource-16.20.2-2.module+el8.8.0+19898+ab99ba34.x86_64.rpm  
nodejs-devel-16.20.2-2.module+el8.8.0+19898+ab99ba34.x86_64.rpm  
nodejs-full-i18n-16.20.2-2.module+el8.8.0+19898+ab99ba34.x86_64.rpm  
npm-8.19.4-1.16.20.2.2.module+el8.8.0+19898+ab99ba34.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-25883  
https://access.redhat.com/security/cve/CVE-2023-32002  
https://access.redhat.com/security/cve/CVE-2023-32006  
https://access.redhat.com/security/cve/CVE-2023-32559  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlEvhOAAoJENzjgjWX9erEP0AQAJgFJ9+h63XAL1MxDUvmQ6CV  
9vz7/wNU8Z3b/3N4UIa7M5bopk9CoaY1kmgINrHAO9mcmX/XpIgjzjcY3v5xEpge  
u3Ggwwa13OmxPqNfQfOH4mqdUEf11yKfAzLPlTItIA0PXd2cIhmdikze0pvvcQuA  
KW0BkH4vODrJT/wYPaQhmyasvyBbs4TlTfvBpb9adwQwUyy8vWfaIyBS+AW8T4u1  
zED7deM00Sq5ldMMVGy8cgCyO+jKG65ctNtowoer1poeYWPrxC7Mwxbw9guZ6KWN  
xMrf7OJRCxuAJJwraDA55us4tFwoh5McQK1Q774cLl5ZRSd88jYRz3FJJcEMgQxr  
Jl5WQSLqPIuInmYW5TVCbQ5ckkB/WW719yJ+tF2YfwrY9XdqH+B+QuNTlMrDnuDn  
bn3YLmJDFDDxifCxKMcZO5uZ8/YpgWJ7Gx4DuOA7h9rzltLCaQy7r9+zOsW94tIO  
rWIrZ/YFP9MYFI4qBnET7OKspcEho5bPDastOS6Tg0ew9RvxE6mcZ2FaafFUNc/k  
LdpBsD/FcVY3Js/JN9wSQ6Y9o5P78kvVNoFg65409sIJZPH+LNC6t/tV7VFDSKTi  
kTaEl584sEClW6T4hC/TYhJyEkUhZspVhnSwkOmlEVYodjWuPDuj7pN/akYQrcVB  
X0FgvieX2DR7WApPA5t7  
=OyxK  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5360-01

Red Hat Security Advisory 2023-5363-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: nodejs:18 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:5363-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5363  
Issue date:        2023-09-26  
CVE Names:         CVE-2022-25883 CVE-2023-32002 CVE-2023-32006  
                   CVE-2023-32559  
====================================================================  
1. Summary:

An update for the nodejs:18 module is now available for Red Hat Enterprise  
Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:  
nodejs (18). (BZ#2223313, BZ#2234404)

Security Fix(es):

* nodejs: Permissions policies can be bypassed via Module._load  
(CVE-2023-32002)

* nodejs-semver: Regular expression denial of service (CVE-2022-25883)

* nodejs: Permissions policies can impersonate other modules in using  
module.constructor.createRequire() (CVE-2023-32006)

* nodejs: Permissions policies can be bypassed via process.binding  
(CVE-2023-32559)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2216475 - CVE-2022-25883 nodejs-semver: Regular expression denial of service  
2223313 - nodejs:18/nodejs: Rebase to the latest Nodejs 18 release [rhel-9] [rhel-9.2.0.z]  
2230948 - CVE-2023-32002 nodejs: Permissions policies can be bypassed via Module._load  
2230955 - CVE-2023-32006 nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire()  
2230956 - CVE-2023-32559 nodejs: Permissions policies can be bypassed via process.binding  
2234404 - nodejs:18/nodejs: Rebase to the latest Nodejs 18 release [rhel-9] [rhel-9.2.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
nodejs-18.17.1-1.module+el9.2.0.z+19753+58118bc0.src.rpm  
nodejs-nodemon-3.0.1-1.module+el9.2.0.z+19753+58118bc0.src.rpm  
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.src.rpm

aarch64:  
nodejs-18.17.1-1.module+el9.2.0.z+19753+58118bc0.aarch64.rpm  
nodejs-debuginfo-18.17.1-1.module+el9.2.0.z+19753+58118bc0.aarch64.rpm  
nodejs-debugsource-18.17.1-1.module+el9.2.0.z+19753+58118bc0.aarch64.rpm  
nodejs-devel-18.17.1-1.module+el9.2.0.z+19753+58118bc0.aarch64.rpm  
nodejs-full-i18n-18.17.1-1.module+el9.2.0.z+19753+58118bc0.aarch64.rpm  
npm-9.6.7-1.18.17.1.1.module+el9.2.0.z+19753+58118bc0.aarch64.rpm

noarch:  
nodejs-docs-18.17.1-1.module+el9.2.0.z+19753+58118bc0.noarch.rpm  
nodejs-nodemon-3.0.1-1.module+el9.2.0.z+19753+58118bc0.noarch.rpm  
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm  
nodejs-packaging-bundler-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm

ppc64le:  
nodejs-18.17.1-1.module+el9.2.0.z+19753+58118bc0.ppc64le.rpm  
nodejs-debuginfo-18.17.1-1.module+el9.2.0.z+19753+58118bc0.ppc64le.rpm  
nodejs-debugsource-18.17.1-1.module+el9.2.0.z+19753+58118bc0.ppc64le.rpm  
nodejs-devel-18.17.1-1.module+el9.2.0.z+19753+58118bc0.ppc64le.rpm  
nodejs-full-i18n-18.17.1-1.module+el9.2.0.z+19753+58118bc0.ppc64le.rpm  
npm-9.6.7-1.18.17.1.1.module+el9.2.0.z+19753+58118bc0.ppc64le.rpm

s390x:  
nodejs-18.17.1-1.module+el9.2.0.z+19753+58118bc0.s390x.rpm  
nodejs-debuginfo-18.17.1-1.module+el9.2.0.z+19753+58118bc0.s390x.rpm  
nodejs-debugsource-18.17.1-1.module+el9.2.0.z+19753+58118bc0.s390x.rpm  
nodejs-devel-18.17.1-1.module+el9.2.0.z+19753+58118bc0.s390x.rpm  
nodejs-full-i18n-18.17.1-1.module+el9.2.0.z+19753+58118bc0.s390x.rpm  
npm-9.6.7-1.18.17.1.1.module+el9.2.0.z+19753+58118bc0.s390x.rpm

x86_64:  
nodejs-18.17.1-1.module+el9.2.0.z+19753+58118bc0.x86_64.rpm  
nodejs-debuginfo-18.17.1-1.module+el9.2.0.z+19753+58118bc0.x86_64.rpm  
nodejs-debugsource-18.17.1-1.module+el9.2.0.z+19753+58118bc0.x86_64.rpm  
nodejs-devel-18.17.1-1.module+el9.2.0.z+19753+58118bc0.x86_64.rpm  
nodejs-full-i18n-18.17.1-1.module+el9.2.0.z+19753+58118bc0.x86_64.rpm  
npm-9.6.7-1.18.17.1.1.module+el9.2.0.z+19753+58118bc0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-25883  
https://access.redhat.com/security/cve/CVE-2023-32002  
https://access.redhat.com/security/cve/CVE-2023-32006  
https://access.redhat.com/security/cve/CVE-2023-32559  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlEvhJAAoJENzjgjWX9erEo5YQAJrAJckYpC4Ba1rhDGGQ46/P  
3lbT2QoOiy7SGCGgplFmyH5PTYmS3WLfxFbvjLniRHMODBxBHG23nCDdBKNQGK6x  
tS+jPaDt9fX3Gl2Q/oIccTk+h8zkUQBwYv23fRh/bpagEtrcTWoMkRfeVWT52gs0  
gjfu2Ez+i+06OufKgAvYYoSKpGcq9QDQ1UGGqR14AuID2wlmJ5bJ0TtfhWnVHoOq  
cHHGhLCtzasmk+k8Gi4zYfp3dAyUKA7253rxyH73dr6BQr7sgcO0SNW31Ur3Gjwp  
dGLsA4ydgu7NnoRl5R6zjlmPKkgUawZ4aV9LvAePa5hu86rbcHwt/uAwtu3OgHs+  
6Hn7zUEbXCF1BXtAVUkmmEWTEiMZ9+2B7JvzbkxambM0lr6RMctJ+irh1429k2wr  
RlXmFSN2jZUP7wZGSlG7+U6vXI0JW64FlE0oWmKsaxvAtaPTbDU8nA+VejOhplDe  
Nx1jeGb6cJLplG/d3nsGDGrYSrkG1IXzBVKBvfW4qBdicOHNO6Xy32CVH1PmD6V4  
VX4C5+PKl0OyzIYxXSlIGbn02cZg1J3tW0cbdKOK3lsRD4cbQVNl2234M+aFFRKk  
j8D+NiHmbMpXDSHHP6S1T3xpWeJ6Wl9TRCrcYPPbJNQXS8x4okGAnunOUqSqJNsf  
1+N9c9dYtcCCjI1NnmHA  
=1q20  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5363-01

Sensitive information disclosure due to insufficient token field masking. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.

CVE-2023-44158

Sensitive information disclosure due to spell-jacking. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.

CVE-2023-44156

Sensitive information leak through log files. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.

CVE-2023-44155

Sensitive information disclosure and manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.

CVE-2023-44154

Sensitive information disclosure due to cleartext storage of sensitive information in memory. The following products are affected: Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 35979.

CVE-2023-44153

Sensitive information disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 35979.

CVE-2023-44152

Stored cross-site scripting (XSS) vulnerability in protection plan name. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.

Tag

#linux