[ALSA-2023:1743] Important: nodejs:14 security, bug fix, and enhancement update
Type: security
Severity: important
Release date: 2023-04-20
Description:
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (14.21.3).

Security Fix(es):

* decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)
* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
* c-ares: buffer overflow in config_sortlist() due to missing string length check (CVE-2022-4904)
* http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)
* Node.js: Permissions policies can be bypassed via process.mainModule (CVE-2023-23918)
* Node.js: insecure loading of ICU data through ICU_DATA environment variable (CVE-2023-23920)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Updated packages listed below:
Architecture Package Checksum
aarch64 nodejs-full-i18n-14.21.3-1.module_el8.7.0+3551+53700ee8.aarch64.rpm 1cae94bdfcd9ce1218f0275b362e5255663607cc1ba2227ff1e119f1153a8dc7
aarch64 nodejs-devel-14.21.3-1.module_el8.7.0+3551+53700ee8.aarch64.rpm 760f334215fefbaec4fc953f14ede70fe885b8a756b9e3ba9919090b182deaae
aarch64 nodejs-14.21.3-1.module_el8.7.0+3551+53700ee8.aarch64.rpm 9814211653f857c5a1b8ce27dc984c2434d8c66cbf29fdaa68f9d37f57a9b363
aarch64 npm-6.14.18-1.14.21.3.1.module_el8.7.0+3551+53700ee8.aarch64.rpm ff69d558be4e188d2414b126a35f9eebd129a2ffae710ca04795b258a9de6892
noarch nodejs-packaging-23-3.module_el8.4.0+2522+3bd42762.noarch.rpm 5ec709f70c833b784601552cba74067eb2a98aecaf8403431e26580abb8601b5
noarch nodejs-nodemon-2.0.20-3.module_el8.7.0+3551+53700ee8.noarch.rpm 856719cbce987e7bb337c2c3ea49b2e78fab3f6706787162f18625a4357576fe
noarch nodejs-docs-14.21.3-1.module_el8.7.0+3551+53700ee8.noarch.rpm 9fe56dbb0aeebfef640feee493a80af2cea2f7011fa3bbb12d4eb72a92682da7
ppc64le nodejs-full-i18n-14.21.3-1.module_el8.7.0+3551+53700ee8.ppc64le.rpm a09a6dc0dd8b5e96965d824d6933e80deee71fcbfe7305509fbebe7b8e457775
ppc64le nodejs-devel-14.21.3-1.module_el8.7.0+3551+53700ee8.ppc64le.rpm b351c2899a471a3c0f41706c60be3cf7fc7e542b6e125dfc711fe40fbd7fca64
ppc64le npm-6.14.18-1.14.21.3.1.module_el8.7.0+3551+53700ee8.ppc64le.rpm b710dcc8b0f795dede9071aba8a3ba64bb038c0eea41101eeac7238742a0b856
ppc64le nodejs-14.21.3-1.module_el8.7.0+3551+53700ee8.ppc64le.rpm e1d0fd2a82f6f6b38129c467a3431fdf9fe68af3e18802ffec8e6178a45700ca
s390x npm-6.14.18-1.14.21.3.1.module_el8.7.0+3551+53700ee8.s390x.rpm 46ab8b24e4b459d6f34962c42b03a683bff821bb04e40ec9199c3db6d9b65d63
s390x nodejs-14.21.3-1.module_el8.7.0+3551+53700ee8.s390x.rpm 5f9a3cf3d8600ef5f71db9b5745189d0ce0a9832dcac65aa72dbdc3ab3692a03
s390x nodejs-devel-14.21.3-1.module_el8.7.0+3551+53700ee8.s390x.rpm b4f5d7e1a89ce660d07e868bc2425c0de9741d4e2429c85c8de69e79e8ddd4d3
s390x nodejs-full-i18n-14.21.3-1.module_el8.7.0+3551+53700ee8.s390x.rpm ff0ce7f82660e02ea8796d66c94d216a9211037281befad8cf56b8d3be249048
x86_64 npm-6.14.18-1.14.21.3.1.module_el8.7.0+3551+53700ee8.x86_64.rpm 1e7652bce41780a113bfdece70142f233c1939ebe248bf23daa0fa28e27d6c79
x86_64 nodejs-14.21.3-1.module_el8.7.0+3551+53700ee8.x86_64.rpm b2e00babec1978cce37fabe5da92b684743306c4ddb181ba6cacae4c4c53cb37
x86_64 nodejs-full-i18n-14.21.3-1.module_el8.7.0+3551+53700ee8.x86_64.rpm c96a096f0dd6c998f4d430c4d633b62954758bedf2cb8404bce3b809834366a7
x86_64 nodejs-devel-14.21.3-1.module_el8.7.0+3551+53700ee8.x86_64.rpm eafa79592e907572cd22f660a767d9a9903b63ce1da6792c650e1c1f799d7902
Notes:
This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.