[ALSA-2023:7205] Important: nodejs:20 security update
Type: security
Severity: important
Release date: 2023-11-27
Description:
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
* nodejs: permission model improperly protects against path traversal (CVE-2023-39331)
* nodejs: path traversal through path stored in Uint8Array (CVE-2023-39332)
* nodejs: integrity checks according to policies can be circumvented (CVE-2023-38552)
* nodejs: code injection via WebAssembly export names (CVE-2023-39333)
* node-undici: cookie leakage (CVE-2023-45143)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Updated packages listed below:
Architecture Package Checksum
aarch64 nodejs-20.8.1-1.module_el8.9.0+3675+0258a6d9.aarch64.rpm 2780a1bfaba6a69a2ad08d155f62e9dbd450fefaf143103606294905aaafcf73
aarch64 nodejs-full-i18n-20.8.1-1.module_el8.9.0+3675+0258a6d9.aarch64.rpm 3a6068f6463296909b3df2f313503e15599ecb42b5fdc59036fbd101f0b32a16
aarch64 nodejs-devel-20.8.1-1.module_el8.9.0+3675+0258a6d9.aarch64.rpm 8f537534bbb1928d7ecec274b0ee4d2bfa960addea7b9f5a03e180ff1aa4becf
aarch64 npm-10.1.0-1.20.8.1.1.module_el8.9.0+3675+0258a6d9.aarch64.rpm 9967de982cd020e5ca5dc9e599bfc43ed431a0ddc5cd3f88200642820803a541
noarch nodejs-nodemon-3.0.1-1.module_el8.9.0+3675+0258a6d9.noarch.rpm 1a4d287d654bab634a2f004f9f98ac1d2e464e44717b935e6d08824838fcf7b0
noarch nodejs-packaging-2021.06-4.module_el8.9.0+3684+11b9e959.noarch.rpm 2737beb0b9ef67ff6403ed0e4f69f5ab715d85eb5860974b3755cefb24e3b7f9
noarch nodejs-docs-20.8.1-1.module_el8.9.0+3675+0258a6d9.noarch.rpm a9b20be25f7c0e3413002ed9db020b3cd4bdfec08411bf35e7289293b03aec7b
noarch nodejs-packaging-bundler-2021.06-4.module_el8.9.0+3684+11b9e959.noarch.rpm b9f7128be10cd497d323808f86402c91a970afde6884b8967695e20fa4060629
ppc64le nodejs-20.8.1-1.module_el8.9.0+3675+0258a6d9.ppc64le.rpm 3b876f1ec9b238543cdc7e2d71669bd10abecfeae42aa1e35a95c9c415fa632c
ppc64le npm-10.1.0-1.20.8.1.1.module_el8.9.0+3675+0258a6d9.ppc64le.rpm 559c0e2ee25c797a743b7de55b9c92007e056f152d970aac01b1c2b63cee20a2
ppc64le nodejs-full-i18n-20.8.1-1.module_el8.9.0+3675+0258a6d9.ppc64le.rpm 797f551eda6396b214b7286b69914ac46c3c1a2a63f8cb1adeec1766f30fd44e
ppc64le nodejs-devel-20.8.1-1.module_el8.9.0+3675+0258a6d9.ppc64le.rpm c0130cb81bd4a72cbd4d01bf9127cb5fb2f1c63ed7fdd5eddacca8ad06b4edca
s390x nodejs-devel-20.8.1-1.module_el8.9.0+3675+0258a6d9.s390x.rpm 506b061673134077bcf5b3abeb54776ffe4a9add0aa592d602bca35a61d656e1
s390x npm-10.1.0-1.20.8.1.1.module_el8.9.0+3675+0258a6d9.s390x.rpm 5cff3e7b54de09bcd62b5a2fcf1b1589e0ca75626b260e2fceda4f054d8b8055
s390x nodejs-20.8.1-1.module_el8.9.0+3675+0258a6d9.s390x.rpm 6a28cd666d2352454b267cc716860735c7f73064b47d9e576875b4927a2caa6a
s390x nodejs-full-i18n-20.8.1-1.module_el8.9.0+3675+0258a6d9.s390x.rpm b3a5c20c974cb369f6c76386dbf05297af294c981abb3d23a4245f32ec993a7e
x86_64 nodejs-full-i18n-20.8.1-1.module_el8.9.0+3675+0258a6d9.x86_64.rpm 2dd67b4cbe65ec2d8f53ba022e35f3f5a9471634b9a072eba2419bf58a1ec0d8
x86_64 nodejs-devel-20.8.1-1.module_el8.9.0+3675+0258a6d9.x86_64.rpm 3da4c577397a8bc03ac3c27f3a05ae8b5286e1e7c2af7fb0569b034ac8d99cab
x86_64 nodejs-20.8.1-1.module_el8.9.0+3675+0258a6d9.x86_64.rpm 5400b6376bba47db958f1a9d3b3119152175a8e789ca37ac320fdc947e262046
x86_64 npm-10.1.0-1.20.8.1.1.module_el8.9.0+3675+0258a6d9.x86_64.rpm 6861c156eb07385bcc4fa6f9a3dcc33abe721a1c58c1f826d302699244b0663f
Notes:
This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.