[ALSA-2022:6595] Moderate: nodejs and nodejs-nodemon security and bug fix update
Type: security
Severity: moderate
Release date: 2023-09-15
Description:
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (16.16.0), nodejs-nodemon (2.0.19). (BZ#2124230, BZ#2124233)

Security Fix(es):

* nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)
* nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
* normalize-url: ReDoS for data URLs (CVE-2021-33502)
* nodejs: npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace (CVE-2022-29244)
* nodejs: DNS rebinding in --inspect via invalid IP addresses (CVE-2022-32212)
* nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding (CVE-2022-32213)
* nodejs: HTTP request smuggling due to improper delimiting of header fields (CVE-2022-32214)
* nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding (CVE-2022-32215)
* got: missing verification of requested URLs allows redirects to UNIX sockets (CVE-2022-33987)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* nodejs:16/nodejs: Rebase to the latest Nodejs 16 release [almalinux-9] (BZ#2121019)
* nodejs: Specify --with-default-icu-data-dir when using bootstrap build (BZ#2124299)
Updated packages listed below:
Architecture Package Checksum
aarch64 nodejs-full-i18n-16.16.0-1.el9_0.aarch64.rpm 341bbdf24b30dcf749b592632904b7ad0692a38eaeeb28632f317cc399d33d2a
aarch64 nodejs-libs-16.16.0-1.el9_0.aarch64.rpm 5e80d64c8b7151bea4363eec453d2809a8945ea5ddfdbbeb2ec2e9a1df0771bc
aarch64 nodejs-16.16.0-1.el9_0.aarch64.rpm a0dd524a9d5dcaf7b564582911248fb0318f48bbf95e479cc155b64ee539cb08
aarch64 npm-8.11.0-1.16.16.0.1.el9_0.aarch64.rpm ab2f18d4f1b05ad24bc070962be7e2505f05d48f67faec9d9f5d91413dd1a01c
i686 nodejs-libs-16.16.0-1.el9_0.i686.rpm acd885218cbede5385cbbdd72d1c1a09bf892cc84949485ef60949dc135f33dd
noarch nodejs-nodemon-2.0.19-1.el9_0.noarch.rpm 462159fe602c6f7494478543678b5fc66877bb11997e9633ba0b7c0279cff5d9
noarch nodejs-docs-16.16.0-1.el9_0.noarch.rpm f8f6897b9cd5adec9ef29b49baf2fdc0ad181e2a04be3644c423923714e124ed
ppc64le npm-8.11.0-1.16.16.0.1.el9_0.ppc64le.rpm 2f4dc4caca9e7d7b71c8be2a4a524bbe8f9e036612bf8b5acddfe9bd1bd4bb9d
ppc64le nodejs-full-i18n-16.16.0-1.el9_0.ppc64le.rpm 51682ce169880e773e2ca69930dd82c78e002ef5135f09976a3d4eb9c78fe462
ppc64le nodejs-16.16.0-1.el9_0.ppc64le.rpm d0706af3205ba66519fecb0e3f67d0bdd0fde801e4d491f283150aaf74a8189f
ppc64le nodejs-libs-16.16.0-1.el9_0.ppc64le.rpm dd51ad79c3c2b730a338b1e9d0721ce1a4dab0f3974ea9c2f54970656d0a3eb6
s390x npm-8.11.0-1.16.16.0.1.el9_0.s390x.rpm 5012acac30b3193d44851431eea176d5d85c999da0d0714d0d0d9018e57b9215
s390x nodejs-16.16.0-1.el9_0.s390x.rpm 8367b283998785ca6393aa56dd7d2ca22332c6ebccdf1de3d596155df6124729
s390x nodejs-full-i18n-16.16.0-1.el9_0.s390x.rpm a9310950f78eabffa319b6c7450c943c0c667708870d8cebb0f0710166fc611f
s390x nodejs-libs-16.16.0-1.el9_0.s390x.rpm f4c469487099585e5a513787bcd38534b267d1ae350f9cd62031333b59393bda
x86_64 npm-8.11.0-1.16.16.0.1.el9_0.x86_64.rpm 39555437f50f35332d8822f44f1022cc7228bebba7dfef462e8e66190837515e
x86_64 nodejs-libs-16.16.0-1.el9_0.x86_64.rpm 99897cfc435862cd46d9c22d959ff268e22019ae96e180946c69a3b018c61ec3
x86_64 nodejs-16.16.0-1.el9_0.x86_64.rpm a204eaf57f71fc0e3c58333aa69e0f91e82d27c067e05526c215b03609c526cb
x86_64 nodejs-full-i18n-16.16.0-1.el9_0.x86_64.rpm a49a2af37b0b6d7dbc63455660f3d3bf6f082152731d53d02fba810917e0c497
Notes:
This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.