Issued:: 2022-09-13
Updated:: 2022-09-13

RHSA-2022:6449 - Moderate: nodejs:16 security and bug fix update

Synopsis

Moderate: nodejs:16 security and bug fix update

Type/Severity

Security Advisory Moderate

Topic

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
nodejs: DNS rebinding in --inspect via invalid IP addresses (CVE-2022-32212)
nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding (CVE-2022-32213)
nodejs: HTTP request smuggling due to improper delimiting of header fields (CVE-2022-32214)
nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding (CVE-2022-32215)
got: missing verification of requested URLs allows redirects to UNIX sockets (CVE-2022-33987)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

nodejs:16/nodejs: rebase to latest upstream release (BZ#2106369)
nodejs:16/nodejs: Specify --with-default-icu-data-dir when using bootstrap build (BZ#2111416)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Product	Version	Arch
Red Hat Enterprise Linux for x86_64	8	x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions	8.8	x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions	8.6	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support	8.8	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support	8.6	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension	8.8	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension	8.6	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle	8.10	x86_64
Red Hat Enterprise Linux for Power, little endian	8	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support	8.8	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support	8.6	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle	8.10	ppc64le
Red Hat Enterprise Linux for IBM z Systems	8	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support	8.8	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support	8.6	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle	8.10	s390x
Red Hat Enterprise Linux for ARM 64	8	aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support	8.8	aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support	8.6	aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle	8.10	aarch64
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions	8.8	ppc64le
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions	8.6	ppc64le
Red Hat Enterprise Linux Server - TUS	8.8	x86_64
Red Hat Enterprise Linux Server - TUS	8.6	x86_64
Red Hat Enterprise Linux Server - AUS	8.6	x86_64

Updated Packages

nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.noarch.rpm
npm-8.11.0-1.16.16.0.3.module+el8.6.0+16248+76b0e185.x86_64.rpm
nodejs-full-i18n-16.16.0-3.module+el8.6.0+16248+76b0e185.x86_64.rpm
nodejs-16.16.0-3.module+el8.6.0+16248+76b0e185.src.rpm
nodejs-debuginfo-16.16.0-3.module+el8.6.0+16248+76b0e185.x86_64.rpm
nodejs-16.16.0-3.module+el8.6.0+16248+76b0e185.x86_64.rpm
nodejs-devel-16.16.0-3.module+el8.6.0+16248+76b0e185.x86_64.rpm
nodejs-docs-16.16.0-3.module+el8.6.0+16248+76b0e185.noarch.rpm
nodejs-debugsource-16.16.0-3.module+el8.6.0+16248+76b0e185.x86_64.rpm
nodejs-nodemon-2.0.19-2.module+el8.6.0+16240+7ca51420.noarch.rpm
nodejs-nodemon-2.0.19-2.module+el8.6.0+16240+7ca51420.src.rpm
nodejs-packaging-25-1.module+el8.5.0+10992+fac5fe06.src.rpm
nodejs-devel-16.16.0-3.module+el8.6.0+16248+76b0e185.s390x.rpm
nodejs-full-i18n-16.16.0-3.module+el8.6.0+16248+76b0e185.s390x.rpm
nodejs-debugsource-16.16.0-3.module+el8.6.0+16248+76b0e185.s390x.rpm
npm-8.11.0-1.16.16.0.3.module+el8.6.0+16248+76b0e185.s390x.rpm
nodejs-debuginfo-16.16.0-3.module+el8.6.0+16248+76b0e185.s390x.rpm
nodejs-16.16.0-3.module+el8.6.0+16248+76b0e185.s390x.rpm
npm-8.11.0-1.16.16.0.3.module+el8.6.0+16248+76b0e185.aarch64.rpm
nodejs-16.16.0-3.module+el8.6.0+16248+76b0e185.aarch64.rpm
nodejs-debuginfo-16.16.0-3.module+el8.6.0+16248+76b0e185.aarch64.rpm
nodejs-debugsource-16.16.0-3.module+el8.6.0+16248+76b0e185.aarch64.rpm
nodejs-full-i18n-16.16.0-3.module+el8.6.0+16248+76b0e185.aarch64.rpm
nodejs-devel-16.16.0-3.module+el8.6.0+16248+76b0e185.aarch64.rpm
nodejs-full-i18n-16.16.0-3.module+el8.6.0+16248+76b0e185.ppc64le.rpm
nodejs-debuginfo-16.16.0-3.module+el8.6.0+16248+76b0e185.ppc64le.rpm
nodejs-devel-16.16.0-3.module+el8.6.0+16248+76b0e185.ppc64le.rpm
nodejs-16.16.0-3.module+el8.6.0+16248+76b0e185.ppc64le.rpm
npm-8.11.0-1.16.16.0.3.module+el8.6.0+16248+76b0e185.ppc64le.rpm
nodejs-debugsource-16.16.0-3.module+el8.6.0+16248+76b0e185.ppc64le.rpm

Fixes

CVEs

References

https://access.redhat.com/security/updates/classification/#moderate

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.