Issued:: 2022-09-20
Updated:: 2022-09-20

RHSA-2022:6595 - Moderate: nodejs and nodejs-nodemon security and bug fix update

Synopsis

Moderate: nodejs and nodejs-nodemon security and bug fix update

Type/Severity

Security Advisory Moderate

Topic

An update for nodejs and nodejs-nodemon is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version: nodejs (16.16.0), nodejs-nodemon (2.0.19). (BZ#2124230, BZ#2124233)

Security Fix(es):

nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)
nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807)
normalize-url: ReDoS for data URLs (CVE-2021-33502)
nodejs: npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace (CVE-2022-29244)
nodejs: DNS rebinding in --inspect via invalid IP addresses (CVE-2022-32212)
nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding (CVE-2022-32213)
nodejs: HTTP request smuggling due to improper delimiting of header fields (CVE-2022-32214)
nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding (CVE-2022-32215)
got: missing verification of requested URLs allows redirects to UNIX sockets (CVE-2022-33987)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

nodejs:16/nodejs: Rebase to the latest Nodejs 16 release [rhel-9] (BZ#2121019)
nodejs: Specify --with-default-icu-data-dir when using bootstrap build (BZ#2124299)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Product	Version	Arch
Red Hat Enterprise Linux for x86_64	9	x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions	9.6	x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions	9.4	x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions	9.2	x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions	9.0	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support	9.6	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support	9.4	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support	9.2	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support	9.0	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle	9.6	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle	9.4	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle	9.2	x86_64
Red Hat Enterprise Linux for Power, little endian	9	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support	9.6	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support	9.4	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support	9.2	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support	9.0	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle	9.6	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle	9.4	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle	9.2	ppc64le
Red Hat Enterprise Linux for IBM z Systems	9	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support	9.6	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support	9.4	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support	9.2	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support	9.0	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle	9.6	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle	9.4	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle	9.2	s390x
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates	9.6	s390x
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates	9.4	s390x
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates	9.2	s390x
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates	9.0	s390x
Red Hat Enterprise Linux for ARM 64	9	aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support	9.6	aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support	9.4	aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support	9.2	aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support	9.0	aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle	9.6	aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle	9.4	aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle	9.2	aarch64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates	9.6	aarch64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates	9.4	aarch64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates	9.2	aarch64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates	9.0	aarch64
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions	9.6	ppc64le
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions	9.4	ppc64le
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions	9.2	ppc64le
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions	9.0	ppc64le
Red Hat Enterprise Linux Server - AUS	9.6	x86_64
Red Hat Enterprise Linux Server - AUS	9.4	x86_64
Red Hat Enterprise Linux Server - AUS	9.2	x86_64

Updated Packages

nodejs-debugsource-16.16.0-1.el9_0.x86_64.rpm
nodejs-libs-16.16.0-1.el9_0.ppc64le.rpm
nodejs-16.16.0-1.el9_0.src.rpm
nodejs-debugsource-16.16.0-1.el9_0.aarch64.rpm
nodejs-full-i18n-16.16.0-1.el9_0.ppc64le.rpm
nodejs-libs-debuginfo-16.16.0-1.el9_0.aarch64.rpm
nodejs-libs-debuginfo-16.16.0-1.el9_0.ppc64le.rpm
nodejs-16.16.0-1.el9_0.ppc64le.rpm
npm-8.11.0-1.16.16.0.1.el9_0.x86_64.rpm
nodejs-debugsource-16.16.0-1.el9_0.ppc64le.rpm
nodejs-nodemon-2.0.19-1.el9_0.noarch.rpm
nodejs-debugsource-16.16.0-1.el9_0.i686.rpm
nodejs-debuginfo-16.16.0-1.el9_0.x86_64.rpm
nodejs-libs-debuginfo-16.16.0-1.el9_0.x86_64.rpm
nodejs-libs-16.16.0-1.el9_0.aarch64.rpm
nodejs-libs-debuginfo-16.16.0-1.el9_0.i686.rpm
nodejs-debugsource-16.16.0-1.el9_0.s390x.rpm
nodejs-debuginfo-16.16.0-1.el9_0.ppc64le.rpm
npm-8.11.0-1.16.16.0.1.el9_0.s390x.rpm
nodejs-libs-16.16.0-1.el9_0.i686.rpm
nodejs-16.16.0-1.el9_0.aarch64.rpm
nodejs-libs-16.16.0-1.el9_0.s390x.rpm
nodejs-nodemon-2.0.19-1.el9_0.src.rpm
nodejs-debuginfo-16.16.0-1.el9_0.s390x.rpm
nodejs-full-i18n-16.16.0-1.el9_0.s390x.rpm
nodejs-libs-16.16.0-1.el9_0.x86_64.rpm
nodejs-full-i18n-16.16.0-1.el9_0.aarch64.rpm
npm-8.11.0-1.16.16.0.1.el9_0.aarch64.rpm
nodejs-16.16.0-1.el9_0.x86_64.rpm
nodejs-16.16.0-1.el9_0.s390x.rpm
npm-8.11.0-1.16.16.0.1.el9_0.ppc64le.rpm
nodejs-docs-16.16.0-1.el9_0.noarch.rpm
nodejs-full-i18n-16.16.0-1.el9_0.x86_64.rpm
nodejs-debuginfo-16.16.0-1.el9_0.aarch64.rpm
nodejs-debuginfo-16.16.0-1.el9_0.i686.rpm
nodejs-libs-debuginfo-16.16.0-1.el9_0.s390x.rpm

Fixes

CVEs

References

https://access.redhat.com/security/updates/classification/#moderate

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.