Issued:: 2024-05-15
Updated:: 2024-05-15

RHSA-2024:2853 - Important: nodejs:20 security update

Synopsis

Important: nodejs:20 security update

Type/Severity

Security Advisory Important

Topic

An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

c-ares: Out of bounds read in ares__read_line() (CVE-2024-25629)
nghttp2: CONTINUATION frames DoS (CVE-2024-28182)
nodejs: using the fetch() function to retrieve content from an untrusted URL leads to denial of service (CVE-2024-22025)
nodejs: CONTINUATION frames DoS (CVE-2024-27983)
nodejs: HTTP Request Smuggling via Content Length Obfuscation (CVE-2024-27982)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Product	Version	Arch
Red Hat Enterprise Linux for x86_64	9	x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions	9.6	x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions	9.4	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support	9.6	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support	9.4	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle	9.6	x86_64
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle	9.4	x86_64
Red Hat Enterprise Linux for Power, little endian	9	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support	9.6	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support	9.4	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle	9.6	ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle	9.4	ppc64le
Red Hat Enterprise Linux for IBM z Systems	9	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support	9.6	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support	9.4	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle	9.6	s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle	9.4	s390x
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates	9.6	s390x
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates	9.4	s390x
Red Hat Enterprise Linux for ARM 64	9	aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support	9.6	aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support	9.4	aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle	9.6	aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle	9.4	aarch64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates	9.6	aarch64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates	9.4	aarch64
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions	9.6	ppc64le
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions	9.4	ppc64le
Red Hat Enterprise Linux Server - AUS	9.6	x86_64
Red Hat Enterprise Linux Server - AUS	9.4	x86_64

Updated Packages

nodejs-packaging-2021.06-4.module+el9.3.0+19518+63aad52d.src.rpm
nodejs-packaging-bundler-2021.06-4.module+el9.3.0+19518+63aad52d.noarch.rpm
npm-10.5.0-1.20.12.2.2.module+el9.4.0+21731+46b5b8a7.aarch64.rpm
nodejs-20.12.2-2.module+el9.4.0+21731+46b5b8a7.src.rpm
nodejs-debuginfo-20.12.2-2.module+el9.4.0+21731+46b5b8a7.aarch64.rpm
nodejs-debugsource-20.12.2-2.module+el9.4.0+21731+46b5b8a7.aarch64.rpm
nodejs-devel-20.12.2-2.module+el9.4.0+21731+46b5b8a7.aarch64.rpm
nodejs-nodemon-3.0.1-1.module+el9.3.0.z+20478+84a9f781.src.rpm
nodejs-packaging-2021.06-4.module+el9.3.0+19518+63aad52d.noarch.rpm
nodejs-full-i18n-20.12.2-2.module+el9.4.0+21731+46b5b8a7.aarch64.rpm
nodejs-docs-20.12.2-2.module+el9.4.0+21731+46b5b8a7.noarch.rpm
nodejs-nodemon-3.0.1-1.module+el9.3.0.z+20478+84a9f781.noarch.rpm
nodejs-20.12.2-2.module+el9.4.0+21731+46b5b8a7.aarch64.rpm
nodejs-full-i18n-20.12.2-2.module+el9.4.0+21731+46b5b8a7.ppc64le.rpm
npm-10.5.0-1.20.12.2.2.module+el9.4.0+21731+46b5b8a7.ppc64le.rpm
nodejs-debugsource-20.12.2-2.module+el9.4.0+21731+46b5b8a7.ppc64le.rpm
nodejs-20.12.2-2.module+el9.4.0+21731+46b5b8a7.ppc64le.rpm
nodejs-devel-20.12.2-2.module+el9.4.0+21731+46b5b8a7.ppc64le.rpm
nodejs-debuginfo-20.12.2-2.module+el9.4.0+21731+46b5b8a7.ppc64le.rpm
nodejs-debugsource-20.12.2-2.module+el9.4.0+21731+46b5b8a7.x86_64.rpm
nodejs-debuginfo-20.12.2-2.module+el9.4.0+21731+46b5b8a7.x86_64.rpm
nodejs-20.12.2-2.module+el9.4.0+21731+46b5b8a7.x86_64.rpm
nodejs-full-i18n-20.12.2-2.module+el9.4.0+21731+46b5b8a7.x86_64.rpm
npm-10.5.0-1.20.12.2.2.module+el9.4.0+21731+46b5b8a7.x86_64.rpm
nodejs-devel-20.12.2-2.module+el9.4.0+21731+46b5b8a7.x86_64.rpm
npm-10.5.0-1.20.12.2.2.module+el9.4.0+21731+46b5b8a7.s390x.rpm
nodejs-full-i18n-20.12.2-2.module+el9.4.0+21731+46b5b8a7.s390x.rpm
nodejs-devel-20.12.2-2.module+el9.4.0+21731+46b5b8a7.s390x.rpm
nodejs-debuginfo-20.12.2-2.module+el9.4.0+21731+46b5b8a7.s390x.rpm
nodejs-20.12.2-2.module+el9.4.0+21731+46b5b8a7.s390x.rpm
nodejs-debugsource-20.12.2-2.module+el9.4.0+21731+46b5b8a7.s390x.rpm

Fixes

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.