====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security update
Advisory ID:       RHSA-2022:0041-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0041
Issue date:        2022-01-06
CVE Names:         CVE-2021-3807 CVE-2021-3918 CVE-2021-22959
                   CVE-2021-22960 CVE-2021-37701 CVE-2021-37712
====================================================================

1. Summary:

An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now
available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:
rh-nodejs14-nodejs (14.18.2). (BZ#2031766)

Security Fix(es):

* nodejs-json-schema: Prototype pollution vulnerability (CVE-2021-3918)

* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching
ANSI escape codes (CVE-2021-3807)

* nodejs-tar: Insufficient symlink protection due to directory cache
poisoning using symbolic links allowing arbitrary file creation and
overwrite (CVE-2021-37701)

* nodejs-tar: Insufficient symlink protection due to directory cache
poisoning using symbolic links allowing arbitrary file creation and
overwrite (CVE-2021-37712)

* llhttp: HTTP Request Smuggling due to spaces in headers (CVE-2021-22959)

* llhttp: HTTP Request Smuggling when parsing the body of chunked requests
(CVE-2021-22960)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1999731 - CVE-2021-37701 nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
1999739 - CVE-2021-37712 nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
2014057 - CVE-2021-22959 llhttp: HTTP Request Smuggling due to spaces in headers
2014059 - CVE-2021-22960 llhttp: HTTP Request Smuggling when parsing the body of chunked requests
2024702 - CVE-2021-3918 nodejs-json-schema: Prototype pollution vulnerability
2031766 - rh-nodejs14-nodejs: Rebase to LTS version [rhscl-3.8.z]

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-nodejs14-nodejs-14.18.2-1.el7.src.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.src.rpm

noarch:
rh-nodejs14-nodejs-docs-14.18.2-1.el7.noarch.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.noarch.rpm

ppc64le:
rh-nodejs14-nodejs-14.18.2-1.el7.ppc64le.rpm
rh-nodejs14-nodejs-debuginfo-14.18.2-1.el7.ppc64le.rpm
rh-nodejs14-nodejs-devel-14.18.2-1.el7.ppc64le.rpm
rh-nodejs14-npm-6.14.15-14.18.2.1.el7.ppc64le.rpm

s390x:
rh-nodejs14-nodejs-14.18.2-1.el7.s390x.rpm
rh-nodejs14-nodejs-debuginfo-14.18.2-1.el7.s390x.rpm
rh-nodejs14-nodejs-devel-14.18.2-1.el7.s390x.rpm
rh-nodejs14-npm-6.14.15-14.18.2.1.el7.s390x.rpm

x86_64:
rh-nodejs14-nodejs-14.18.2-1.el7.x86_64.rpm
rh-nodejs14-nodejs-debuginfo-14.18.2-1.el7.x86_64.rpm
rh-nodejs14-nodejs-devel-14.18.2-1.el7.x86_64.rpm
rh-nodejs14-npm-6.14.15-14.18.2.1.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-nodejs14-nodejs-14.18.2-1.el7.src.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.src.rpm

noarch:
rh-nodejs14-nodejs-docs-14.18.2-1.el7.noarch.rpm
rh-nodejs14-nodejs-nodemon-2.0.3-6.el7.noarch.rpm

x86_64:
rh-nodejs14-nodejs-14.18.2-1.el7.x86_64.rpm
rh-nodejs14-nodejs-debuginfo-14.18.2-1.el7.x86_64.rpm
rh-nodejs14-nodejs-devel-14.18.2-1.el7.x86_64.rpm
rh-nodejs14-npm-6.14.15-14.18.2.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3807
https://access.redhat.com/security/cve/CVE-2021-3918
https://access.redhat.com/security/cve/CVE-2021-22959
https://access.redhat.com/security/cve/CVE-2021-22960
https://access.redhat.com/security/cve/CVE-2021-37701
https://access.redhat.com/security/cve/CVE-2021-37712
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
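Added example, not part of the advisory: a check that compares the installed rh-nodejs14 builds on a RHEL 7 host against the fixed VERSION-RELEASE pairs listed in the Package List above. It reads the output of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' <packages>` and ranks builds with a simplified rpmvercmp; the sample rpm output is constructed, and epoch is assumed absent.

```python
r"""Audit rh-nodejs14 packages against the fixed builds in RHSA-2022:0041.
Input: output of  rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' <packages>
Epoch is assumed absent (the advisory's NVRs carry none)."""
import re

# (VERSION, RELEASE) of the fixed builds, taken from the advisory's Package List.
FIXED = {
    "rh-nodejs14-nodejs": ("14.18.2", "1.el7"),
    "rh-nodejs14-nodejs-devel": ("14.18.2", "1.el7"),
    "rh-nodejs14-npm": ("6.14.15", "14.18.2.1.el7"),
    "rh-nodejs14-nodejs-nodemon": ("2.0.3", "6.el7"),
}
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare digit/alpha runs left to right (digits
    numerically, letters lexically, digits beat letters); leftover segments
    make a string newer. Tilde/caret ordering is not handled."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(installed: tuple, fixed: tuple) -> int:
    # Version decides first; release only breaks a tie.
    for inst, fix in zip(installed, fixed):
        if (c := rpmvercmp(inst, fix)):
            return c
    return 0

def audit(rpm_output: str) -> dict:
    """Map packages still below their fixed build to the installed VERSION-RELEASE."""
    stale = {}
    for line in rpm_output.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0] in FIXED:  # skips 'not installed' lines
            name, ver, rel = fields
            if evr_cmp((ver, rel), FIXED[name]) < 0:
                stale[name] = f"{ver}-{rel}"
    return stale

# Constructed sample: nodejs and nodemon still at pre-fix builds, npm already fixed.
SAMPLE_RPM_OUTPUT = """rh-nodejs14-nodejs 14.17.6 1.el7
rh-nodejs14-npm 6.14.15 14.18.2.1.el7
rh-nodejs14-nodejs-nodemon 2.0.3 5.el7
package rh-nodejs14-nodejs-devel is not installed"""
```

`audit(SAMPLE_RPM_OUTPUT)` flags rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon; on a real host, pipe the rpm query output into it and treat any non-empty result as "advisory not yet applied".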