Red Hat Security Advisory 2020-0579-01

Red Hat Security Advisory 2020-0579-01: Posted Feb 25, 2020; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2020-0579-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. HTTP request smuggling was addressed along with other security issues.; tags | advisory, web, javascript; systems | linux, redhat; advisories | CVE-2019-15604, CVE-2019-15605, CVE-2019-15606, CVE-2019-16775, CVE-2019-16776, CVE-2019-16777; SHA-256 | b886b0e95ead26013e0308ccf593a5a846e8731401ea54bdeeb098795796b513; Download | Favorite | View

Red Hat Security Advisory 2020-0579-01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Important: nodejs:10 security update
Advisory ID:       RHSA-2020:0579-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:0579
Issue date:        2020-02-25
CVE Names:         CVE-2019-15604 CVE-2019-15605 CVE-2019-15606
                   CVE-2019-16775 CVE-2019-16776 CVE-2019-16777
====================================================================
1. Summary:

An update for the nodejs:10 module is now available for Red Hat Enterprise
Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.

The following packages have been upgraded to a later upstream version:
nodejs (10.19.0).

Security Fix(es):

* nodejs: HTTP request smuggling using malformed Transfer-Encoding header
(CVE-2019-15605)

* nodejs: Remotely trigger an assertion on a TLS server with a malformed
certificate string (CVE-2019-15604)

* nodejs: HTTP header values do not have trailing optional whitespace
trimmed (CVE-2019-15606)

* npm: Symlink reference outside of node_modules folder through the bin
field upon installation (CVE-2019-16775)

* npm: Arbitrary file write via constructed entry in the package.json bin
field (CVE-2019-16776)

* npm: Global node_modules Binary Overwrite (CVE-2019-16777)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1788301 - CVE-2019-16777 npm: Global node_modules Binary Overwrite
1788305 - CVE-2019-16775 npm: Symlink reference outside of node_modules folder through the bin field upon installation
1788310 - CVE-2019-16776 npm: Arbitrary file write via constructed entry in the package.json bin field
1800364 - CVE-2019-15605 nodejs: HTTP request smuggling using malformed Transfer-Encoding header
1800366 - CVE-2019-15606 nodejs: HTTP header values do not have trailing optional whitespace trimmed
1800367 - CVE-2019-15604 nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
nodejs-10.19.0-1.module+el8.1.0+5726+6ed65f8c.src.rpm
nodejs-nodemon-1.18.3-1.module+el8+2632+6c5111ed.src.rpm
nodejs-packaging-17-3.module+el8+2873+aa7dfd9a.src.rpm

aarch64:
nodejs-10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64.rpm
nodejs-debuginfo-10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64.rpm
nodejs-debugsource-10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64.rpm
nodejs-devel-10.19.0-1.module+el8.1.0+5726+6ed65f8c.aarch64.rpm
npm-6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.aarch64.rpm

noarch:
nodejs-docs-10.19.0-1.module+el8.1.0+5726+6ed65f8c.noarch.rpm
nodejs-nodemon-1.18.3-1.module+el8+2632+6c5111ed.noarch.rpm
nodejs-packaging-17-3.module+el8+2873+aa7dfd9a.noarch.rpm

ppc64le:
nodejs-10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le.rpm
nodejs-debuginfo-10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le.rpm
nodejs-debugsource-10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le.rpm
nodejs-devel-10.19.0-1.module+el8.1.0+5726+6ed65f8c.ppc64le.rpm
npm-6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.ppc64le.rpm

s390x:
nodejs-10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x.rpm
nodejs-debuginfo-10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x.rpm
nodejs-debugsource-10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x.rpm
nodejs-devel-10.19.0-1.module+el8.1.0+5726+6ed65f8c.s390x.rpm
npm-6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.s390x.rpm

x86_64:
nodejs-10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64.rpm
nodejs-debuginfo-10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64.rpm
nodejs-debugsource-10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64.rpm
nodejs-devel-10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64.rpm
nodejs-devel-debuginfo-10.19.0-1.module+el8.1.0+5726+6ed65f8c.x86_64.rpm
npm-6.13.4-1.10.19.0.1.module+el8.1.0+5726+6ed65f8c.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-15604
https://access.redhat.com/security/cve/CVE-2019-15605
https://access.redhat.com/security/cve/CVE-2019-15606
https://access.redhat.com/security/cve/CVE-2019-16775
https://access.redhat.com/security/cve/CVE-2019-16776
https://access.redhat.com/security/cve/CVE-2019-16777
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXlTctNzjgjWX9erEAQhW5Q/+PbyGAX2XhjeaTw1ajkXPBEHMUzAE1bKo
JpvbNH6mRyGgcbunvwvGz8zxYOgjSeWkd5avmU7PeSBv7uNEWUgI7G/Tfvsfqrd6
oQlvNp4IHAWbA2Mm5ibEYrwqUWNi1c0pzN1mXy086SjNNySS2W1tp/2nLni5xOgI
WekC1Oh3OYsKYxigUhmHYy6sTG+SBNIptSSdvvhI1ONbDUKvs0fnE4VcrzYFPbG+
dZQWu40Axq0mzneoVYmMIFHWOCPWn5cGJ5BSf84O+597QKhWyK7wfeFwTacCfbhE
+iYr39lI4Hjl6nX/FDQlF5GXhI9yqS/y5NGnMqXRzyPtiqf8VDql5yJVm8guU9pk
LlDQCsdk2HxPdNodAk0UZATw6FTfhE/x0NuRNZs7+gz0C9kR2M4iULMaBw2CxClB
wygAXmOdcZoFiErjDfHq4Doajdr/kOKyrYQW38e40GaPLce6Zu5FUpbfOHyjfhIt
PPFrZTGriO4iM9PWnD3SDaBwu1sSt+IKbaSDEA7OtlZIDMHbE4/AcGk3+WnO5HG0
IfTzHifoqJnlFyCQFnokVFORUoFM5iNzFq3TyQzy78ipgtYn3jONqX9PnkyWPi4o
ASyOvHIPd5QekWIMY7DeK9rDgHIUOCcngoJ97Vx9HcsMO7Oiv/2FxURI/fIjPm+Q
KEoWWb7/hIk=EXnZ
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Top Authors In Last 30 Days

Red Hat 236 files
Ubuntu 56 files
Debian 19 files
LiquidWorm 16 files
Apple 9 files
Gentoo 5 files
Alter Prime 3 files
Google Security Research 3 files
Pierre Kim 2 files
EQSTLab 2 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,945)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,337)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,987)
UNIX (9,475)
UnixWare (188)
Windows (6,784)
Other

Red Hat Security Advisory 2020-0579-01

Red Hat Security Advisory 2020-0579-01

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Red Hat Security Advisory 2020-0579-01

Share This

Red Hat Security Advisory 2020-0579-01

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems