
Mageia alert MGASA-2021-0069 (nodejs)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2021-0069: Updated nodejs packages fix security vulnerabilities
Date:  Fri, 05 Feb 2021 12:56:03 +0100
Message-ID:  <20210205115603.586A79F736@duvel.mageia.org>
Archive-link:  Article

MGASA-2021-0069 - Updated nodejs packages fix security vulnerabilities

Publication date: 05 Feb 2021
URL: https://advisories.mageia.org/MGASA-2021-0069.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-8265,
     CVE-2020-8287

Description:
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to
a use-after-free bug in its TLS implementation. When writing to a TLS enabled
socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method does not
return an error, this object is passed back to the caller as part of a
StreamWriteResult structure. This may be exploited to corrupt memory leading
to a Denial of Service or potentially other exploits. (CVE-2020-8265).

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of
a header field in an HTTP request (for example, two Transfer-Encoding header
fields). In this case, Node.js identifies the first header field and ignores
the second. This can lead to HTTP Request Smuggling. (CVE-2020-8287).

References:
- https://bugs.mageia.org/show_bug.cgi?id=28015
- https://nodejs.org/en/blog/vulnerability/january-2021-sec...
- https://nodejs.org/en/blog/release/v10.23.1/
- https://www.debian.org/security/2021/dsa-4826
- https://lists.fedoraproject.org/archives/list/package-ann...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8265
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8287

SRPMS:
- 7/core/nodejs-10.23.1-10.mga7
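An added example, not part of the advisory or of Node.js: a check of a runtime version against the fixed releases listed above, plus an audit of a request's header list for the duplicated framing headers described under CVE-2020-8287. The function names, the treatment of release lines the advisory does not list, and the inclusion of Content-Length are assumptions of this example; the header list uses the alternating name/value layout of Node's `req.rawHeaders`.

```javascript
// Fixed releases per release line, taken from the advisory text.
const FIXED = { 10: [10, 23, 1], 12: [12, 20, 1], 14: [14, 15, 4], 15: [15, 5, 1] };

// Parse "v10.23.0" or "10.23.0" into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// True when the version predates the fix on its release line.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) throw new TypeError(`unparseable Node.js version: ${version}`);
  const fixed = FIXED[v[0]];
  // Assumption: a line with no listed fix (e.g. 11.x, 13.x) that is older
  // than 15.x counts as affected; lines newer than 15.x count as fixed.
  if (!fixed) return v[0] < 15;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false; // exactly the fixed release
}

// Headers that decide message framing. Transfer-Encoding is the advisory's
// example; Content-Length is added here as an assumption of this example.
const FRAMING = new Set(['transfer-encoding', 'content-length']);

// rawHeaders: [name, value, name, value, ...] with duplicates preserved.
// Returns the sorted, lower-cased framing header names seen more than once.
function duplicatedFramingHeaders(rawHeaders) {
  const counts = new Map();
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = String(rawHeaders[i]).toLowerCase();
    if (FRAMING.has(name)) counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name).sort();
}

// Constructed sample header list (not captured traffic).
const sample = ['Host', 'app.example', 'Transfer-Encoding', 'chunked',
                'transfer-encoding', 'identity'];
console.log(process.version, isAffected(process.version) ? 'affected' : 'fixed');
console.log('duplicated framing headers:', duplicatedFramingHeaders(sample));
```
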




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds