* [Buildroot] [PATCH] package/nodejs: security bump to version 14.18.3
From: Peter Korsgaard @ 2022-01-14 10:38 UTC (permalink / raw)
To: buildroot; +Cc: Daniel Price, Martin Bark
Fixes the following security issues:

Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is
specifically defined to use a particular SAN type, can result in bypassing
name-constrained intermediates. Node.js was accepting URI SAN types, which
PKIs are often not defined to use. Additionally, when a protocol allows URI
SANs, Node.js did not match the URI correctly.

Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)

Node.js converts SANs (Subject Alternative Names) to a string format. It
uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate chain,
allowing the bypass of these name constraints.

Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)

Node.js did not handle multi-value Relative Distinguished Names correctly.
Attackers could craft certificate subjects containing a single-value
Relative Distinguished Name that would be interpreted as a multi-value
Relative Distinguished Name, for example, in order to inject a Common Name
that would allow bypassing the certificate subject verification.

Prototype pollution via console.table properties (Low)(CVE-2022-21824)

Due to the formatting logic of the console.table() function it was not safe
to allow user controlled input to be passed to the properties parameter
while simultaneously passing a plain object with at least one property as
the first parameter, which could be __proto__. The prototype pollution has
very limited control, in that it only allows an empty string to be assigned
numerical keys of the object prototype.

For details, see the advisory:
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/nodejs/nodejs.hash | 4 ++--
package/nodejs/nodejs.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash
index f330757341..6365ef852b 100644
--- a/package/nodejs/nodejs.hash
+++ b/package/nodejs/nodejs.hash
@@ -1,5 +1,5 @@
-# From https://nodejs.org/dist/v14.18.2/SHASUMS256.txt
-sha256 3e8a9ce10f8bcd3628eb6dd049f7f03c84ba9219be6f9743e2221154b9cc680b node-v14.18.2.tar.xz
+# From https://nodejs.org/dist/v14.18.3/SHASUMS256.txt
+sha256 783ac443cd343dd6c68d2abcf7e59e7b978a6a428f6a6025f9b84918b769d608 node-v14.18.3.tar.xz
# Hash for license file
sha256 b3a67885b5a6ac35e8bbe8190509e41b79b0d9a2e3fbd47186f2ac4727f63be5 LICENSE
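Review bot: the new sha256 for node-v14.18.3.tar.xz is copied from the upstream SHASUMS256.txt named in the comment, so this line only restates what the same server publishes, yet it is the sole integrity check Buildroot applies to the fetched tarball. It would help later reviewers if the commit message stated that SHASUMS256.txt was checked against its upstream signature (Node.js publishes a SHASUMS256.txt.asc next to it) or that the hash was recomputed from an independently downloaded tarball. The LICENSE hash is unchanged, which is what one expects for a patch-level bump.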
diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk
index 7d5c93eb93..727af6dc50 100644
--- a/package/nodejs/nodejs.mk
+++ b/package/nodejs/nodejs.mk
@@ -4,7 +4,7 @@
#
################################################################################
-NODEJS_VERSION = 14.18.2
+NODEJS_VERSION = 14.18.3
NODEJS_SOURCE = node-v$(NODEJS_VERSION).tar.xz
NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION)
NODEJS_DEPENDENCIES = host-qemu host-python3 host-nodejs c-ares \
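Review bot: NODEJS_SITE in the context line still reads http://nodejs.org/dist/v$(NODEJS_VERSION) while the checksum comment in nodejs.hash cites https://nodejs.org, so the tarball is fetched over plain HTTP and its integrity rests entirely on the sha256 in nodejs.hash. Consider switching the site to https:// in a follow-up so the download channel matches the source of the checksum. The bump itself is the single NODEJS_VERSION line; NODEJS_SOURCE and NODEJS_SITE derive from it, so nothing else in the .mk needs to change.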
--
2.20.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
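Added example in JavaScript, not code from the Buildroot patch or from Node.js: a defensive gate in front of console.table() for the CVE-2022-21824 pattern described in the commit message (user-controlled properties parameter plus a plain object as first argument), together with a runtime canary that reports keys Object.prototype has gained since startup. The function and constant names (sanitizeColumns, safeTable, prototypeNewKeys, prototypeIsClean, ALLOWED_COLUMNS) and the allowlist contents are assumptions of this example.

```javascript
// Added example, not code from the Buildroot patch or from Node.js itself.
// CVE-2022-21824 (above) concerned console.table() being handed a
// user-controlled `properties` array together with a plain object as the
// first argument, which could end up assigning '' to numeric keys of
// Object.prototype. The two defensive pieces below are assumptions of this
// example: an allowlist gate in front of console.table() and a runtime
// canary that reports keys Object.prototype has gained since startup.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Example allowlist of columns an operator is permitted to request.
const ALLOWED_COLUMNS = ['name', 'uid', 'shell'];

// Own keys of Object.prototype at startup; anything added later is suspect.
const BASELINE_PROTO_KEYS = new Set(Reflect.ownKeys(Object.prototype));

// Own keys present on Object.prototype now that were absent at startup.
function prototypeNewKeys() {
  return Reflect.ownKeys(Object.prototype).filter((k) => !BASELINE_PROTO_KEYS.has(k));
}

function prototypeIsClean() {
  return prototypeNewKeys().length === 0;
}

// Validate a requested column list before it reaches console.table():
// every entry must be a string on the allowlist and must not name a
// prototype-chain accessor. Throws on the first offending entry.
function sanitizeColumns(requested, allowed) {
  if (requested === undefined) return undefined; // let console.table pick keys
  if (!Array.isArray(requested)) throw new TypeError('properties must be an array');
  const allowedSet = new Set(allowed);
  return requested.map((col) => {
    if (typeof col !== 'string' || FORBIDDEN_KEYS.has(col) || !allowedSet.has(col)) {
      throw new RangeError(`column not permitted: ${String(col)}`);
    }
    return col;
  });
}

// Print a table with only vetted columns, then report whether the
// prototype canary is still clean so callers can alert on pollution.
function safeTable(data, requestedColumns, allowed = ALLOWED_COLUMNS) {
  const columns = sanitizeColumns(requestedColumns, allowed);
  console.table(data, columns);
  return { columns, prototypeClean: prototypeIsClean() };
}
```

The canary uses Reflect.ownKeys, so it also notices non-enumerable keys added to Object.prototype, which a for-in or Object.keys based check would miss.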
* Re: [Buildroot] [PATCH] package/nodejs: security bump to version 14.18.3
From: Yann E. MORIN @ 2022-01-17 21:37 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: Martin Bark, Daniel Price, buildroot
Peter, All,
On 2022-01-14 11:38 +0100, Peter Korsgaard spake thusly:
> Fixes the following security issues:
[--SNIP--]
> For details, see the advisory:
> https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
It was also reported on IRC that this should also fix some build issue
with python 3.10.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> package/nodejs/nodejs.hash | 4 ++--
> package/nodejs/nodejs.mk | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash
> index f330757341..6365ef852b 100644
> --- a/package/nodejs/nodejs.hash
> +++ b/package/nodejs/nodejs.hash
> @@ -1,5 +1,5 @@
> -# From https://nodejs.org/dist/v14.18.2/SHASUMS256.txt
> -sha256 3e8a9ce10f8bcd3628eb6dd049f7f03c84ba9219be6f9743e2221154b9cc680b node-v14.18.2.tar.xz
> +# From https://nodejs.org/dist/v14.18.3/SHASUMS256.txt
> +sha256 783ac443cd343dd6c68d2abcf7e59e7b978a6a428f6a6025f9b84918b769d608 node-v14.18.3.tar.xz
>
> # Hash for license file
> sha256 b3a67885b5a6ac35e8bbe8190509e41b79b0d9a2e3fbd47186f2ac4727f63be5 LICENSE
> diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk
> index 7d5c93eb93..727af6dc50 100644
> --- a/package/nodejs/nodejs.mk
> +++ b/package/nodejs/nodejs.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -NODEJS_VERSION = 14.18.2
> +NODEJS_VERSION = 14.18.3
> NODEJS_SOURCE = node-v$(NODEJS_VERSION).tar.xz
> NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION)
> NODEJS_DEPENDENCIES = host-qemu host-python3 host-nodejs c-ares \
> --
> 2.20.1
>
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
* Re: [Buildroot] [PATCH] package/nodejs: security bump to version 14.18.3
From: Peter Korsgaard @ 2022-01-28 17:03 UTC (permalink / raw)
To: buildroot; +Cc: Daniel Price, Martin Bark
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
> Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is
> specifically defined to use a particular SAN type, can result in bypassing
> name-constrained intermediates. Node.js was accepting URI SAN types, which
> PKIs are often not defined to use. Additionally, when a protocol allows URI
> SANs, Node.js did not match the URI correctly.
> Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
> Node.js converts SANs (Subject Alternative Names) to a string format. It
> uses this string to check peer certificates against hostnames when
> validating connections. The string format was subject to an injection
> vulnerability when name constraints were used within a certificate chain,
> allowing the bypass of these name constraints.
> Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
> Node.js did not handle multi-value Relative Distinguished Names correctly.
> Attackers could craft certificate subjects containing a single-value
> Relative Distinguished Name that would be interpreted as a multi-value
> Relative Distinguished Name, for example, in order to inject a Common Name
> that would allow bypassing the certificate subject verification.
> Prototype pollution via console.table properties (Low)(CVE-2022-21824)
> Due to the formatting logic of the console.table() function it was not safe
> to allow user controlled input to be passed to the properties parameter
> while simultaneously passing a plain object with at least one property as
> the first parameter, which could be __proto__. The prototype pollution has
> very limited control, in that it only allows an empty string to be assigned
> numerical keys of the object prototype.
> For details, see the advisory:
> https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2021.11.x, thanks.
For 2021.02.x I will instead bump to 12.22.9 which contains the same
fixes.
--
Bye, Peter Korsgaard