From 9096036f00c5a0f37e3b3916417f0d0b166b73e8 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Fri, 14 Jan 2022 11:38:24 +0100 Subject: [PATCH] package/nodejs: security bump to version 14.18.3 Fixes the following security issues: Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531) Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly. Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532) Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints. Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533) Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification. Prototype pollution via console.table properties (Low)(CVE-2022-21824) Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned numerical keys of the object prototype. For details, see the advisory: https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/ Signed-off-by: Peter Korsgaard Signed-off-by: Yann E. MORIN --- package/nodejs/nodejs.hash | 4 ++-- package/nodejs/nodejs.mk | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash index f330757341..6365ef852b 100644 --- a/package/nodejs/nodejs.hash +++ b/package/nodejs/nodejs.hash @@ -1,5 +1,5 @@ -# From https://nodejs.org/dist/v14.18.2/SHASUMS256.txt -sha256 3e8a9ce10f8bcd3628eb6dd049f7f03c84ba9219be6f9743e2221154b9cc680b node-v14.18.2.tar.xz +# From https://nodejs.org/dist/v14.18.3/SHASUMS256.txt +sha256 783ac443cd343dd6c68d2abcf7e59e7b978a6a428f6a6025f9b84918b769d608 node-v14.18.3.tar.xz # Hash for license file sha256 b3a67885b5a6ac35e8bbe8190509e41b79b0d9a2e3fbd47186f2ac4727f63be5 LICENSE diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk index 7d5c93eb93..727af6dc50 100644 --- a/package/nodejs/nodejs.mk +++ b/package/nodejs/nodejs.mk @@ -4,7 +4,7 @@ # ################################################################################ -NODEJS_VERSION = 14.18.2 +NODEJS_VERSION = 14.18.3 NODEJS_SOURCE = node-v$(NODEJS_VERSION).tar.xz NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION) NODEJS_DEPENDENCIES = host-qemu host-python3 host-nodejs c-ares \