ELSA-2024-1444

Published: 21 Mar 2024
Source: oracle-oval
Platform: Oracle Linux 8

Description

ELSA-2024-1444: nodejs:16 security update (IMPORTANT)

nodejs [1:16.20.2-4.0.1]

  • reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks Resolves: CVE-2024-22019

nodejs-nodemon nodejs-packaging [26-1]

Updated packages

Oracle Linux 8

Oracle Linux aarch64

Module nodejs:16 is enabled

nodejs            16.20.2-4.0.1.module+el8.9.0+90185+b2d3b544
nodejs-devel      16.20.2-4.0.1.module+el8.9.0+90185+b2d3b544
nodejs-docs       16.20.2-4.0.1.module+el8.9.0+90185+b2d3b544
nodejs-full-i18n  16.20.2-4.0.1.module+el8.9.0+90185+b2d3b544
nodejs-nodemon    3.0.1-1.module+el8.9.0+90185+b2d3b544
nodejs-packaging  26-1.module+el8.9.0+90185+b2d3b544
npm               8.19.4-1.16.20.2.4.0.1.module+el8.9.0+90185+b2d3b544

Oracle Linux x86_64

Module nodejs:16 is enabled

nodejs            16.20.2-4.0.1.module+el8.9.0+90185+b2d3b544
nodejs-devel      16.20.2-4.0.1.module+el8.9.0+90185+b2d3b544
nodejs-docs       16.20.2-4.0.1.module+el8.9.0+90185+b2d3b544
nodejs-full-i18n  16.20.2-4.0.1.module+el8.9.0+90185+b2d3b544
nodejs-nodemon    3.0.1-1.module+el8.9.0+90185+b2d3b544
nodejs-packaging  26-1.module+el8.9.0+90185+b2d3b544
npm               8.19.4-1.16.20.2.4.0.1.module+el8.9.0+90185+b2d3b544

Related CVEs

Related vulnerabilities

CVSS3: 7.5
ubuntu
more than 1 year ago

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

CVSS3: 7.5
redhat
more than 1 year ago

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

CVSS3: 7.5
nvd
more than 1 year ago

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

CVSS3: 7.5
msrc
more than 1 year ago

No description available

CVSS3: 7.5
debian
more than 1 year ago

A vulnerability in Node.js HTTP servers allows an attacker to send a s ...