An update for nodejs is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-2174 Final 1.0 1.0 2024-09-27 Initial 2024-09-27 2024-09-27 openEuler SA Tool V1.0 2024-09-27 nodejs security update An update for nodejs is now available for openEuler-24.03-LTS Node.js is an open-source, cross-platform, JavaScript runtime environment, it executes JavaScript code outside of a browser. Security Fix(es): The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.(CVE-2024-27982) An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.(CVE-2024-27983) Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1. (CVE-2024-30260) Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.(CVE-2024-30261) An update for nodejs is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High nodejs https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2174 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-27982 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-27983 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-30260 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-30261 https://nvd.nist.gov/vuln/detail/CVE-2024-27982 https://nvd.nist.gov/vuln/detail/CVE-2024-27983 https://nvd.nist.gov/vuln/detail/CVE-2024-30260 https://nvd.nist.gov/vuln/detail/CVE-2024-30261 openEuler-24.03-LTS nodejs-20.12.1-1.oe2403.aarch64.rpm nodejs-debuginfo-20.12.1-1.oe2403.aarch64.rpm nodejs-debugsource-20.12.1-1.oe2403.aarch64.rpm nodejs-devel-20.12.1-1.oe2403.aarch64.rpm nodejs-full-i18n-20.12.1-1.oe2403.aarch64.rpm nodejs-libs-20.12.1-1.oe2403.aarch64.rpm npm-10.5.0-1.20.12.1.1.oe2403.aarch64.rpm v8-devel-11.3.244.8-1.20.12.1.1.oe2403.aarch64.rpm nodejs-20.12.1-1.oe2403.src.rpm nodejs-20.12.1-1.oe2403.x86_64.rpm nodejs-debuginfo-20.12.1-1.oe2403.x86_64.rpm nodejs-debugsource-20.12.1-1.oe2403.x86_64.rpm nodejs-devel-20.12.1-1.oe2403.x86_64.rpm nodejs-full-i18n-20.12.1-1.oe2403.x86_64.rpm nodejs-libs-20.12.1-1.oe2403.x86_64.rpm npm-10.5.0-1.20.12.1.1.oe2403.x86_64.rpm v8-devel-11.3.244.8-1.20.12.1.1.oe2403.x86_64.rpm nodejs-docs-20.12.1-1.oe2403.noarch.rpm The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first. 2024-09-27 CVE-2024-27982 openEuler-24.03-LTS Medium 6.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L nodejs security update 2024-09-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2174 An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition. 2024-09-27 CVE-2024-27983 openEuler-24.03-LTS High 8.2 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H nodejs security update 2024-09-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2174 Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1. 2024-09-27 CVE-2024-30260 openEuler-24.03-LTS Low 3.9 AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L nodejs security update 2024-09-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2174 Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1. 2024-09-27 CVE-2024-30261 openEuler-24.03-LTS Low 2.6 AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N nodejs security update 2024-09-27 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2174