Home Explore Help
Sign In
PUBLIC_REPOS
/
buildroot
mirror of git://git.buildroot.net/buildroot
2
1
Fork 0
Files
Browse Source

package/nodejs: security bump to version 14.18.3

Fixes the following security issues:

Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is
specifically defined to use a particular SAN type, can result in bypassing
name-constrained intermediates.  Node.js was accepting URI SAN types, which
PKIs are often not defined to use.  Additionally, when a protocol allows URI
SANs, Node.js did not match the URI correctly.

Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)

Node.js converts SANs (Subject Alternative Names) to a string format.  It
uses this string to check peer certificates against hostnames when
validating connections.  The string format was subject to an injection
vulnerability when name constraints were used within a certificate chain,
allowing the bypass of these name constraints.

Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)

Node.js did not handle multi-value Relative Distinguished Names correctly.
Attackers could craft certificate subjects containing a single-value
Relative Distinguished Name that would be interpreted as a multi-value
Relative Distinguished Name, for example, in order to inject a Common Name
that would allow bypassing the certificate subject verification.

Prototype pollution via console.table properties (Low)(CVE-2022-21824)

Due to the formatting logic of the console.table() function it was not safe
to allow user controlled input to be passed to the properties parameter
while simultaneously passing a plain object with at least one property as
the first parameter, which could be __proto__.  The prototype pollution has
very limited control, in that it only allows an empty string to be assigned
numerical keys of the object prototype.

For details, see the advisory:
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Korsgaard 3 years ago
parent
6e4791b751
commit
9096036f00
2 changed files with 3 additions and 3 deletions
Split View Show Diff Stats
  1. 2 2
      package/nodejs/nodejs.hash
  2. 1 1
      package/nodejs/nodejs.mk

+ 2 - 2
package/nodejs/nodejs.hash
View File 

@@ -1,5 +1,5 @@
 
-# From https://nodejs.org/dist/v14.18.2/SHASUMS256.txt
 
-sha256  3e8a9ce10f8bcd3628eb6dd049f7f03c84ba9219be6f9743e2221154b9cc680b  node-v14.18.2.tar.xz
 
+# From https://nodejs.org/dist/v14.18.3/SHASUMS256.txt
 
+sha256  783ac443cd343dd6c68d2abcf7e59e7b978a6a428f6a6025f9b84918b769d608  node-v14.18.3.tar.xz
 
 
 # Hash for license file
 
 sha256  b3a67885b5a6ac35e8bbe8190509e41b79b0d9a2e3fbd47186f2ac4727f63be5  LICENSE

+ 1 - 1
package/nodejs/nodejs.mk
View File 

@@ -4,7 +4,7 @@
 
 #
 
 ################################################################################
 
 
-NODEJS_VERSION = 14.18.2
 
+NODEJS_VERSION = 14.18.3
 
 NODEJS_SOURCE = node-v$(NODEJS_VERSION).tar.xz
 
 NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION)
 
 NODEJS_DEPENDENCIES = host-qemu host-python3 host-nodejs c-ares \