RLSA-2024:1688 --- nodejs-nodemonID: oval:org.secpod.oval:def:5800222 | Date: (C)2024-05-21 (M)2024-06-10 |
Class: PATCH | Family: unix |
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix: * nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding * nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks * nodejs: code injection and privilege escalation through Linux capabilities * nodejs: path traversal by monkey-patching buffer internals * nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization * nodejs: improper handling of wildcards in --allow-fs-read and --allow-fs-write * nodejs: setuid does not drop all privileges due to io_uring
Product: |
nodejs-nodemon |
nodejs-packaging |