[Buildroot] [PATCH] package/nodejs: security bump to version 14.18.3

Peter Korsgaard peter at korsgaard.com
Fri Jan 28 17:03:26 UTC 2022 

>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 > Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)

 > Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is
 > specifically defined to use a particular SAN type, can result in bypassing
 > name-constrained intermediates.  Node.js was accepting URI SAN types, which
 > PKIs are often not defined to use.  Additionally, when a protocol allows URI
 > SANs, Node.js did not match the URI correctly.

 > Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)

 > Node.js converts SANs (Subject Alternative Names) to a string format.  It
 > uses this string to check peer certificates against hostnames when
 > validating connections.  The string format was subject to an injection
 > vulnerability when name constraints were used within a certificate chain,
 > allowing the bypass of these name constraints.

 > Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)

 > Node.js did not handle multi-value Relative Distinguished Names correctly.
 > Attackers could craft certificate subjects containing a single-value
 > Relative Distinguished Name that would be interpreted as a multi-value
 > Relative Distinguished Name, for example, in order to inject a Common Name
 > that would allow bypassing the certificate subject verification.

 > Prototype pollution via console.table properties (Low)(CVE-2022-21824)

 > Due to the formatting logic of the console.table() function it was not safe
 > to allow user controlled input to be passed to the properties parameter
 > while simultaneously passing a plain object with at least one property as
 > the first parameter, which could be __proto__.  The prototype pollution has
 > very limited control, in that it only allows an empty string to be assigned
 > numerical keys of the object prototype.

 > For details, see the advisory:
 > https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2021.11.x, thanks.

For 2021.02.x I will instead bump to 12.22.9 which contains the same
fixes.

-- 
Bye, Peter Korsgaard

More information about the buildroot mailing list