CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory. CVE-2021-22884: DNS rebinding in --inspect Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd954a9d5171bdd9cc4544c5b0036a971f3302cd commit bd954a9d5171bdd9cc4544c5b0036a971f3302cd Author: Marek Szuba <marecki@gentoo.org> AuthorDate: 2021-02-25 09:26:08 +0000 Commit: Marek Szuba <marecki@gentoo.org> CommitDate: 2021-02-25 11:06:32 +0000 net-libs/nodejs: bump subslot 12 to 12.21.0 Security release to address CVE-2021-22883, CVE-2021-22884, and CVE-2021-23840. Bug: https://bugs.gentoo.org/772422 Signed-off-by: Marek Szuba <marecki@gentoo.org> net-libs/nodejs/Manifest | 1 + net-libs/nodejs/nodejs-12.21.0.ebuild | 219 ++++++++++++++++++++++++++++++++++ 2 files changed, 220 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85b6504b813f6e317c60b28a7ed6206691f15611 commit 85b6504b813f6e317c60b28a7ed6206691f15611 Author: Marek Szuba <marecki@gentoo.org> AuthorDate: 2021-02-25 09:24:56 +0000 Commit: Marek Szuba <marecki@gentoo.org> CommitDate: 2021-02-25 11:06:29 +0000 net-libs/nodejs: bump subslot 14 to 14.16.0 Security release to address CVE-2021-22883, CVE-2021-22884, and CVE-2021-23840. Bug: https://bugs.gentoo.org/772422 Signed-off-by: Marek Szuba <marecki@gentoo.org> net-libs/nodejs/Manifest | 1 + net-libs/nodejs/nodejs-14.16.0.ebuild | 208 ++++++++++++++++++++++++++++++++++ 2 files changed, 209 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f73c71f23e3eec5773ec61a319a85d5f0613ec0 commit 9f73c71f23e3eec5773ec61a319a85d5f0613ec0 Author: Marek Szuba <marecki@gentoo.org> AuthorDate: 2021-02-25 09:22:20 +0000 Commit: Marek Szuba <marecki@gentoo.org> CommitDate: 2021-02-25 11:06:25 +0000 net-libs/nodejs: bump subslot 15 to 15.10.0 Security release to address CVE-2021-22883, CVE-2021-22884, and CVE-2021-23840. Bug: https://bugs.gentoo.org/772422 Signed-off-by: Marek Szuba <marecki@gentoo.org> net-libs/nodejs/Manifest | 2 +- net-libs/nodejs/{nodejs-15.8.0.ebuild => nodejs-15.10.0.ebuild} | 0 2 files changed, 1 insertion(+), 1 deletion(-)
x86 done
ppc64 done
amd64 stable
arm done
arm64 done all arches done
Please cleanup, thanks!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=341f607876db1d0a2088965590092f4ec2767589 commit 341f607876db1d0a2088965590092f4ec2767589 Author: Marek Szuba <marecki@gentoo.org> AuthorDate: 2021-02-28 20:43:54 +0000 Commit: Marek Szuba <marecki@gentoo.org> CommitDate: 2021-02-28 20:43:54 +0000 net-libs/nodejs: remove old No versions vulnerable to CVE-2021-22883, CVE-2021-22884 or CVE-2021-23840 left in the tree. Bug: https://bugs.gentoo.org/772422 Signed-off-by: Marek Szuba <marecki@gentoo.org> net-libs/nodejs/Manifest | 2 - net-libs/nodejs/nodejs-12.20.1.ebuild | 219 ---------------------------------- net-libs/nodejs/nodejs-14.15.4.ebuild | 208 -------------------------------- 3 files changed, 429 deletions(-)
GLSA request filed.
Package list is empty or all packages have requested keywords.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=88bffd0cf8491b108b57ac229b72f8b472c31ed1 commit 88bffd0cf8491b108b57ac229b72f8b472c31ed1 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-05-08 11:16:15 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-05-08 11:16:37 +0000 [ GLSA 202405-29 ] Node.js: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/772422 Bug: https://bugs.gentoo.org/781704 Bug: https://bugs.gentoo.org/800986 Bug: https://bugs.gentoo.org/805053 Bug: https://bugs.gentoo.org/807775 Bug: https://bugs.gentoo.org/811273 Bug: https://bugs.gentoo.org/817938 Bug: https://bugs.gentoo.org/831037 Bug: https://bugs.gentoo.org/835615 Bug: https://bugs.gentoo.org/857111 Bug: https://bugs.gentoo.org/865627 Bug: https://bugs.gentoo.org/872692 Bug: https://bugs.gentoo.org/879617 Bug: https://bugs.gentoo.org/918086 Bug: https://bugs.gentoo.org/918614 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202405-29.xml | 121 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 121 insertions(+)
