CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion

Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and the process is also prevented from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory.

CVE-2021-22884: DNS rebinding in --inspect

Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over the network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
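The following is an added example, not part of the original report and not Node.js's own code. It shows a Host-header allowlist check of the kind CVE-2021-22884 concerns, and a helper that lists allowlisted names the hosts file does not pin. The function names, both allowlists and the sample hosts file are constructed assumptions.

```javascript
// Constructed allowlists for illustration; not copied from the Node.js source.
const BEFORE = new Set(['localhost', 'localhost6']);
const AFTER = new Set(['localhost']);
// Constructed sample hosts file with no localhost6 entry.
const SAMPLE_HOSTS = '127.0.0.1 localhost\n::1 localhost ip6-localhost # loopback\n';

function isIPv4(s) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(s) && s.split('.').every((o) => Number(o) <= 255);
}

function isIPv6(s) {
  if (!/^[0-9a-f:.]+$/i.test(s)) return false;
  // The WHATWG URL parser rejects malformed bracketed IPv6 literals.
  try { new URL(`http://[${s}]/`); return true; } catch { return false; }
}

// Split a Host header into its host part; handles "name:port" and "[v6]:port".
function splitHost(header) {
  const value = String(header).trim().toLowerCase();
  if (value.startsWith('[')) {
    const end = value.indexOf(']');
    if (end === -1 || !/^(:\d{1,5})?$/.test(value.slice(end + 1))) return null;
    return { host: value.slice(1, end), bracketed: true };
  }
  const m = /^([^:\s/@\[\]]+)(:\d{1,5})?$/.exec(value);
  return m ? { host: m[1], bracketed: false } : null;
}

// Accept IP literals (no name lookup involved) and allowlisted names only.
function isAllowedHost(header, allowedNames) {
  const parsed = splitHost(header);
  if (parsed === null) return false;
  if (parsed.bracketed) return isIPv6(parsed.host);
  return isIPv4(parsed.host) || allowedNames.has(parsed.host);
}

// Allowlisted names that the hosts file does not pin; these are resolved via DNS.
function unpinnedNames(allowedNames, hostsText) {
  const pinned = new Set();
  for (const line of hostsText.split('\n')) {
    const [addr, ...names] = line.replace(/#.*/, '').trim().split(/\s+/);
    if (!isIPv4(addr) && !isIPv6(addr)) continue;
    names.forEach((n) => pinned.add(n.toLowerCase()));
  }
  return [...allowedNames].filter((n) => !pinned.has(n)).sort();
}

console.log(unpinnedNames(BEFORE, SAMPLE_HOSTS), unpinnedNames(AFTER, SAMPLE_HOSTS));
```

With the constructed hosts file, the first allowlist leaves "localhost6" dependent on DNS, while the second leaves no allowlisted name unpinned.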
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd954a9d5171bdd9cc4544c5b0036a971f3302cd

commit bd954a9d5171bdd9cc4544c5b0036a971f3302cd
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-02-25 09:26:08 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-02-25 11:06:32 +0000

    net-libs/nodejs: bump subslot 12 to 12.21.0

    Security release to address CVE-2021-22883, CVE-2021-22884, and CVE-2021-23840.

    Bug: https://bugs.gentoo.org/772422
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest | 1 +
 net-libs/nodejs/nodejs-12.21.0.ebuild | 219 ++++++++++++++++++++++++++++++++++
 2 files changed, 220 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85b6504b813f6e317c60b28a7ed6206691f15611

commit 85b6504b813f6e317c60b28a7ed6206691f15611
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-02-25 09:24:56 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-02-25 11:06:29 +0000

    net-libs/nodejs: bump subslot 14 to 14.16.0

    Security release to address CVE-2021-22883, CVE-2021-22884, and CVE-2021-23840.

    Bug: https://bugs.gentoo.org/772422
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest | 1 +
 net-libs/nodejs/nodejs-14.16.0.ebuild | 208 ++++++++++++++++++++++++++++++++++
 2 files changed, 209 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f73c71f23e3eec5773ec61a319a85d5f0613ec0

commit 9f73c71f23e3eec5773ec61a319a85d5f0613ec0
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-02-25 09:22:20 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-02-25 11:06:25 +0000

    net-libs/nodejs: bump subslot 15 to 15.10.0

    Security release to address CVE-2021-22883, CVE-2021-22884, and CVE-2021-23840.

    Bug: https://bugs.gentoo.org/772422
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest | 2 +-
 net-libs/nodejs/{nodejs-15.8.0.ebuild => nodejs-15.10.0.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
x86 done
ppc64 done
amd64 stable
arm done
arm64 done

all arches done
Please cleanup, thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=341f607876db1d0a2088965590092f4ec2767589

commit 341f607876db1d0a2088965590092f4ec2767589
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-02-28 20:43:54 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-02-28 20:43:54 +0000

    net-libs/nodejs: remove old

    No versions vulnerable to CVE-2021-22883, CVE-2021-22884 or CVE-2021-23840 left in the tree.

    Bug: https://bugs.gentoo.org/772422
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest | 2 -
 net-libs/nodejs/nodejs-12.20.1.ebuild | 219 ----------------------------------
 net-libs/nodejs/nodejs-14.15.4.ebuild | 208 --------------------------------
 3 files changed, 429 deletions(-)
GLSA request filed.
Package list is empty or all packages have requested keywords.