Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 772422 (CVE-2021-22883, CVE-2021-22884) - <net-libs/nodejs-{12.21.0, 14.16.0}: Multiple vulnerabilities (CVE-2021-{22883,22884})
Summary: <net-libs/nodejs-{12.21.0, 14.16.0}: Multiple vulnerabilities (CVE-2021-{2288...
Status: IN_PROGRESS
Alias: CVE-2021-22883, CVE-2021-22884
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-24 19:08 UTC by Sam James
Modified: 2021-08-16 12:00 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-02-24 19:08:00 UTC
CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

CVE-2021-22884: DNS rebinding in --inspect
Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
Comment 1 Larry the Git Cow gentoo-dev 2021-02-25 11:06:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd954a9d5171bdd9cc4544c5b0036a971f3302cd

commit bd954a9d5171bdd9cc4544c5b0036a971f3302cd
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-02-25 09:26:08 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-02-25 11:06:32 +0000

    net-libs/nodejs: bump subslot 12 to 12.21.0
    
    Security release to address CVE-2021-22883, CVE-2021-22884, and
    CVE-2021-23840.
    
    Bug: https://bugs.gentoo.org/772422
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest              |   1 +
 net-libs/nodejs/nodejs-12.21.0.ebuild | 219 ++++++++++++++++++++++++++++++++++
 2 files changed, 220 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85b6504b813f6e317c60b28a7ed6206691f15611

commit 85b6504b813f6e317c60b28a7ed6206691f15611
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-02-25 09:24:56 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-02-25 11:06:29 +0000

    net-libs/nodejs: bump subslot 14 to 14.16.0
    
    Security release to address CVE-2021-22883, CVE-2021-22884, and
    CVE-2021-23840.
    
    Bug: https://bugs.gentoo.org/772422
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest              |   1 +
 net-libs/nodejs/nodejs-14.16.0.ebuild | 208 ++++++++++++++++++++++++++++++++++
 2 files changed, 209 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f73c71f23e3eec5773ec61a319a85d5f0613ec0

commit 9f73c71f23e3eec5773ec61a319a85d5f0613ec0
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-02-25 09:22:20 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-02-25 11:06:25 +0000

    net-libs/nodejs: bump subslot 15 to 15.10.0
    
    Security release to address CVE-2021-22883, CVE-2021-22884, and
    CVE-2021-23840.
    
    Bug: https://bugs.gentoo.org/772422
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest                                        | 2 +-
 net-libs/nodejs/{nodejs-15.8.0.ebuild => nodejs-15.10.0.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 2 Sam James archtester gentoo-dev Security 2021-02-25 13:15:34 UTC
x86 done
Comment 3 Sam James archtester gentoo-dev Security 2021-02-25 15:45:29 UTC
ppc64 done
Comment 4 Agostino Sarubbo gentoo-dev 2021-02-26 14:06:35 UTC
amd64 stable
Comment 5 Sam James archtester gentoo-dev Security 2021-02-26 19:03:46 UTC
arm done
Comment 6 Sam James archtester gentoo-dev Security 2021-02-26 22:03:15 UTC
arm64 done

all arches done
Comment 7 Sam James archtester gentoo-dev Security 2021-02-26 22:05:38 UTC
Please cleanup, thanks!
Comment 8 Larry the Git Cow gentoo-dev 2021-02-28 20:44:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=341f607876db1d0a2088965590092f4ec2767589

commit 341f607876db1d0a2088965590092f4ec2767589
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-02-28 20:43:54 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-02-28 20:43:54 +0000

    net-libs/nodejs: remove old
    
    No versions vulnerable to CVE-2021-22883, CVE-2021-22884 or
    CVE-2021-23840 left in the tree.
    
    Bug: https://bugs.gentoo.org/772422
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest              |   2 -
 net-libs/nodejs/nodejs-12.20.1.ebuild | 219 ----------------------------------
 net-libs/nodejs/nodejs-14.15.4.ebuild | 208 --------------------------------
 3 files changed, 429 deletions(-)
Comment 9 John Helmert III gentoo-dev Security 2021-07-11 03:07:53 UTC
GLSA request filed.
Comment 10 NATTkA bot gentoo-dev 2021-07-29 17:23:52 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 17:32:17 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-07-29 17:40:10 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 17:48:21 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-07-29 18:04:17 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2021-07-29 18:12:35 UTC
Package list is empty or all packages have requested keywords.