928532 – (CVE-2024-27982, CVE-2024-27983) <net-libs/nodejs-{18.20.1,20.12.1}: multiple vulnerabilities

Bug 928532 (CVE-2024-27982, CVE-2024-27983) - <net-libs/nodejs-{18.20.1,20.12.1}: multiple vulnerabilities

Summary: <net-libs/nodejs-{18.20.1,20.12.1}: multiple vulnerabilities

Status:	CONFIRMED

Alias:	CVE-2024-27982, CVE-2024-27983

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://nodejs.org/en/blog/vulnerabil...
Whiteboard:	A3 [stable]
Keywords:	PullRequest

Depends on:	930080
Blocks:	VU#421644
	Show dependency tree

Reported:	2024-04-03 20:11 UTC by Christopher Fore
Modified:	2024-04-19 06:42 UTC (History)
CC List:	1 user (show)

See Also:	https://github.com/gentoo/gentoo/pull/36216
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christopher Fore 2024-04-03 20:11:46 UTC

CVE-2024-27982:

The team has identified a vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.


CVE-2024-27983:

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.



The above are fixed in 18.20.1, 20.12.1, and 21.7.2 and have the following dependency bumps to address the vulnerabilities:
- llhttp 9.2.1 on 21.x, 20.x, and 18.x
- undici 6.11.1 on 21.x
- undici 5.28.4 on 18.x and 20.x

Comment 1 Larry the Git Cow gentoo-dev

2024-04-15 19:56:04 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64852fd321932254798c4819b964236fa6c92107

commit 64852fd321932254798c4819b964236fa6c92107
Author:     Matoro Mahri <matoro_gentoo@matoro.tk>
AuthorDate: 2024-04-11 22:11:59 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2024-04-15 19:55:55 +0000

    net-libs/nodejs: add 20.12.1
    
    Bug: https://bugs.gentoo.org/928532
    Closes: https://github.com/gentoo/gentoo/pull/36216
    
    Signed-off-by: Matoro Mahri <matoro_gentoo@matoro.tk>
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest              |   1 +
 net-libs/nodejs/nodejs-20.12.1.ebuild | 265 ++++++++++++++++++++++++++++++++++
 2 files changed, 266 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a42c75e62d57879dc3b9f4ad9271ebe47b13dcff

commit a42c75e62d57879dc3b9f4ad9271ebe47b13dcff
Author:     Matoro Mahri <matoro_gentoo@matoro.tk>
AuthorDate: 2024-04-11 22:06:47 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2024-04-15 19:55:43 +0000

    net-libs/nodejs: add 18.20.1
    
    Bug: https://bugs.gentoo.org/928532
    Closes: https://github.com/gentoo/gentoo/pull/36216
    
    Signed-off-by: Matoro Mahri <matoro_gentoo@matoro.tk>
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest              |   1 +
 net-libs/nodejs/nodejs-18.20.1.ebuild | 259 ++++++++++++++++++++++++++++++++++
 2 files changed, 260 insertions(+)