Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 928532 (CVE-2024-27982, CVE-2024-27983) - <net-libs/nodejs-{18.20.1,20.12.1}: multiple vulnerabilities
Summary: <net-libs/nodejs-{18.20.1,20.12.1}: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2024-27982, CVE-2024-27983
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://nodejs.org/en/blog/vulnerabil...
Whiteboard: A3 [glsa?]
Keywords: PullRequest
Depends on: 930080
Blocks: VU#421644
  Show dependency tree
 
Reported: 2024-04-03 20:11 UTC by Christopher Fore
Modified: 2024-05-27 05:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Fore 2024-04-03 20:11:46 UTC
CVE-2024-27982:

The team has identified a vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.


CVE-2024-27983:

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.



The above are fixed in 18.20.1, 20.12.1, and 21.7.2 and have the following dependency bumps to address the vulnerabilities:
- llhttp 9.2.1 on 21.x, 20.x, and 18.x
- undici 6.11.1 on 21.x
- undici 5.28.4 on 18.x and 20.x
Comment 1 Larry the Git Cow gentoo-dev 2024-04-15 19:56:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64852fd321932254798c4819b964236fa6c92107

commit 64852fd321932254798c4819b964236fa6c92107
Author:     Matoro Mahri <matoro_gentoo@matoro.tk>
AuthorDate: 2024-04-11 22:11:59 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2024-04-15 19:55:55 +0000

    net-libs/nodejs: add 20.12.1
    
    Bug: https://bugs.gentoo.org/928532
    Closes: https://github.com/gentoo/gentoo/pull/36216
    
    Signed-off-by: Matoro Mahri <matoro_gentoo@matoro.tk>
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest              |   1 +
 net-libs/nodejs/nodejs-20.12.1.ebuild | 265 ++++++++++++++++++++++++++++++++++
 2 files changed, 266 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a42c75e62d57879dc3b9f4ad9271ebe47b13dcff

commit a42c75e62d57879dc3b9f4ad9271ebe47b13dcff
Author:     Matoro Mahri <matoro_gentoo@matoro.tk>
AuthorDate: 2024-04-11 22:06:47 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2024-04-15 19:55:43 +0000

    net-libs/nodejs: add 18.20.1
    
    Bug: https://bugs.gentoo.org/928532
    Closes: https://github.com/gentoo/gentoo/pull/36216
    
    Signed-off-by: Matoro Mahri <matoro_gentoo@matoro.tk>
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest              |   1 +
 net-libs/nodejs/nodejs-18.20.1.ebuild | 259 ++++++++++++++++++++++++++++++++++
 2 files changed, 260 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-05-27 04:59:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02f02180c053b0b19a07cac98b5e74f9aa2e0491

commit 02f02180c053b0b19a07cac98b5e74f9aa2e0491
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2024-05-27 04:57:11 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2024-05-27 04:57:11 +0000

    net-libs/nodejs: drop 18.17.1, 18.19.0, 20.6.1, 20.11.0
    
    Bug: https://bugs.gentoo.org/928532
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-libs/nodejs/Manifest              |   4 -
 net-libs/nodejs/nodejs-18.17.1.ebuild | 258 ---------------------------------
 net-libs/nodejs/nodejs-18.19.0.ebuild | 259 ---------------------------------
 net-libs/nodejs/nodejs-20.11.0.ebuild | 261 ---------------------------------
 net-libs/nodejs/nodejs-20.6.1.ebuild  | 262 ----------------------------------
 5 files changed, 1044 deletions(-)