drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mehrere Probleme in Node.js
Name: |
Mehrere Probleme in Node.js |
|
ID: |
USN-6672-1 |
|
Distribution: |
Ubuntu |
|
Plattformen: |
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 23.10 |
|
Datum: |
Di, 5. März 2024, 06:49 |
|
Referenzen: |
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23919
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2650
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920 |
|
Applikationen: |
node.js |
|
Originalnachricht |
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --===============8412097823925259706== Content-Language: en-US Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="------------yPKq9zGEtwC8gjItrG9ilGve"
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------yPKq9zGEtwC8gjItrG9ilGve Content-Type: multipart/mixed; boundary="------------TliUknA74ZbTkNJZc0cinLEu"; protected-headers="v1" From: Amir Naseredini <amir.naseredini@canonical.com> To: ubuntu-security-announce@lists.ubuntu.com Message-ID: <27ff5f2d-455e-433e-b7a7-6ad84ba2c3fa@canonical.com> Subject: [USN-6672-1] Node.js vulnerabilities
--------------TliUknA74ZbTkNJZc0cinLEu Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64
========================================================================== Ubuntu Security Notice USN-6672-1 March 04, 2024
nodejs vulnerabilities ==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Node.js.
Software Description: - nodejs: An open-source, cross-platform JavaScript runtime environment.
Details:
Morgan Jones discovered that Node.js incorrectly handled certain inputs that leads to false positive errors during some cryptographic operations. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.10. (CVE-2023-23919)
It was discovered that Node.js incorrectly handled certain inputs leaded to a untrusted search path vulnerability. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to perform a privilege escalation. (CVE-2023-23920)
Matt Caswell discovered that Node.js incorrectly handled certain inputs with specially crafted ASN.1 object identifiers or data containing them. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-2650)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 23.10: libnode108 18.13.0+dfsg1-1ubuntu2.1 nodejs 18.13.0+dfsg1-1ubuntu2.1
Ubuntu 22.04 LTS: libnode72 12.22.9~dfsg-1ubuntu3.4 nodejs 12.22.9~dfsg-1ubuntu3.4
Ubuntu 20.04 LTS: libnode64 10.19.0~dfsg-3ubuntu1.5 nodejs 10.19.0~dfsg-3ubuntu1.5
In general, a standard system update will make all the necessary changes.
References: https://ubuntu.com/security/notices/USN-6672-1 CVE-2023-23919, CVE-2023-23920, CVE-2023-2650
Package Information: https://launchpad.net/ubuntu/+source/nodejs/18.13.0+dfsg1-1ubuntu2.1 https://launchpad.net/ubuntu/+source/nodejs/12.22.9~dfsg-1ubuntu3.4 https://launchpad.net/ubuntu/+source/nodejs/10.19.0~dfsg-3ubuntu1.5
--------------TliUknA74ZbTkNJZc0cinLEu--
--------------yPKq9zGEtwC8gjItrG9ilGve Content-Type: application/pgp-signature; name="OpenPGP_signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="OpenPGP_signature.asc"
-----BEGIN PGP SIGNATURE-----
wsD5BAABCAAjFiEELRdhz3KY7FGicMD8Vjg+NdFTuLIFAmXltG4FAwAAAAAACgkQVjg+NdFTuLKX +Av+JO67ERBeLlJ6HXKWpz57ia5oHcIFzhtd4c6SHUv5f51hGO+vDUjCsk643WOq2BO1CUc6YPUo LFRRh3XA86NfmePtF6qUynfZvzdc8xdxF90tH7bBWYUdVLANbeYBGMUmXYQmzVR/sLwO6o2TbDIq w130ee2uIxgVPv+jW5mZbSpbg5xEu1QDdv7XUxSzTCDXUt0tZdPRFcz+T7FvGziqoJtDZGq1HE/B Q9kKGzOVuHiLtyRzqy2XyzaHlCYUKIE0mXrxaa92sz8wt1+6YQby0DVOHO7Sm58ikIaJEt09fal/ kWWif8iw2yCARDU74UPKHbuGSkw8zBXMi+MHCMJOwE/VYej6XbqQCprCl4lLfN1y8bbvbJeg7R7q AqglxpF2dOiCnUoR0PQ5yTPeFda1njcnT/mF77Y6m5sSjiati5RWo1Ko24whm+goT/A+J4TTzAni wgfg6A0uwgsd//Kh93jhGP+hGDAdz9tsBDaS6nduqrvbYLpQDJDVevfb0B2h =Je3X -----END PGP SIGNATURE-----
--------------yPKq9zGEtwC8gjItrG9ilGve--
--===============8412097823925259706== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline
Cg==
--===============8412097823925259706==--
|
|
|
|