Amazon Linux 2022 Security Advisory: ALAS-2022-013
Advisory Release Date: 2022-01-25 10:58 Pacific
Advisory Updated Date: 2022-01-26 21:43 Pacific
An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.js. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as through a proxy, reverse proxy, or load balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity. (CVE-2021-22959)
An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.js. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as through a proxy, reverse proxy, or load balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity. (CVE-2021-22960)
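The two parsing rules these issues concern, written as strict checks that follow the RFC 7230 grammar. This is an added example, not code from the advisory, llhttp, or Node.js. The function names, the safe-integer limit on the chunk size, and the sample lines are assumptions made for illustration.

```javascript
// Added example: strict RFC 7230 grammar checks; not llhttp's or Node.js's code.
// tchar set for "token"; a space is not a tchar, so "Name : v" must be rejected.
const TCHAR = /[!#$%&'*+\-.^_`|~0-9A-Za-z]/.source;
// quoted-string: qdtext or a backslash-escaped quoted-pair between double quotes.
const QUOTED = /"(?:[\t \x21\x23-\x5B\x5D-\x7E\x80-\xFF]|\\[\t \x21-\x7E\x80-\xFF])*"/.source;
const TOKEN = new RegExp(`^${TCHAR}+$`);
// chunk-ext = *( ";" name [ "=" ( token / quoted-string ) ] )
const CHUNK_EXT = `(?:;${TCHAR}+(?:=(?:${TCHAR}+|${QUOTED}))?)*`;
const CHUNK_LINE = new RegExp(`^([0-9A-Fa-f]+)${CHUNK_EXT}$`);

// Parse one header line (CRLF already stripped). The field name must be a
// token, so any space inside it or before the colon fails the check.
function parseHeaderLine(line) {
  const colon = line.indexOf(':');
  if (colon <= 0) return { ok: false, reason: 'missing field name or colon' };
  const name = line.slice(0, colon);
  if (!TOKEN.test(name)) return { ok: false, reason: 'field name is not a token' };
  // Optional whitespace is allowed only around the value, never in the name.
  const value = line.slice(colon + 1).replace(/^[ \t]+|[ \t]+$/g, '');
  return { ok: true, name: name.toLowerCase(), value };
}

// Parse one chunk-size line (CRLF already stripped): hex digits only, then
// optional well-formed extensions. Anything else is rejected, not skipped.
function parseChunkSizeLine(line) {
  const m = CHUNK_LINE.exec(line);
  if (!m) return { ok: false, reason: 'malformed chunk-size line' };
  const size = parseInt(m[1], 16);
  // Assumption: sizes beyond the safe-integer range are treated as invalid.
  if (!Number.isSafeInteger(size)) return { ok: false, reason: 'chunk size too large' };
  return { ok: true, size };
}

// Constructed sample lines, not taken from any capture.
const headerSamples = ['Content-Length: 5', 'Content-Length : 5', ' Host: example.test'];
const chunkSamples = ['1a', '1A;name=value;flag', '1a ;ext', '0x1a', ''];
for (const s of headerSamples) console.log(JSON.stringify(s), parseHeaderLine(s));
for (const s of chunkSamples) console.log(JSON.stringify(s), parseChunkSizeLine(s));
```

A proxy and the backend behind it stay in agreement on message boundaries only when both reject the same malformed lines, which is why each check returns a failure instead of normalizing the input.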
Affected Packages:
nodejs
Issue Correction:
Run dnf update --releasever=2022.0.20220125 nodejs to update your system.
aarch64:
nodejs-libs-debuginfo-16.13.1-2.amzn2022.aarch64
v8-devel-9.4.146.24-1.16.13.1.2.amzn2022.aarch64
nodejs-devel-16.13.1-2.amzn2022.aarch64
nodejs-debuginfo-16.13.1-2.amzn2022.aarch64
nodejs-16.13.1-2.amzn2022.aarch64
nodejs-full-i18n-16.13.1-2.amzn2022.aarch64
nodejs-libs-16.13.1-2.amzn2022.aarch64
npm-8.1.2-1.16.13.1.2.amzn2022.aarch64
nodejs-debugsource-16.13.1-2.amzn2022.aarch64
noarch:
nodejs-docs-16.13.1-2.amzn2022.noarch
src:
nodejs-16.13.1-2.amzn2022.src
x86_64:
nodejs-libs-debuginfo-16.13.1-2.amzn2022.x86_64
nodejs-libs-16.13.1-2.amzn2022.x86_64
nodejs-debuginfo-16.13.1-2.amzn2022.x86_64
v8-devel-9.4.146.24-1.16.13.1.2.amzn2022.x86_64
nodejs-devel-16.13.1-2.amzn2022.x86_64
nodejs-16.13.1-2.amzn2022.x86_64
nodejs-full-i18n-16.13.1-2.amzn2022.x86_64
npm-8.1.2-1.16.13.1.2.amzn2022.x86_64
nodejs-debugsource-16.13.1-2.amzn2022.x86_64