ALAS2022-2022-019

A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host. (CVE-2021-44531)

It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host. (CVE-2021-44532)

A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries. (CVE-2021-44533)

Prototype pollution via console.table properties (CVE-2022-21824)

aarch64:
    nodejs-libs-debuginfo-16.13.2-3.amzn2022.aarch64
    v8-devel-9.4.146.24-1.16.13.2.3.amzn2022.aarch64
    nodejs-debuginfo-16.13.2-3.amzn2022.aarch64
    nodejs-devel-16.13.2-3.amzn2022.aarch64
    nodejs-full-i18n-16.13.2-3.amzn2022.aarch64
    nodejs-16.13.2-3.amzn2022.aarch64
    nodejs-libs-16.13.2-3.amzn2022.aarch64
    npm-8.1.2-1.16.13.2.3.amzn2022.aarch64
    nodejs-debugsource-16.13.2-3.amzn2022.aarch64

noarch:
    nodejs-docs-16.13.2-3.amzn2022.noarch

src:
    nodejs-16.13.2-3.amzn2022.src

x86_64:
    nodejs-libs-debuginfo-16.13.2-3.amzn2022.x86_64
    nodejs-full-i18n-16.13.2-3.amzn2022.x86_64
    nodejs-debuginfo-16.13.2-3.amzn2022.x86_64
    v8-devel-9.4.146.24-1.16.13.2.3.amzn2022.x86_64
    nodejs-16.13.2-3.amzn2022.x86_64
    nodejs-devel-16.13.2-3.amzn2022.x86_64
    nodejs-libs-16.13.2-3.amzn2022.x86_64
    npm-8.1.2-1.16.13.2.3.amzn2022.x86_64
    nodejs-debugsource-16.13.2-3.amzn2022.x86_64