ALAS-2024-568


Amazon Linux 2023 Security Advisory: ALAS-2024-568
Advisory Release Date: 2024-03-13 20:41 Pacific
Advisory Updated Date: 2024-03-21 14:00 Pacific
Severity: Medium

Issue Overview:

NOTE: https://nodejs.org/en/blog/release/v18.19.1
NOTE: https://github.com/nodejs/node/commit/f31d47e135973746c4f490d5eb635eded8bb3dda (v18.x)
NOTE: https://github.com/nodejs/node/commit/9052ef43dc2d1b0db340591a9bc9e45a25c01d90 (main) (CVE-2024-22025)

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. (CVE-2024-24758)

c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and, if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to an attempt to read memory prior to the start of the given buffer, which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist. (CVE-2024-25629)
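The bug class described for c-ares above, as an added C example (a simplified illustration, not c-ares source code): a newline-stripping helper in unchecked and checked form, plus a check that flags lines beginning with a NUL byte. All function names and the sample bytes are constructed for this example, and lines are assumed to be shorter than 256 bytes.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern, for contrast only (never called): if the line starts
 * with a NUL byte, strlen() is 0 and buf[len - 1] reads buf[-1]. */
size_t chomp_unchecked(char *buf)
{
    size_t len = strlen(buf);
    if (buf[len - 1] == '\n')
        buf[--len] = '\0';
    return len;
}

/* Hardened form: look at the last character only when one exists. */
size_t chomp_checked(char *buf)
{
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n')
        buf[--len] = '\0';
    return len;
}

/* fgets()-like: copies through '\n' (NUL bytes too); returns bytes copied. */
static size_t mem_gets(char *dst, size_t cap, const char *src, size_t n, size_t *pos)
{
    size_t i = 0;
    while (i + 1 < cap && *pos < n)
        if ((dst[i++] = src[(*pos)++]) == '\n')
            break;
    dst[i] = '\0';
    return i;
}

/* Counts lines whose first byte is NUL, reading each with the safe chomp. */
size_t count_nul_led_lines(const char *data, size_t n)
{
    char line[256];
    size_t pos = 0, hits = 0;
    while (mem_gets(line, sizeof line, data, n, &pos) > 0) {
        hits += (line[0] == '\0');   /* bytes were copied, so this NUL is data */
        (void)chomp_checked(line);
    }
    return hits;
}

int main(void)
{
    static const char sample[] = "nameserver 192.0.2.1\n\0ptions x\n"; /* constructed */
    printf("NUL-led lines: %zu\n", count_nul_led_lines(sample, sizeof sample - 1));
}
```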


Affected Packages:

nodejs


Issue Correction:
Run `dnf update nodejs --releasever 2023.4.20240319` to update your system.

New Packages:
aarch64:
    nodejs-libs-debuginfo-18.18.2-1.amzn2023.0.3.aarch64
    nodejs-debuginfo-18.18.2-1.amzn2023.0.3.aarch64
    v8-10.2-devel-10.2.154.26-1.18.18.2.1.amzn2023.0.3.aarch64
    nodejs-devel-18.18.2-1.amzn2023.0.3.aarch64
    nodejs-full-i18n-18.18.2-1.amzn2023.0.3.aarch64
    nodejs-libs-18.18.2-1.amzn2023.0.3.aarch64
    nodejs-18.18.2-1.amzn2023.0.3.aarch64
    nodejs-npm-9.8.1-1.18.18.2.1.amzn2023.0.3.aarch64
    nodejs-debugsource-18.18.2-1.amzn2023.0.3.aarch64

noarch:
    nodejs-docs-18.18.2-1.amzn2023.0.3.noarch

src:
    nodejs-18.18.2-1.amzn2023.0.3.src

x86_64:
    nodejs-libs-debuginfo-18.18.2-1.amzn2023.0.3.x86_64
    nodejs-debuginfo-18.18.2-1.amzn2023.0.3.x86_64
    nodejs-devel-18.18.2-1.amzn2023.0.3.x86_64
    nodejs-full-i18n-18.18.2-1.amzn2023.0.3.x86_64
    nodejs-libs-18.18.2-1.amzn2023.0.3.x86_64
    v8-10.2-devel-10.2.154.26-1.18.18.2.1.amzn2023.0.3.x86_64
    nodejs-npm-9.8.1-1.18.18.2.1.amzn2023.0.3.x86_64
    nodejs-18.18.2-1.amzn2023.0.3.x86_64
    nodejs-debugsource-18.18.2-1.amzn2023.0.3.x86_64