Category Archives: Advisories

nodejs20-20.12.2-1.fc40

Read Time:6 Minute, 1 Second

FEDORA-2024-2ffe03eaa6

Packages in this update:

nodejs20-20.12.2-1.fc40

Update description:

2024-04-03, Version 20.12.1 ‘Iron’ (LTS), @RafaelGSS

This is a security release

Notable Changes

CVE-2024-27983 – Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
CVE-2024-27982 – HTTP Request Smuggling via Content Length Obfuscation – (Medium)
llhttp version 9.2.1
undici version 5.28.4

Commits

[bd8f10a257] – deps: update undici to v5.28.4 (Matteo Collina) nodejs-private/node-private#576
[5e34540a96] – http: do not allow OBS fold in headers by default (Paolo Insogna) nodejs-private/node-private#557
[ba1ae6d188] – src: ensure to close stream when destroying session (Anna Henningsen) nodejs-private/node-private#561

2024-04-03, Version 20.12.1 ‘Iron’ (LTS), @RafaelGSS

This is a security release

Notable Changes

CVE-2024-27983 – Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
CVE-2024-27982 – HTTP Request Smuggling via Content Length Obfuscation – (Medium)
llhttp version 9.2.1
undici version 5.28.4

2024-03-26, Version 20.12.0 ‘Iron’ (LTS), @richardlau

Notable Changes

crypto: implement crypto.hash()

This patch introduces a helper crypto.hash() that computes
a digest from the input at one shot. This can be 1.2-2x faster
than the object-based createHash() for smaller inputs (<= 5MB)
that are readily available (not streamed) and incur less memory
overhead since no intermediate objects will be created.

const crypto = require(‘node:crypto’);

// Hashing a string and return the result as a hex-encoded string.
const string = ‘Node.js’;
// 10b3493287f831e81a438811a1ffba01f8cec4b7
console.log(crypto.hash(‘sha1’, string));

Contributed by Joyee Cheung in #51044.

Loading and parsing environment variables

process.loadEnvFile(path):
Use this function to load the .env file. If no path is specified, it automatically loads the .env file in the current directory. Example: process.loadEnvFile().

Load a specific .env file by specifying its path. Example: process.loadEnvFile(‘./development.env’).

util.parseEnv(content):

Use this function to parse an existing string containing environment variable assignments.
Example usage: require(‘node:util’).parseEnv(‘HELLO=world’).

Contributed by Yagiz Nizipli in #51476.

New connection attempt events

Three new events were added in the net.createConnection flow:

connectionAttempt: Emitted when a new connection attempt is established. In case of Happy Eyeballs, this might emitted multiple times.
connectionAttemptFailed: Emitted when a connection attempt failed. In case of Happy Eyeballs, this might emitted multiple times.
connectionAttemptTimeout: Emitted when a connection attempt timed out. In case of Happy Eyeballs, this will not be emitted for the last attempt. This is not emitted at all if Happy Eyeballs is not used.

Additionally, a previous bug has been fixed where a new connection attempt could have been started after a previous one failed and after the connection was destroyed by the user.
This led to a failed assertion.

Contributed by Paolo Insogna in #51045.

Permission Model changes

Node.js 20.12.0 comes with several fixes for the experimental permission model and two new semver-minor commits.
We’re adding a new flag –allow-addons to enable addon usage when using the Permission Model.

$ node –experimental-permission –allow-addons

Contributed by Rafael Gonzaga in #51183

And relative paths are now supported through the –allow-fs-* flags.
Therefore, with this release one can use:

$ node –experimental-permission –allow-fs-read=./index.js

To give only read access to the entrypoint of the application.

Contributed by Rafael Gonzaga and Carlos Espa in #50758.

sea: support embedding assets

Users can now include assets by adding a key-path dictionary
to the configuration as the assets field. At build time, Node.js
would read the assets from the specified paths and bundle them into
the preparation blob. In the generated executable, users can retrieve
the assets using the sea.getAsset() and sea.getAssetAsBlob() API.

{
“main”: “/path/to/bundled/script.js”,
“output”: “/path/to/write/the/generated/blob.blob”,
“assets”: {
“a.jpg”: “/path/to/a.jpg”,
“b.txt”: “/path/to/b.txt”
}
}

The single-executable application can access the assets as follows:

const { getAsset } = require(‘node:sea’);
// Returns a copy of the data in an ArrayBuffer
const image = getAsset(‘a.jpg’);
// Returns a string decoded from the asset as UTF8.
const text = getAsset(‘b.txt’, ‘utf8’);
// Returns a Blob containing the asset without copying.
const blob = getAssetAsBlob(‘a.jpg’);

Contributed by Joyee Cheung in #50960.

Support configurable snapshot through –build-snapshot-config flag

We are adding a new flag –build-snapshot-config to configure snapshots through a custom JSON configuration file.

$ node –build-snapshot-config=/path/to/myconfig.json

When using this flag, additional script files provided on the command line will
not be executed and instead be interpreted as regular command line arguments.

These changes were contributed by Joyee Cheung and Anna Henningsen in #50453

Text Styling

util.styleText(format, text): This function returns a formatted text considering the format passed.

A new API has been created to format text based on util.inspect.colors, enabling you to style text in different colors (such as red, blue, …) and emphasis (italic, bold, …).

const { styleText } = require(‘node:util’);
const errorMessage = styleText(‘red’, ‘Error! Error!’);
console.log(errorMessage);

Contributed by Rafael Gonzaga in #51850.

vm: support using the default loader to handle dynamic import()

This patch adds support for using vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER as the
importModuleDynamically option in all vm APIs that take this option except vm.SourceTextModule. This allows users to have a shortcut to support dynamic import() in the compiled code without missing the compilation cache if they don’t need customization of the loading process. We emit an experimental warning when the import() is actually handled by the default loader through this option instead of requiring –experimental-vm-modules.

const { Script, constants } = require(‘node:vm’);
const { resolve } = require(‘node:path’);
const { writeFileSync } = require(‘node:fs’);

// Write test.js and test.txt to the directory where the current script
// being run is located.
writeFileSync(resolve(__dirname, ‘test.mjs’),
‘export const filename = “./test.json”;’);
writeFileSync(resolve(__dirname, ‘test.json’),
‘{“hello”: “world”}’);

// Compile a script that loads test.mjs and then test.json
// as if the script is placed in the same directory.
const script = new Script(
`(async function() {
const { filename } = await import(‘./test.mjs’);
return import(filename, { with: { type: ‘json’ } })
})();`,
{
filename: resolve(__dirname, ‘test-with-default.js’),
importModuleDynamically: constants.USE_MAIN_CONTEXT_DEFAULT_LOADER,
});

// { default: { hello: ‘world’ } }
script.runInThisContext().then(console.log);

Contributed by Joyee Cheung in #51244.

Root certificates updated to NSS 3.98

Certificates added:

Telekom Security TLS ECC Root 2020
Telekom Security TLS RSA Root 2023

Certificates removed:

Security Communication Root CA

Updated dependencies

acorn updated to 8.11.3.
ada updated to 2.7.6.
base64 updated to 0.5.2.
brotli updated to 1.1.0.
c-ares updated to 1.27.0.
corepack updated to 0.25.2.
ICU updated to 74.2. Includes CLDR 44.1 and Unicode 15.1.
nghttp2 updated to 1.60.0.
npm updated to 10.5.0. Fixes a regression in signals not being passed onto child processes.
simdutf8 updated to 4.0.8.
Timezone updated to 2024a.
zlib updated to 1.3.0.1-motley-40e35a7.

Include Provides: nodejs20-* for non-versioned packages.

Read More

nodejs20-20.12.2-1.fc39

Read Time:53 Second

FEDORA-2024-e28ccc9c17

Packages in this update:

nodejs20-20.12.2-1.fc39

Update description:

2024-04-03, Version 20.12.1 ‘Iron’ (LTS), @RafaelGSS

This is a security release

Notable Changes

CVE-2024-27983 – Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
CVE-2024-27982 – HTTP Request Smuggling via Content Length Obfuscation – (Medium)
llhttp version 9.2.1
undici version 5.28.4

Commits

[bd8f10a257] – deps: update undici to v5.28.4 (Matteo Collina) nodejs-private/node-private#576
[5e34540a96] – http: do not allow OBS fold in headers by default (Paolo Insogna) nodejs-private/node-private#557
[ba1ae6d188] – src: ensure to close stream when destroying session (Anna Henningsen) nodejs-private/node-private#561

2024-04-03, Version 20.12.1 ‘Iron’ (LTS), @RafaelGSS

This is a security release

Notable Changes

CVE-2024-27983 – Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
CVE-2024-27982 – HTTP Request Smuggling via Content Length Obfuscation – (Medium)
llhttp version 9.2.1
undici version 5.28.4

Read More

USN-6728-2: Squid regression

Read Time:1 Minute, 6 Second

USN-6728-1 fixed vulnerabilities in Squid. The fix for CVE-2023-5824 caused
Squid to crash in certain environments on Ubuntu 20.04 LTS. The problematic
fix has been reverted pending further investigation.

We apologize for the inconvenience.

Original advisory details:

Joshua Rogers discovered that Squid incorrectly handled collapsed
forwarding. A remote attacker could possibly use this issue to cause Squid
to crash, resulting in a denial of service. This issue only affected Ubuntu
20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-49288)

Joshua Rogers discovered that Squid incorrectly handled certain structural
elements. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service. (CVE-2023-5824)

Joshua Rogers discovered that Squid incorrectly handled Cache Manager error
responses. A remote trusted client can possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2024-23638)

Joshua Rogers discovered that Squid incorrectly handled the HTTP Chunked
decoder. A remote attacker could possibly use this issue to cause Squid to
stop responding, resulting in a denial of service. (CVE-2024-25111)

Joshua Rogers discovered that Squid incorrectly handled HTTP header
parsing. A remote trusted client can possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2024-25617)

Read More

[KIS-2024-03] Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability

Read Time:12 Second

Posted by Egidio Romano on Apr 10

——————————————————————————
Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability
——————————————————————————

[-] Software Link:

https://invisioncommunity.com

[-] Affected Versions:

Version 4.7.16 and prior versions.

[-] Vulnerability Description:

The vulnerability is located in the…

Read More

[KIS-2024-02] Invision Community <= 4.7.15 (store.php) SQL Injection Vulnerability

Read Time:15 Second

Posted by Egidio Romano on Apr 10

——————————————————————–
Invision Community <= 4.7.15 (store.php) SQL Injection Vulnerability
——————————————————————–

[-] Software Link:

https://invisioncommunity.com

[-] Affected Versions:

All versions from 4.4.0 to 4.7.15.

[-] Vulnerability Description:

The vulnerability is located in the
/applications/nexus/modules/front/store/store.php script….

Read More

Multiple Issues in concretecmsv9.2.7

Read Time:24 Second

Posted by Andrey Stoykov on Apr 10

# Exploit Title: Multiple Web Flaws in concretecmsv9.2.7
# Date: 4/2024
# Exploit Author: Andrey Stoykov
# Version: 9.2.7
# Tested on: Ubuntu 22.04
# Blog: http://msecureltd.blogspot.com

Verbose Error Message – Stack Trace:

1. Directly browse to edit profile page
2. Error should come up with verbose stack trace

Verbose Error Message – SQL Error:

1. Page Settings > Design > Save Changes
2. Intercept HTTP POST request and place single…

Read More

OXAS-ADV-2024-0001: OX App Suite Security Advisory

Read Time:23 Second

Posted by Martin Heiland via Fulldisclosure on Apr 10

Dear subscribers,

We’re sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at
https://documentation.open-xchange.com/appsuite/security/advisories/html/2024/oxas-adv-2024-0001.html.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH…

Read More

Trojan.Win32.Razy.abc / Insecure Permissions (In memory IPC)

Read Time:17 Second

Posted by malvuln on Apr 10

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/0eb4a9089d3f7cf431d6547db3b9484d.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Trojan.Win32.Razy.abc
Vulnerability: Insecure Permissions (In memory IPC)
Family: Razy
Type: PE32
MD5: 0eb4a9089d3f7cf431d6547db3b9484d
SHA256: 3d82fee314e7febb8307ccf8a7396b6dd53c7d979a74aa56f3c4a6d0702fd098
Vuln ID: MVID-2024-0678…

Read More

CVE-2023-27195: Broken Access Control – Registration Code in TM4Web v22.2.0

Read Time:24 Second

Posted by Clément Cruchet on Apr 10

CVE ID: CVE-2023-27195

Description:
An access control issue in Trimble TM4Web v22.2.0 allows
unauthenticated attackers to access a specific crafted URL path to
retrieve the last registration access code and use this access code to
register a valid account. If the access code was used to create an
Administrator account, attackers are also able to register new
Administrator accounts with full rights and privileges.

Vulnerability Type: Broken…

Read More

python-django3-3.2.25-1.el9

Read Time:14 Second

FEDORA-EPEL-2024-76d6941f10

Packages in this update:

python-django3-3.2.25-1.el9

Update description:

Security fixes for

CVE-2024-27351 Potential regular expression DOS in django.utils.text.Truncator.words()
CVE-2023-41164 Potential DOS vulnerability in django.utils.encoding.uri_to_iri()

Read More