[Buildroot] [PATCH] package/nodejs: security bump to version v12.21.0
Peter Korsgaard
peter at korsgaard.com
Fri Mar 5 10:57:27 UTC 2021
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
>> Fixes the following security issues:
>> CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
>> Affected Node.js versions are vulnerable to denial of service attacks when
>> too many connection attempts with an 'unknownProtocol' are established.
>> This leads to a leak of file descriptors. If a file descriptor limit is
>> configured on the system, then the server is unable to accept new
>> connections and also prevents the process from opening, e.g., a file. If no
>> file descriptor limit is configured, then this leads to excessive memory
>> usage and causes the system to run out of memory.
>> CVE-2021-22884: DNS rebinding in --inspect
>> Affected Node.js versions are vulnerable to denial of service attacks when
>> the whitelist includes “localhost6”. When “localhost6” is not present in
>> /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e.,
>> over network. If the attacker controls the victim's DNS server or can spoof
>> its responses, the DNS rebinding protection can be bypassed by using the
>> “localhost6” domain. As long as the attacker uses the “localhost6” domain,
>> they can still apply the attack described in CVE-2018-7160.
>> For more details, see the advisory:
>> https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
>> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2020.02.x and 2020.11.x, thanks.
--
Bye, Peter Korsgaard