[SECURITY] [DLA 3776-1] nodejs security update

Debian LTS Advisory DLA-3776-1 [email protected]
https://www.debian.org/lts/security/ Guilhem Moulin
March 26, 2024 https://wiki.debian.org/LTS

Package : nodejs
Version : 10.24.0~dfsg-1~deb10u4
CVE ID : CVE-2023-30590 CVE-2023-46809 CVE-2024-22025
Debian Bug : 1039990 1064055

Vulnerabilities have been found in Node.js, which could lead to denial
of service or information disclosure.

CVE-2023-30590

Ben Smyth reported an inconsistency between implementation and
documented design of the The generateKeys() API function, which
only generates missing (or outdated) keys, that is, it only
generates a private key if none has been set yet.
The documented behavior has been updated to reflect the current
implementation.

CVE-2023-46809

It was discovered that Node.js was vulnerable to the Marvin Attack,
allowing a covert timing side-channel during PKCS#1 v1.5 padding
error handling.  An attacker could remotely exploit the
vulnerability to decrypt captured RSA ciphertexts or forge
signatures, especially in scenarios involving API endpoints
processing Json Web Encryption messages.
The fix disables RSA_PKCS1_PADDING for crypto.privateDecrypt(), and
includes a security revert flag that can be used to restore support
(and the vulnerability).

CVE-2024-22025

It was discovered that Node.js was vulnerable to Denial of Service
by resource exhaustion in fetch() brotli decoding.

For Debian 10 buster, these problems have been fixed in version
10.24.0~dfsg-1~deb10u4.

We recommend that you upgrade your nodejs packages.

For the detailed security status of nodejs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nodejs

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS