OESA-2021-1114

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1114

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2021-1114.json

JSON Data

https://api.test.osv.dev/v1/vulns/OESA-2021-1114

Upstream

CVE-2021-22883

CVE-2021-22884

Published

2021-04-07T11:02:45Z

Modified

2025-08-12T05:07:20.697423Z

Summary

nodejs security update

Details

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.

Security Fix(es):

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.(CVE-2021-22883)

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.(CVE-2021-22884)

Database specific

{
    "severity": "High"
}

References

Affected packages

openEuler:20.03-LTS / nodejs

Package

Name: nodejs
Purl: pkg:rpm/openEuler/nodejs&distro=openEuler-20.03-LTS

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.21.0-7.oe1

Ecosystem specific

{
    "x86_64": [
        "v8-devel-6.8.275.32-1.10.21.0.6.oe1.x86_64.rpm",
        "nodejs-full-i18n-10.21.0-6.oe1.x86_64.rpm",
        "nodejs-10.21.0-6.oe1.x86_64.rpm",
        "nodejs-debugsource-10.21.0-6.oe1.x86_64.rpm",
        "nodejs-libs-10.21.0-6.oe1.x86_64.rpm",
        "nodejs-devel-10.21.0-6.oe1.x86_64.rpm",
        "nodejs-debuginfo-10.21.0-6.oe1.x86_64.rpm",
        "npm-6.14.4-1.10.21.0.6.oe1.x86_64.rpm",
        "nodejs-libs-10.21.0-7.oe1.x86_64.rpm",
        "nodejs-debugsource-10.21.0-7.oe1.x86_64.rpm",
        "nodejs-debuginfo-10.21.0-7.oe1.x86_64.rpm",
        "nodejs-full-i18n-10.21.0-7.oe1.x86_64.rpm",
        "nodejs-devel-10.21.0-7.oe1.x86_64.rpm",
        "v8-devel-6.8.275.32-1.10.21.0.7.oe1.x86_64.rpm",
        "npm-6.14.4-1.10.21.0.7.oe1.x86_64.rpm",
        "nodejs-10.21.0-7.oe1.x86_64.rpm"
    ],
    "aarch64": [
        "npm-6.14.4-1.10.21.0.6.oe1.aarch64.rpm",
        "nodejs-libs-10.21.0-6.oe1.aarch64.rpm",
        "nodejs-debugsource-10.21.0-6.oe1.aarch64.rpm",
        "nodejs-full-i18n-10.21.0-6.oe1.aarch64.rpm",
        "nodejs-10.21.0-6.oe1.aarch64.rpm",
        "nodejs-debuginfo-10.21.0-6.oe1.aarch64.rpm",
        "nodejs-devel-10.21.0-6.oe1.aarch64.rpm",
        "v8-devel-6.8.275.32-1.10.21.0.6.oe1.aarch64.rpm",
        "npm-6.14.4-1.10.21.0.7.oe1.aarch64.rpm",
        "nodejs-debuginfo-10.21.0-7.oe1.aarch64.rpm",
        "v8-devel-6.8.275.32-1.10.21.0.7.oe1.aarch64.rpm",
        "nodejs-full-i18n-10.21.0-7.oe1.aarch64.rpm",
        "nodejs-devel-10.21.0-7.oe1.aarch64.rpm",
        "nodejs-10.21.0-7.oe1.aarch64.rpm",
        "nodejs-debugsource-10.21.0-7.oe1.aarch64.rpm",
        "nodejs-libs-10.21.0-7.oe1.aarch64.rpm"
    ],
    "noarch": [
        "nodejs-docs-10.21.0-6.oe1.noarch.rpm",
        "nodejs-docs-10.21.0-7.oe1.noarch.rpm"
    ],
    "src": [
        "nodejs-10.21.0-6.oe1.src.rpm",
        "nodejs-10.21.0-7.oe1.src.rpm"
    ]
}

openEuler:20.03-LTS-SP1 / nodejs

Package

Name: nodejs
Purl: pkg:rpm/openEuler/nodejs&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.21.0-7.oe1

Ecosystem specific

{
    "x86_64": [
        "nodejs-libs-10.21.0-7.oe1.x86_64.rpm",
        "nodejs-debugsource-10.21.0-7.oe1.x86_64.rpm",
        "nodejs-debuginfo-10.21.0-7.oe1.x86_64.rpm",
        "nodejs-full-i18n-10.21.0-7.oe1.x86_64.rpm",
        "nodejs-devel-10.21.0-7.oe1.x86_64.rpm",
        "v8-devel-6.8.275.32-1.10.21.0.7.oe1.x86_64.rpm",
        "npm-6.14.4-1.10.21.0.7.oe1.x86_64.rpm",
        "nodejs-10.21.0-7.oe1.x86_64.rpm"
    ],
    "aarch64": [
        "npm-6.14.4-1.10.21.0.7.oe1.aarch64.rpm",
        "nodejs-debuginfo-10.21.0-7.oe1.aarch64.rpm",
        "v8-devel-6.8.275.32-1.10.21.0.7.oe1.aarch64.rpm",
        "nodejs-full-i18n-10.21.0-7.oe1.aarch64.rpm",
        "nodejs-devel-10.21.0-7.oe1.aarch64.rpm",
        "nodejs-10.21.0-7.oe1.aarch64.rpm",
        "nodejs-debugsource-10.21.0-7.oe1.aarch64.rpm",
        "nodejs-libs-10.21.0-7.oe1.aarch64.rpm"
    ],
    "noarch": [
        "nodejs-docs-10.21.0-7.oe1.noarch.rpm"
    ],
    "src": [
        "nodejs-10.21.0-7.oe1.src.rpm"
    ]
}