Debian Long Term Support / LTS Security Information / 2023 / Security Information -- DLA-3344-1 nodejs

Debian Security Advisory

DLA-3344-1 nodejs -- LTS security update

Date Reported:

26 Feb 2023

Affected Packages:

nodejs

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 1023518, Bug 1031834.
In Mitre's CVE dictionary: CVE-2022-43548, CVE-2023-23920.

More information:

Vulnerabilities have been found in Node.js, which could result in DNS rebinding or arbitrary code execution.

• CVE-2022-43548

  The Node.js rebinding protector for --inspect still allows invalid IP addresses, specifically in octal format, which browsers such as Firefox attempt to resolve via DNS. When combined with an active --inspect session, such as when using VSCode, an attacker can perform DNS rebinding and execute arbitrary code.

• CVE-2023-23920

  Ben Noordhuis reported that Node.js would search and potentially load ICU data when running with elevated privileges. Node.js now builds with ICU_NO_USER_DATA_OVERRIDE to avoid this.

For Debian 10 buster, these problems have been fixed in version 10.24.0~dfsg-1~deb10u3.

We recommend that you upgrade your nodejs packages.

For the detailed security status of nodejs please refer to its security tracker page at: https://security-tracker.debian.org/tracker/nodejs

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS