Synopsis
Moderate: rh-nodejs4-nodejs-tough-cookie security update
Type/Severity
Security Advisory: Moderate
Topic
An update for rh-nodejs4-nodejs-tough-cookie is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Tough-Cookie is a Node.js module that offers RFC6265 Cookies and Cookie Jar.
The following packages have been upgraded to a later upstream version: rh-nodejs4-nodejs-tough-cookie (2.3.3). (BZ#1497695)
Security Fix(es):
- Regular expression denial of service flaws were found in Tough-Cookie. An attacker able to make an application using Touch-Cookie to parse a sufficiently large HTTP request Cookie header could cause the application to consume an excessive amount of CPU. (CVE-2016-1000232, CVE-2017-15010)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
Affected Products
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.6 x86_64
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5 x86_64
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4 x86_64
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3 x86_64
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7 x86_64
-
Red Hat Software Collections (for RHEL Server) 1 for RHEL 6 x86_64
-
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
-
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6 x86_64
Fixes
- BZ - 1359818 - CVE-2016-1000232 nodejs-tough-cookie: regular expression DoS via Cookie header with many semicolons
- BZ - 1493989 - CVE-2017-15010 nodejs-tough-cookie: Regular expression denial of service
CVEs
References