Все бюллетени/sisyphus_riscv64/ALT-PU-2024-6089-1
ALT-PU-2024-6089-1

Обновление пакета node в ветке sisyphus_riscv64

Версия20.12.1-alt1
Задание#0
Опубликовано2024-04-07
Макс. серьёзностьHIGH
Серьёзность:

Закрытые проблемы (2)

CVE-2024-27982
MEDIUM6.5

The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.

Опубликовано: 2024-05-07Изменено: 2026-04-15
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Ссылки
CVE-2024-27983
HIGH8.2

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

Опубликовано: 2024-04-09Изменено: 2026-04-15
CVSS 3.xВЫСОКАЯ 8.2
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Ссылки