Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header. Upstream advisory: https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/
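The parsing disagreement described above, as an added example that is not part of the bug report and is not Node.js or llhttp code: it compares a strict RFC 7230 reading of a header name with a model of the carriage-return-to-hyphen conversion, and locates bare CR bytes in a raw request head. The function names, the `X-Trace` header and the sample request are constructed for illustration, and `lenientName` only models the effect the advisory describes.

```javascript
'use strict';

// RFC 7230 section 3.2.6: a header field name is a "token" (tchar only).
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Assumption: models the effect the advisory describes (CR in a header
// becomes '-' before the name is interpreted). Not the real parser logic.
function lenientName(name) {
  return name.replace(/\r/g, '-');
}

// Strict reading: a name that is not a token is rejected (null).
function strictName(name) {
  return TOKEN.test(name) ? name : null;
}

// Offsets of every CR in a raw request head that is not followed by LF.
// A CR as the very last byte is also reported (truncated line ending).
function findBareCR(rawHead) {
  const offsets = [];
  for (let i = 0; i < rawHead.length; i++) {
    if (rawHead[i] === 0x0d && rawHead[i + 1] !== 0x0a) offsets.push(i);
  }
  return offsets;
}

// Split the head on CRLF only, skip the request line, and report how a
// strict component and a lenient component would each read every name.
function compareReadings(rawHead) {
  const lines = rawHead.toString('latin1').split('\r\n').slice(1);
  return lines.filter((l) => l.includes(':')).map((l) => {
    const name = l.slice(0, l.indexOf(':'));
    return { raw: name, strict: strictName(name), lenient: lenientName(name) };
  });
}

// Constructed sample: the second header name contains a bare CR.
const SAMPLE = Buffer.from(
  'GET / HTTP/1.1\r\nHost: example.test\r\nX-Trace\rId: abc\r\n\r\n',
  'latin1');

console.log('bare CR offsets:', findBareCR(SAMPLE));
console.log(compareReadings(SAMPLE));
```

A front end that applies the strict reading and rejects any request where `findBareCR` returns a non-empty list never forwards a header that a lenient back end would interpret under a different name.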
Created nodejs tracking bugs for this issue:
  Affects: epel-all [bug 1879340]
  Affects: fedora-all [bug 1879341]
Created nodejs:11/nodejs tracking bugs for this issue:
  Affects: fedora-all [bug 1879343]
Created nodejs:12/nodejs tracking bugs for this issue:
  Affects: fedora-all [bug 1879344]
Created nodejs:13/nodejs tracking bugs for this issue:
  Affects: fedora-all [bug 1879345]
Created nodejs:14/nodejs tracking bugs for this issue:
  Affects: fedora-all [bug 1879346]
Statement: NodeJS is included in Red Hat Quay as a dependency of Yarn which is only used while building Red Hat Quay, and not during runtime.
Upstream fix: https://github.com/nodejs/llhttp/commit/9d9da1d0f18599ceddd8f484df5a5ad694d23361
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2020:4272 https://access.redhat.com/errata/RHSA-2020:4272
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8201
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.1 Extended Update Support
Via RHSA-2020:4903 https://access.redhat.com/errata/RHSA-2020:4903
This issue has been addressed in the following products:
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2020:5086 https://access.redhat.com/errata/RHSA-2020:5086