Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes. Reference: https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
Created libuv tracking bugs for this issue: Affects: epel-7 [bug 1979345] Affects: fedora-all [bug 1979339] Affects: openstack-rdo [bug 1979346] Created nodejs:10/libuv tracking bugs for this issue: Affects: fedora-all [bug 1979340] Created nodejs:12/libuv tracking bugs for this issue: Affects: fedora-all [bug 1979341] Created nodejs:14/libuv tracking bugs for this issue: Affects: fedora-all [bug 1979342] Created nodejs:15/libuv tracking bugs for this issue: Affects: fedora-all [bug 1979343] Created nodejs:16/libuv tracking bugs for this issue: Affects: fedora-all [bug 1979344]
Upstream patch: https://github.com/libuv/libuv/commit/b7466e31e4bee160d82a68fca11b1f61d46debae
Created nodejs tracking bugs for this issue: Affects: epel-7 [bug 1979598] Affects: fedora-all [bug 1979591] Created nodejs:10/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1979592] Created nodejs:12/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1979593] Created nodejs:13/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1979599] Created nodejs:14/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1979595] Created nodejs:15/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1979596] Created nodejs:16/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1979597]
Hacker one reference (public) : https://hackerone.com/reports/1209681
Upstream fix commit in nodejs 16 : https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829
Upstream fix commit in libuv : https://github.com/libuv/libuv/commit/b7466e31e4bee160d82a68fca11b1f61d46debae
Created libuv tracking bugs for this issue: Affects: epel-7 [bug 1979925] Affects: fedora-all [bug 1979924]
libuv versions >= 1.24.0 are vulnerable (the first vulnerable commit appears to be https://github.com/libuv/libuv/commit/6dd44caa)
Created libuv tracking bugs for this issue: Affects: openstack-rdo [bug 1980076]
Note : As distributed by Red Hat, a maximum of 3 bytes out of bound can be read. This would not be sufficient to crash nodejs or other applications using libuv, unless it was recompiled using an address sanitizer. The memory disclosure is also very limited.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:2931 https://access.redhat.com/errata/RHSA-2021:2931
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:2932 https://access.redhat.com/errata/RHSA-2021:2932
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22918
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3073 https://access.redhat.com/errata/RHSA-2021:3073
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3074 https://access.redhat.com/errata/RHSA-2021:3074
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3075 https://access.redhat.com/errata/RHSA-2021:3075
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638