Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly. Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. Reference: https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
Created nodejs tracking bugs for this issue:
Affects: epel-7 [bug 2040845]
Affects: fedora-all [bug 2040841]

Created nodejs:12/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2040842]

Created nodejs:14/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2040843]

Created nodejs:16/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2040844]
Upstream fix: https://github.com/nodejs/node/commit/50439b446f1e6bfc91f03d4b070edb5357b16b8b
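The difference between ignoring and accepting URI SANs during hostname checks, as an added example that is not Node.js source code and not part of the original report. The helper names (`parseSans`, `dnsMatches`, `hostnameAllowed`, `acceptUri`) and the sample certificate string are hypothetical and constructed, and the parser assumes the simple comma-separated `TYPE:value` form without quoted entries.

```javascript
// Added example: simplified model of hostname verification, not Node.js code.
// Assumes an unquoted "TYPE:value, TYPE:value" subjectAltName string.
function parseSans(subjectaltname) {
  return subjectaltname.split(', ').filter(Boolean).map((entry) => {
    const i = entry.indexOf(':');
    return { type: entry.slice(0, i), value: entry.slice(i + 1) };
  });
}

// Match one DNS pattern; '*' is honoured only as the entire left-most label.
function dnsMatches(pattern, host) {
  const p = pattern.toLowerCase().split('.');
  const h = host.toLowerCase().split('.');
  if (p.length !== h.length) return false;
  return p.every((label, idx) =>
    label === h[idx] || (idx === 0 && label === '*' && p.length > 2));
}

// acceptUri=false models the fixed behaviour described above (URI SANs are
// ignored); acceptUri=true models a verifier that trusts the host of a URI SAN.
function hostnameAllowed(host, subjectaltname, acceptUri = false) {
  for (const { type, value } of parseSans(subjectaltname)) {
    if (type === 'DNS' && dnsMatches(value, host)) return true;
    if (type === 'URI' && acceptUri) {
      let uriHost;
      try { uriHost = new URL(value).hostname; } catch { continue; }
      if (dnsMatches(uriHost, host)) return true;
    }
  }
  return false;
}

// Constructed sample: a leaf from an intermediate constrained to DNS names
// under corp.example. A dNSName constraint says nothing about URI SANs, so
// the URI entry below is not limited by it.
const leafSan = 'DNS:app.corp.example, URI:https://bank.example/';

function demo() {
  return {
    fixed: hostnameAllowed('bank.example', leafSan),         // URI ignored
    legacy: hostnameAllowed('bank.example', leafSan, true),  // URI trusted
    legit: hostnameAllowed('app.corp.example', leafSan),     // DNS SAN match
  };
}
console.log(demo());
```

The `fixed` and `legacy` results differ only because of the URI entry, which is why a verifier should match hostnames against DNS (and IP) SANs only unless the PKI explicitly defines URI SANs.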