Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly. Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. Reference: https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2040845]
Affects: fedora-all [bug 2040841]

Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2040842]

Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2040843]

Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2040844]
Upstream fix: https://github.com/nodejs/node/commit/50439b446f1e6bfc91f03d4b070edb5357b16b8b
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:4914 https://access.redhat.com/errata/RHSA-2022:4914
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-44531
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:7044 https://access.redhat.com/errata/RHSA-2022:7044

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7830 https://access.redhat.com/errata/RHSA-2022:7830

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:9073 https://access.redhat.com/errata/RHSA-2022:9073

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742