CVE-2022-32215 The llhttp parser in the http module does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). More details will be available at CVE-2022-32215 after publication. Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability. Impacts: All versions of the 18.x, 16.x, and 14.x release lines. llhttp v6.0.7 and llhttp v2.1.5 contain the fixes that were updated inside Node.js: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
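The issue above is a parser disagreement over header folding (obs-fold), where a Transfer-Encoding value continued on a following line is seen by one hop and not by another. As an added illustration that is not part of this bug report and not llhttp's code, the following is a defensive pre-check a gateway could run before forwarding a request: it rejects any folded header line and any conflicting framing headers, following RFC 7230 §3.2.4 and §3.3.3. The sample requests are constructed, not captured traffic.

```python
import re

# Added example (not from this bug report or llhttp): a conservative
# header pre-check that refuses request shapes parsers are known to
# disagree on, instead of trying to interpret them.
# RFC 7230 3.2.4: a server MUST reject a request containing obs-fold
# (a field continued on the next line by a leading SP or HTAB).
# RFC 7230 3.3.3: Transfer-Encoding together with Content-Length is an
# error that intermediaries should not forward.

TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 token chars

def check_request_headers(raw: bytes) -> dict:
    """Parse the header block of one HTTP/1.1 request and return
    {"ok": bool, "reason": str, "headers": {lowercase-name: value}}.
    Folded lines, duplicate framing headers, and TE+CL conflicts are rejected."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return {"ok": False, "reason": "incomplete header block", "headers": {}}
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the request line
        if line[:1] in (b" ", b"\t"):
            # obs-fold continuation: one hop may attach it to the previous
            # field, another may not, so refuse to forward it at all.
            return {"ok": False, "reason": "obs-fold header continuation", "headers": headers}
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name.decode("latin-1")):
            return {"ok": False, "reason": "malformed header line", "headers": headers}
        key = name.decode("latin-1").lower()
        val = value.strip(b" \t").decode("latin-1")
        if key in ("transfer-encoding", "content-length") and key in headers:
            return {"ok": False, "reason": f"duplicate {key}", "headers": headers}
        headers[key] = val
    if "transfer-encoding" in headers and "content-length" in headers:
        return {"ok": False, "reason": "both Transfer-Encoding and Content-Length", "headers": headers}
    return {"ok": True, "reason": "", "headers": headers}

# Constructed sample requests (not captured traffic).
FOLDED = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
          b"Transfer-Encoding: \r\n chunked\r\n\r\n0\r\n\r\n")
CLEAN = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for req in (FOLDED, CLEAN):
        print(check_request_headers(req))
```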
Created nodejs tracking bugs for this issue:
Affects: epel-all [bug 2108509]
Affects: fedora-all [bug 2108512]
Created nodejs:12/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2108513]
Created nodejs:13/nodejs tracking bugs for this issue:
Affects: epel-all [bug 2108510]
Created nodejs:14/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2108514]
Created nodejs:15/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2108515]
Created nodejs:16-epel/nodejs tracking bugs for this issue:
Affects: epel-all [bug 2108511]
Created nodejs:16/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2108516]
Created nodejs:18/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2108517]
Respective commits:
v14: https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd
v16: https://github.com/nodejs/node/commit/1da22eb48254f8c2d5f3c5865bb9f46e8b09ec60
v18: https://github.com/nodejs/node/commit/f2407748e3be07642d318ceb17366f62f41ddc33
This CVE was fixed by updating the bundled dependency to a newer version.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:6389 https://access.redhat.com/errata/RHSA-2022:6389
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:6448 https://access.redhat.com/errata/RHSA-2022:6448
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:6449 https://access.redhat.com/errata/RHSA-2022:6449
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:6985 https://access.redhat.com/errata/RHSA-2022:6985
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-32215