AlmaLinux 2324 Published by

The following updates have been released for AlmaLinux:

ALSA-2024:1902 Important: shim security update
ALSA-2024:1903 Important: shim bug fix update
ALSA-2024:2779 Important: nodejs:18 security update




ALSA-2024:1902 Important: shim security update

ID:
ALSA-2024:1902

Title:
ALSA-2024:1902 Important: shim security update

Type:
security

Severity:
important

Release date:
2024-05-10

Description
The shim package contains a first-stage UEFI boot loader that handles chaining
to a trusted full boot loader under secure boot environments.
Security Fix(es):
* shim: RCE in http boot support may lead to Secure Boot bypass (CVE-2023-40547)
* shim: Interger overflow leads to heap buffer overflow in verify_sbat_section
on 32-bits systems (CVE-2023-40548)
* shim: Out-of-bounds read printing error messages (CVE-2023-40546)
* shim: Out-of-bounds read in verify_buffer_authenticode() malformed PE file
(CVE-2023-40549)
* shim: Out-of-bound read in verify_buffer_sbat() (CVE-2023-40550)
* shim: out of bounds read when parsing MZ binaries (CVE-2023-40551)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References:
CVE-2023-40546
CVE-2023-40547
CVE-2023-40548
CVE-2023-40549
CVE-2023-40550
CVE-2023-40551
RHSA-2024:1902
ALSA-2024:1902

Updated packages listed below:
Architecture
Package
Checksum
aarch64
shim-aa64-15.8-4.el8_9.alma.1.aarch64.rpm
99a983eeec0afc0dd5d88f798da359cf30643dcd4782fe659dbc82b50cda5106
x86_64
shim-ia32-15.8-4.el8_9.alma.1.x86_64.rpm
112fcb50a67218cc56c32d07c169a3f2b1c9361875cbe4f55232187e91900b44
x86_64
shim-x64-15.8-4.el8_9.alma.1.x86_64.rpm
7f274577375b61be494a295b6c31c280bca6c95c2f7b8be7dd4f5e0f938241f6

Notes:
This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.

  ALSA-2024:1902 Important: shim security update


ALSA-2024:1903 Important: shim bug fix update

ID:
ALSA-2024:1903

Title:
ALSA-2024:1903 Important: shim bug fix update

Type:
security

Severity:
important

Release date:
2024-05-10

Description
The shim package contains a first-stage UEFI boot loader that handles chaining
to a trusted full boot loader under secure boot environments.
Security Fix(es):
* shim: RCE in http boot support may lead to Secure Boot bypass (CVE-2023-40547)
* shim: Interger overflow leads to heap buffer overflow in verify_sbat_section
on 32-bits systems (CVE-2023-40548)
* shim: Out-of-bounds read printing error messages (CVE-2023-40546)
* shim: Out-of-bounds read in verify_buffer_authenticode() malformed PE file
(CVE-2023-40549)
* shim: Out-of-bound read in verify_buffer_sbat() (CVE-2023-40550)
* shim: out of bounds read when parsing MZ binaries (CVE-2023-40551)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References:
CVE-2023-40546
CVE-2023-40547
CVE-2023-40548
CVE-2023-40549
CVE-2023-40550
CVE-2023-40551
RHSA-2024:1903
ALSA-2024:1903

Updated packages listed below:
Architecture
Package
Checksum
aarch64
shim-aa64-15.8-4.el9_3.alma.1.aarch64.rpm
4a7bca322558df7438c021d5dc35c1994c240fe6fdead45b72326886c7e5e29b
x86_64
shim-x64-15.8-4.el9_3.alma.1.x86_64.rpm
190274ec5c3d10347c176cf70168fda177502feb1cf74aa61e1759596c481460

Notes:
This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.

  ALSA-2024:1903 Important: shim bug fix update


ALSA-2024:2779 Important: nodejs:18 security update

ID:
ALSA-2024:2779

Title:
ALSA-2024:2779 Important: nodejs:18 security update

Type:
security

Severity:
important

Release date:
2024-05-10

Description
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Security Fix(es):
* nodejs: CONTINUATION frames DoS (CVE-2024-27983)
* nodejs: using the fetch() function to retrieve content from an untrusted URL leads to denial of service (CVE-2024-22025)
* nodejs: HTTP Request Smuggling via Content Length Obfuscation (CVE-2024-27982)
* nghttp2: CONTINUATION frames DoS (CVE-2024-28182)
* c-ares: Out of bounds read in ares__read_line() (CVE-2024-25629)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References:
CVE-2024-22025
CVE-2024-25629
CVE-2024-27982
CVE-2024-27983
CVE-2024-28182
RHSA-2024:2779
ALSA-2024:2779

Updated packages listed below:
Architecture
Package
Checksum
aarch64
nodejs-full-i18n-18.20.2-2.module_el9.4.0+99+a01f7676.aarch64.rpm
b5aa6680f80a619769ffb71b287e7a7fe312e0d99457fa2f2ea361f78a04d7bd
aarch64
nodejs-devel-18.20.2-2.module_el9.4.0+99+a01f7676.aarch64.rpm
bfa9db5edf1de13c2786d690ae3ce7c7bc4b64b938f209ccd46eacdf1565f076
aarch64
nodejs-18.20.2-2.module_el9.4.0+99+a01f7676.aarch64.rpm
e054005eb786971341e9569e5e955bd20ebb05cd255971c55792b6559e9f74a8
aarch64
npm-10.5.0-1.18.20.2.2.module_el9.4.0+99+a01f7676.aarch64.rpm
f84133c5740d92b8f5c3149f1df371a3dc60c357d4d1fce58b3fb4613dd1347b
noarch
nodejs-docs-18.20.2-2.module_el9.4.0+99+a01f7676.noarch.rpm
5046029717db3f41b95ac1e0a4d7e166800f21dcaeb1f00767c2fdb2498e7df7
noarch
nodejs-nodemon-3.0.1-1.module_el9.2.0+36+853e48f5.noarch.rpm
6e3f86ef560d05b76cc9e5f81bdbcf1617374c3c12815325d267d44057a954e8
noarch
nodejs-packaging-2021.06-4.module_el9.1.0+13+d9a595ea.noarch.rpm
7c19c5f85137e7d0b3132a379dc2d5364bd19e6da1ecee409666857bcc1a68d8
noarch
nodejs-packaging-bundler-2021.06-4.module_el9.1.0+13+d9a595ea.noarch.rpm
8c650e8cd661aec62ef26c2867e44b6902ba928bcd228650ecf14be525515ad0
ppc64le
npm-10.5.0-1.18.20.2.2.module_el9.4.0+99+a01f7676.ppc64le.rpm
109d4199141c2527c709c4b98ce872c512cf5696e78587c19d15361d51863333
ppc64le
nodejs-devel-18.20.2-2.module_el9.4.0+99+a01f7676.ppc64le.rpm
5182ed8bd0adf93aa7e8b6d955d31606d04a1eaef476ecac0bd1aa1821885bc8
ppc64le
nodejs-full-i18n-18.20.2-2.module_el9.4.0+99+a01f7676.ppc64le.rpm
6f833b8ef8852584f9fa6b06cbc887d9ff595485c8af4668775e7a7732427134
ppc64le
nodejs-18.20.2-2.module_el9.4.0+99+a01f7676.ppc64le.rpm
d40c7b85a4bfd7d4d37cc73a998583e0a5f020ae21b288a6d5b6d2408c84e54a
s390x
npm-10.5.0-1.18.20.2.2.module_el9.4.0+99+a01f7676.s390x.rpm
131cd8beac23c513c7d525b077795b16f068d830c2e57bff7eff19ddccb1298c
s390x
nodejs-devel-18.20.2-2.module_el9.4.0+99+a01f7676.s390x.rpm
3f26d8194c092068bd17c1efb605b2d1c84b18aa96c71124556f567babb55004
s390x
nodejs-18.20.2-2.module_el9.4.0+99+a01f7676.s390x.rpm
7d8175707b2c2f36e3e44f38d6ea23ceb05687aebf7e98630c209ee9ed2ac781
s390x
nodejs-full-i18n-18.20.2-2.module_el9.4.0+99+a01f7676.s390x.rpm
fe5591f91e88dca0ee96ec7df5c50878619df0b03989d6a2e86c590b71e20d4c
x86_64
nodejs-devel-18.20.2-2.module_el9.4.0+99+a01f7676.x86_64.rpm
3bdcc40b0d169f60e579adbd75fd37f01a9fa1f31f529475393e30d426621240
x86_64
nodejs-full-i18n-18.20.2-2.module_el9.4.0+99+a01f7676.x86_64.rpm
56173548dce369afbc5448b4d3b35d9070f9e60533af84fd4626330fcf72150f
x86_64
npm-10.5.0-1.18.20.2.2.module_el9.4.0+99+a01f7676.x86_64.rpm
93dd320eb71046bcfbf90bafd5cad9ca608272228df929d39eb637cf5a36ef19
x86_64
nodejs-18.20.2-2.module_el9.4.0+99+a01f7676.x86_64.rpm
de41eb565929e269feca98939a3d65cfc8e9bad768db04862fb65157d82d543e

Notes:
This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.

  ALSA-2024:2779 Important: nodejs:18 security update