[ALAS-2020-1359] Amazon Linux AMI 2014.03 - ALAS-2020-1359: important priority package update for http-parser
Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-15605:
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
1800364: CVE-2019-15605 nodejs: HTTP request smuggling using malformed Transfer-Encoding header
CVE-2018-7159:
The HTTP parser in all current versions of Node.js ignores spaces in the Content-Length header, allowing input such as Content-Length: 1 2 to be interpreted as having a value of 12. The HTTP specification does not allow for spaces in the Content-Length value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for Content-Length. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete.
It was found that the http module from Node.js could accept incorrect Content-Length values, containing spaces within the value, in HTTP headers. A specially crafted client could use this flaw to possibly confuse the script, causing unspecified behavior.
CVE-2018-7159 nodejs: HTTP parser allowed for spaces inside Content-Length header values
1561981: CVE-2018-7159 nodejs: HTTP parser allowed for spaces inside Content-Length header values
CVE-2018-12121:
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.
CVE-2018-12121 nodejs: Denial of Service with large HTTP headers
1661002: CVE-2018-12121 nodejs: Denial of Service with large HTTP headers
| Package | Affected Version |
|---|---|
 pkg:rpm/amazonlinux/http-parser?arch=x86_64&distro=amazonlinux-1
|
< 2.9.3-1.2.amzn1 |
|
pkg:rpm/amazonlinux/http-parser?arch=i686&distro=amazonlinux-1
|
< 2.9.3-1.2.amzn1 |
|
pkg:rpm/amazonlinux/http-parser-devel?arch=x86_64&distro=amazonlinux-1
|
< 2.9.3-1.2.amzn1 |
|
pkg:rpm/amazonlinux/http-parser-devel?arch=i686&distro=amazonlinux-1
|
< 2.9.3-1.2.amzn1 |
|
pkg:rpm/amazonlinux/http-parser-debuginfo?arch=x86_64&distro=amazonlinux-1
|
< 2.9.3-1.2.amzn1 |
|
pkg:rpm/amazonlinux/http-parser-debuginfo?arch=i686&distro=amazonlinux-1
|
< 2.9.3-1.2.amzn1 |
- ID
- ALAS-2020-1359
- Severity
- important
- URL
- https://alas.aws.amazon.com/ALAS-2020-1359.html
- Published
-
2020-04-20T19:21:00
(4 years ago) - Modified
-
2020-04-23T23:03:00
(4 years ago) - Rights
- Amazon Linux Security Team
- Other Advisories
-
-
ALAS2-2019-1322
-
ALAS2-2020-1417
-
ALPINE:CVE-2018-12121
-
ALPINE:CVE-2018-7159
-
ALPINE:CVE-2019-15605
-
ALSA-2020:0579
-
ALSA-2020:0598
-
DSA-4669-1
-
ELSA-2019-2258
-
ELSA-2019-3497
-
ELSA-2020-0579
-
ELSA-2020-0598
-
ELSA-2020-0703
-
ELSA-2020-0708
-
FEDORA-2018-8049b2c488
-
FEDORA-2018-e672eaf4df
-
FEDORA-2018-ecf73042e3
-
FEDORA-2020-3838c8ea98
-
FEDORA-2020-47efc31973
-
FREEBSD:0032400F-624F-11EA-B495-000D3AB229D6
-
FREEBSD:2A86F45A-FC3C-11E8-A414-00155D006B02
-
FREEBSD:5A9BBB6E-32D3-11E8-A769-6DAABA161086
-
GLSA-202003-48
-
MS:CVE-2018-12121
-
openSUSE-SU-2019:0089-1
-
openSUSE-SU-2020:0293-1
-
RHSA-2019:2258
-
RHSA-2019:3497
-
RHSA-2020:0579
-
RHSA-2020:0598
-
RHSA-2020:0703
-
RHSA-2020:0708
-
RLSA-2020:0579
-
RLSA-2020:0598
-
SUSE-SU-2018:0952-1
-
SUSE-SU-2018:1183-1
-
SUSE-SU-2019:0117-1
-
SUSE-SU-2019:0118-1
-
SUSE-SU-2019:0395-1
-
SUSE-SU-2020:0427-1
-
SUSE-SU-2020:0429-1
-
SUSE-SU-2020:0454-1
-
SUSE-SU-2020:0455-1
-
SUSE-SU-2020:0488-1
-
USN-6380-1
-
| Source | # ID | Name | URL |
|---|---|---|---|
| CVE | CVE-2018-12121 |
|
|
| CVE | CVE-2018-7159 |
|
|
| CVE | CVE-2019-15605 |
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:rpm/amazonlinux/http-parser?arch=x86_64&distro=amazonlinux-1 | amazonlinux |
http-parser
|
< 2.9.3-1.2.amzn1 | amazonlinux-1 | x86_64 | |
| Affected | pkg:rpm/amazonlinux/http-parser?arch=i686&distro=amazonlinux-1 | amazonlinux |
http-parser
|
< 2.9.3-1.2.amzn1 | amazonlinux-1 | i686 | |
| Affected | pkg:rpm/amazonlinux/http-parser-devel?arch=x86_64&distro=amazonlinux-1 | amazonlinux |
http-parser-devel
|
< 2.9.3-1.2.amzn1 | amazonlinux-1 | x86_64 | |
| Affected | pkg:rpm/amazonlinux/http-parser-devel?arch=i686&distro=amazonlinux-1 | amazonlinux |
http-parser-devel
|
< 2.9.3-1.2.amzn1 | amazonlinux-1 | i686 | |
| Affected | pkg:rpm/amazonlinux/http-parser-debuginfo?arch=x86_64&distro=amazonlinux-1 | amazonlinux |
http-parser-debuginfo
|
< 2.9.3-1.2.amzn1 | amazonlinux-1 | x86_64 | |
| Affected | pkg:rpm/amazonlinux/http-parser-debuginfo?arch=i686&distro=amazonlinux-1 | amazonlinux |
http-parser-debuginfo
|
< 2.9.3-1.2.amzn1 | amazonlinux-1 | i686 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |