Security update for nodejs14
Announcement ID: | SUSE-SU-2021:3184-1 |
---|---|
Rating: | important |
References: | |
Cross-References: | |
CVSS scores: |
|
Affected Products: |
|
An update that solves five vulnerabilities can now be installed.
Description:
This update for nodejs14 fixes the following issues:
- CVE-2021-3672: Fixed missing input validation on hostnames (bsc#1188881).
- CVE-2021-22931: Fixed improper handling of untypical characters in domain names (bsc#1189370).
- CVE-2021-22940: Use after free on close http2 on stream canceling (bsc#1189368)
- CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (bsc#1189369)
- CVE-2021-22930: Fixed use after free on close http2 on stream canceling (bsc#1188917).
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
Web and Scripting Module 12
zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2021-3184=1
Package List:
-
Web and Scripting Module 12 (aarch64 ppc64le s390x x86_64)
- nodejs14-debugsource-14.17.5-6.15.3
- npm14-14.17.5-6.15.3
- nodejs14-devel-14.17.5-6.15.3
- nodejs14-debuginfo-14.17.5-6.15.3
- nodejs14-14.17.5-6.15.3
-
Web and Scripting Module 12 (noarch)
- nodejs14-docs-14.17.5-6.15.3
References:
- https://www.suse.com/security/cve/CVE-2021-22930.html
- https://www.suse.com/security/cve/CVE-2021-22931.html
- https://www.suse.com/security/cve/CVE-2021-22939.html
- https://www.suse.com/security/cve/CVE-2021-22940.html
- https://www.suse.com/security/cve/CVE-2021-3672.html
- https://bugzilla.suse.com/show_bug.cgi?id=1188881
- https://bugzilla.suse.com/show_bug.cgi?id=1188917
- https://bugzilla.suse.com/show_bug.cgi?id=1189368
- https://bugzilla.suse.com/show_bug.cgi?id=1189369
- https://bugzilla.suse.com/show_bug.cgi?id=1189370