Security update for nodejs18
Announcement ID: | SUSE-SU-2023:2662-1 |
---|---|
Rating: | important |
References: | |
Cross-References: | |
CVSS scores: |
|
Affected Products: |
|
An update that solves 10 vulnerabilities and has one security fix can now be installed.
Description:
This update for nodejs18 fixes the following issues:
Update to version 18.16.1:
- CVE-2023-30581: Fixed mainModule.proto Bypass Experimental Policy Mechanism (bsc#1212574).
- CVE-2023-30585: Fixed privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (bsc#1212579).
- CVE-2023-30588: Fixed process interuption due to invalid Public Key information in x509 certificates (bsc#1212581).
- CVE-2023-30589: Fixed HTTP Request Smuggling via empty headers separated by CR (bsc#1212582).
- CVE-2023-30590: Fixed DiffieHellman key generation after setting a private key (bsc#1212583).
- CVE-2023-31124: Fixed cross compilation issue with AutoTools that does not set CARES_RANDOM_FILE (bsc#1211607).
- CVE-2023-31130: Fixed buffer underwrite problem in ares_inet_net_pton() (bsc#1211606).
- CVE-2023-31147: Fixed insufficient randomness in generation of DNS query IDs (bsc#1211605).
- CVE-2023-32067: Fixed denial-of-service via 0-byte UDP payload (bsc#1211604).
- CVE-2022-25881: Fixed a Regular Expression Denial of Service (bsc#1208744).
Bug fixes:
- Increased the default timeout on unit tests from 2 to 20 minutes. This seems to have lead to build failures on some platforms, like s390x in Factory. (bsc#1211407)
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
Web and Scripting Module 12
zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2023-2662=1
Package List:
-
Web and Scripting Module 12 (aarch64 ppc64le s390x x86_64)
- nodejs18-debugsource-18.16.1-8.9.1
- npm18-18.16.1-8.9.1
- nodejs18-debuginfo-18.16.1-8.9.1
- nodejs18-devel-18.16.1-8.9.1
- nodejs18-18.16.1-8.9.1
-
Web and Scripting Module 12 (noarch)
- nodejs18-docs-18.16.1-8.9.1
References:
- https://www.suse.com/security/cve/CVE-2022-25881.html
- https://www.suse.com/security/cve/CVE-2023-30581.html
- https://www.suse.com/security/cve/CVE-2023-30585.html
- https://www.suse.com/security/cve/CVE-2023-30588.html
- https://www.suse.com/security/cve/CVE-2023-30589.html
- https://www.suse.com/security/cve/CVE-2023-30590.html
- https://www.suse.com/security/cve/CVE-2023-31124.html
- https://www.suse.com/security/cve/CVE-2023-31130.html
- https://www.suse.com/security/cve/CVE-2023-31147.html
- https://www.suse.com/security/cve/CVE-2023-32067.html
- https://bugzilla.suse.com/show_bug.cgi?id=1208744
- https://bugzilla.suse.com/show_bug.cgi?id=1211407
- https://bugzilla.suse.com/show_bug.cgi?id=1211604
- https://bugzilla.suse.com/show_bug.cgi?id=1211605
- https://bugzilla.suse.com/show_bug.cgi?id=1211606
- https://bugzilla.suse.com/show_bug.cgi?id=1211607
- https://bugzilla.suse.com/show_bug.cgi?id=1212574
- https://bugzilla.suse.com/show_bug.cgi?id=1212579
- https://bugzilla.suse.com/show_bug.cgi?id=1212581
- https://bugzilla.suse.com/show_bug.cgi?id=1212582
- https://bugzilla.suse.com/show_bug.cgi?id=1212583