Security update for nodejs16
Announcement ID: | SUSE-SU-2022:3196-1 |
---|---|
Rating: | moderate |
References: | |
Cross-References: | |
CVSS scores: |
|
Affected Products: |
|
An update that solves four vulnerabilities and has one security fix can now be installed.
Description:
This update for nodejs16 fixes the following issues:
- CVE-2022-35949: Fixed SSRF when an application takes in user input into the path/pathname option of undici.request (bsc#1202382).
- CVE-2022-35948: Fixed CRLF injection via Content-Type (bsc#1202383).
- CVE-2022-29244: Fixed npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace (bsc#1200517).
- CVE-2022-31150: Fixed CRLF injection in node-undici (bsc#1201710).
Bugfixes:
- Enable crypto-policies for SLE15 SP4+ and TW (bsc#1200303)
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
Web and Scripting Module 12
zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2022-3196=1
Package List:
-
Web and Scripting Module 12 (aarch64 ppc64le s390x x86_64)
- nodejs16-16.17.0-8.9.1
- nodejs16-debugsource-16.17.0-8.9.1
- npm16-16.17.0-8.9.1
- nodejs16-debuginfo-16.17.0-8.9.1
- nodejs16-devel-16.17.0-8.9.1
-
Web and Scripting Module 12 (noarch)
- nodejs16-docs-16.17.0-8.9.1
References:
- https://www.suse.com/security/cve/CVE-2022-29244.html
- https://www.suse.com/security/cve/CVE-2022-31150.html
- https://www.suse.com/security/cve/CVE-2022-35948.html
- https://www.suse.com/security/cve/CVE-2022-35949.html
- https://bugzilla.suse.com/show_bug.cgi?id=1200303
- https://bugzilla.suse.com/show_bug.cgi?id=1200517
- https://bugzilla.suse.com/show_bug.cgi?id=1201710
- https://bugzilla.suse.com/show_bug.cgi?id=1202382
- https://bugzilla.suse.com/show_bug.cgi?id=1202383