Security update for nodejs16
Announcement ID: | SUSE-SU-2023:2655-1 |
---|---|
Rating: | important |
References: | |
Cross-References: | |
CVSS scores: |
|
Affected Products: |
|
An update that solves nine vulnerabilities and has one security fix can now be installed.
Description:
This update for nodejs16 fixes the following issues:
Update to version 16.20.1:
- CVE-2023-30581: Fixed mainModule.proto Bypass Experimental Policy Mechanism (bsc#1212574).
- CVE-2023-30585: Fixed privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (bsc#1212579).
- CVE-2023-30588: Fixed process interuption due to invalid Public Key information in x509 certificates (bsc#1212581).
- CVE-2023-30589: Fixed HTTP Request Smuggling via empty headers separated by CR (bsc#1212582).
- CVE-2023-30590: Fixed DiffieHellman key generation after setting a private key (bsc#1212583).
- CVE-2023-31124: Fixed cross compilation issue with AutoTools that does not set CARES_RANDOM_FILE (bsc#1211607).
- CVE-2023-31130: Fixed buffer underwrite problem in ares_inet_net_pton() (bsc#1211606).
- CVE-2023-31147: Fixed insufficient randomness in generation of DNS query IDs (bsc#1211605).
- CVE-2023-32067: Fixed denial-of-service via 0-byte UDP payload (bsc#1211604).
Bug fixes:
- Increased the default timeout on unit tests from 2 to 20 minutes. This seems to have lead to build failures on some platforms, like s390x in Factory. (bsc#1211407)
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
Web and Scripting Module 12
zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2023-2655=1
Package List:
-
Web and Scripting Module 12 (aarch64 ppc64le s390x x86_64)
- nodejs16-debugsource-16.20.1-8.30.1
- npm16-16.20.1-8.30.1
- nodejs16-16.20.1-8.30.1
- nodejs16-devel-16.20.1-8.30.1
- nodejs16-debuginfo-16.20.1-8.30.1
-
Web and Scripting Module 12 (noarch)
- nodejs16-docs-16.20.1-8.30.1
References:
- https://www.suse.com/security/cve/CVE-2023-30581.html
- https://www.suse.com/security/cve/CVE-2023-30585.html
- https://www.suse.com/security/cve/CVE-2023-30588.html
- https://www.suse.com/security/cve/CVE-2023-30589.html
- https://www.suse.com/security/cve/CVE-2023-30590.html
- https://www.suse.com/security/cve/CVE-2023-31124.html
- https://www.suse.com/security/cve/CVE-2023-31130.html
- https://www.suse.com/security/cve/CVE-2023-31147.html
- https://www.suse.com/security/cve/CVE-2023-32067.html
- https://bugzilla.suse.com/show_bug.cgi?id=1211407
- https://bugzilla.suse.com/show_bug.cgi?id=1211604
- https://bugzilla.suse.com/show_bug.cgi?id=1211605
- https://bugzilla.suse.com/show_bug.cgi?id=1211606
- https://bugzilla.suse.com/show_bug.cgi?id=1211607
- https://bugzilla.suse.com/show_bug.cgi?id=1212574
- https://bugzilla.suse.com/show_bug.cgi?id=1212579
- https://bugzilla.suse.com/show_bug.cgi?id=1212581
- https://bugzilla.suse.com/show_bug.cgi?id=1212582
- https://bugzilla.suse.com/show_bug.cgi?id=1212583