exploitDog

SUSE-SU-2020:0429-1

Published: 20 Feb 2020
Source: suse-cvrf

Description

Security update for nodejs12

This update for nodejs12 fixes the following issues:

nodejs12 was updated to version 12.15.0.

Security issues fixed:

  • CVE-2019-15604: Fixed a remotely triggerable assertion in the TLS server via a crafted certificate string (bsc#1163104).
  • CVE-2019-15605: Fixed an HTTP request smuggling vulnerability via a malformed Transfer-Encoding header (bsc#1163102).
  • CVE-2019-15606: Fixed the whitespace sanitization of HTTP header values (bsc#1163103).
  • CVE-2019-16775: Fixed an arbitrary file write in the bundled npm CLI, where a package.json bin entry could create symlinks to files outside node_modules (bsc#1159352).
  • CVE-2019-16776: Fixed an arbitrary file write in the bundled npm CLI, where a package.json bin entry could reach folders outside node_modules (bsc#1159352).
  • CVE-2019-16777: Fixed an arbitrary file overwrite in the bundled npm CLI, where a global install could replace a binary already installed globally by another package (bsc#1159352).

Package list

SUSE Linux Enterprise Module for Web and Scripting 12
nodejs12-12.15.0-1.6.1
nodejs12-devel-12.15.0-1.6.1
nodejs12-docs-12.15.0-1.6.1
npm12-12.15.0-1.6.1

Description of CVE-2019-15604

Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate


Affected products
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-devel-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-docs-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm12-12.15.0-1.6.1


Description of CVE-2019-15605

HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed


Affected products
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-devel-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-docs-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm12-12.15.0-1.6.1


Description of CVE-2019-15606

Including trailing white space in HTTP header values in Node.js 10, 12, and 13 causes bypass of authorization based on header value comparisons


Affected products
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-devel-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-docs-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm12-12.15.0-1.6.1


Description of CVE-2019-16775

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. Install scripts can still do this by design; this vulnerability needs no scripts at all, so installing with the --ignore-scripts option does not protect against it.


Affected products
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-devel-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-docs-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm12-12.15.0-1.6.1


Description of CVE-2019-16776

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. Install scripts can still do this by design; this vulnerability needs no scripts at all, so installing with the --ignore-scripts option does not protect against it.


Affected products
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-devel-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-docs-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm12-12.15.0-1.6.1


Description of CVE-2019-16777

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent install of a package that also creates a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations, and install scripts can still do it by design; this vulnerability needs no scripts at all, so installing with the --ignore-scripts option does not protect against it.


Affected products
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-devel-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-docs-12.15.0-1.6.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm12-12.15.0-1.6.1
