Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2020:1576-1

Опубликовано: 09 июн. 2020
Источник: suse-cvrf

Описание

Security update for nodejs8

This update for nodejs8 fixes the following issues:

  • CVE-2020-8174: Fixed multiple memory corruption in napi_get_value_string_*() (bsc#1172443).
  • CVE-2020-11080: Fixed a potential denial of service when receiving unreasonably large HTTP/2 SETTINGS frames (bsc#1172442).
  • CVE-2020-7598: Fixed an issue which could have tricked minimist into adding or modifying properties of Object.prototype (bsc#1166916).

Список пакетов

SUSE Linux Enterprise High Performance Computing 15-ESPOS
nodejs8-8.17.0-3.32.1
nodejs8-devel-8.17.0-3.32.1
nodejs8-docs-8.17.0-3.32.1
npm8-8.17.0-3.32.1
SUSE Linux Enterprise High Performance Computing 15-LTSS
nodejs8-8.17.0-3.32.1
nodejs8-devel-8.17.0-3.32.1
nodejs8-docs-8.17.0-3.32.1
npm8-8.17.0-3.32.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP1
nodejs8-8.17.0-3.32.1
nodejs8-devel-8.17.0-3.32.1
nodejs8-docs-8.17.0-3.32.1
npm8-8.17.0-3.32.1
SUSE Linux Enterprise Server 15-LTSS
nodejs8-8.17.0-3.32.1
nodejs8-devel-8.17.0-3.32.1
nodejs8-docs-8.17.0-3.32.1
npm8-8.17.0-3.32.1
SUSE Linux Enterprise Server for SAP Applications 15
nodejs8-8.17.0-3.32.1
nodejs8-devel-8.17.0-3.32.1
nodejs8-docs-8.17.0-3.32.1
npm8-8.17.0-3.32.1

Ссылки

Описание

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

Затронутые продукты
SUSE Linux Enterprise High Performance Computing 15-ESPOS:nodejs8-8.17.0-3.32.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS:nodejs8-devel-8.17.0-3.32.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS:nodejs8-docs-8.17.0-3.32.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS:npm8-8.17.0-3.32.1
Ссылки

Описание

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Затронутые продукты
SUSE Linux Enterprise High Performance Computing 15-ESPOS:nodejs8-8.17.0-3.32.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS:nodejs8-devel-8.17.0-3.32.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS:nodejs8-docs-8.17.0-3.32.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS:npm8-8.17.0-3.32.1
Ссылки

Описание

napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.

Затронутые продукты
SUSE Linux Enterprise High Performance Computing 15-ESPOS:nodejs8-8.17.0-3.32.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS:nodejs8-devel-8.17.0-3.32.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS:nodejs8-docs-8.17.0-3.32.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS:npm8-8.17.0-3.32.1
Ссылки