exploitDog
SUSE-SU-2020:1606-1

Published: 11 Jun 2020
Source: suse-cvrf

Description

Security update for nodejs12

This update for nodejs12 fixes the following issues:

nodejs12 was updated to version 12.18.0

  • CVE-2020-8174: Fixed multiple memory corruption in napi_get_value_string_*() (bsc#1172443).
  • CVE-2020-8172: Fixed an issue where TLS session reuse could have led to host certificate verification bypass (bsc#1172441).
  • CVE-2020-11080: Fixed a potential denial of service when receiving unreasonably large HTTP/2 SETTINGS frames (bsc#1172442).

npm was updated to 6.13.6

  • CVE-2020-7598: Fixed an issue which could have tricked minimist into adding or modifying properties of Object.prototype (bsc#1166916).

Package list

SUSE Linux Enterprise Module for Web and Scripting 12
nodejs12-12.18.0-1.14.1
nodejs12-devel-12.18.0-1.14.1
nodejs12-docs-12.18.0-1.14.1
npm12-12.18.0-1.14.1

Description (CVE-2020-11080)

In nghttp2 before version 1.41.0, an overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof-of-concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround for this vulnerability: implement the nghttp2_on_frame_recv_callback callback, and if the received frame is a SETTINGS frame and the number of settings entries is large (e.g., > 32), drop the connection.


Affected products
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-12.18.0-1.14.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-devel-12.18.0-1.14.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-docs-12.18.0-1.14.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm12-12.18.0-1.14.1

References

Description (CVE-2020-7598)

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.


Affected products
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-12.18.0-1.14.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-devel-12.18.0-1.14.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-docs-12.18.0-1.14.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm12-12.18.0-1.14.1

References

Description (CVE-2020-8172)

TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.


Affected products
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-12.18.0-1.14.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-devel-12.18.0-1.14.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-docs-12.18.0-1.14.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm12-12.18.0-1.14.1

References

Description (CVE-2020-8174)

napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, < 12.18.0, and < 14.4.0.


Affected products
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-12.18.0-1.14.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-devel-12.18.0-1.14.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-docs-12.18.0-1.14.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm12-12.18.0-1.14.1

References
Vulnerability SUSE-SU-2020:1606-1