Description
Security update for nodejs8
This update for nodejs8 fixes the following issues:
- CVE-2020-8174: Fixed multiple memory corruption issues in napi_get_value_string_*() (bsc#1172443).
- CVE-2020-11080: Fixed a potential denial of service when receiving unreasonably large HTTP/2 SETTINGS frames (bsc#1172442).
- CVE-2020-7598: Fixed an issue which could have tricked minimist into adding or modifying properties of Object.prototype (bsc#1166916).
- CVE-2020-15095: Fixed an information leak through log files (bsc#1173937).
- Explicitly add -fno-strict-aliasing to CFLAGS to fix compilation on AArch64 with gcc10 (bsc#1172686).
- Add a Require for nodejs8 when installing npm8 (bsc#1172728).
Package list
SUSE Linux Enterprise Module for Web and Scripting 15 SP2
References
- Link for SUSE-SU-2020:2800-1
- E-Mail link for SUSE-SU-2020:2800-1
- SUSE Security Ratings
- SUSE Bug 1166916
- SUSE Bug 1172442
- SUSE Bug 1172443
- SUSE Bug 1172686
- SUSE Bug 1172728
- SUSE Bug 1173937
- SUSE CVE CVE-2020-11080 page
- SUSE CVE CVE-2020-15095 page
- SUSE CVE CVE-2020-7598 page
- SUSE CVE CVE-2020-8174 page
Description
In nghttp2 before version 1.41.0, an overly large HTTP/2 SETTINGS frame payload causes a denial of service. The proof-of-concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround for this vulnerability: implement the nghttp2_on_frame_recv_callback callback, and if the received frame is a SETTINGS frame and the number of settings entries is large (e.g., > 32), drop the connection.
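The workaround above is phrased in terms of nghttp2's C callback API. What follows is an added example, not code from the advisory, from nghttp2 or from Node.js: a JavaScript check that applies the same rule to raw HTTP/2 frame bytes, counting the entries of a SETTINGS frame from its length and reporting more than 32 entries as grounds for dropping the connection. The frame layout (9-byte header, 6-byte settings entries, type 0x4, ACK flag 0x1) follows RFC 7540; the 2400-entry frame built by `buildSettingsFrame` is constructed test data matching the figures in the description; the function names are mine. Newer Node.js releases expose an `http2` session option `maxSettings` for this check, but nodejs8 does not, which is why the example performs it on the wire format itself.

```javascript
// Added example: per-frame SETTINGS guard mirroring the advisory's workaround.
// Not part of nghttp2 or Node.js; names and thresholds are this example's own.
const FRAME_HEADER_LEN = 9;        // RFC 7540 s4.1: 24-bit length, type, flags, stream id
const FRAME_TYPE_SETTINGS = 0x4;   // RFC 7540 s6.5
const SETTINGS_ENTRY_LEN = 6;      // 16-bit identifier + 32-bit value
const FLAG_ACK = 0x1;
const MAX_SETTINGS = 32;           // threshold suggested in the description ("e.g., > 32")

// Parse the fixed 9-byte frame header from the start of buf.
function parseFrameHeader(buf) {
  if (buf.length < FRAME_HEADER_LEN) throw new Error('short frame header');
  return {
    length: buf.readUIntBE(0, 3),
    type: buf[3],
    flags: buf[4],
    streamId: buf.readUInt32BE(5) & 0x7fffffff, // drop the reserved bit
  };
}

// Decide whether a frame is acceptable. Returns { ok: true, entries } for
// non-SETTINGS frames and for SETTINGS frames within the limit, and
// { ok: false, reason } when the peer's connection should be dropped.
function checkSettingsFrame(buf, maxSettings = MAX_SETTINGS) {
  const hd = parseFrameHeader(buf);
  if (hd.type !== FRAME_TYPE_SETTINGS) return { ok: true, entries: 0 };
  if (hd.streamId !== 0) return { ok: false, reason: 'SETTINGS on a non-zero stream' };
  if (hd.flags & FLAG_ACK) {
    // A SETTINGS ACK must carry no payload at all.
    return hd.length === 0
      ? { ok: true, entries: 0 }
      : { ok: false, reason: 'SETTINGS ACK with payload' };
  }
  if (hd.length % SETTINGS_ENTRY_LEN !== 0) return { ok: false, reason: 'SETTINGS length not a multiple of 6' };
  const entries = hd.length / SETTINGS_ENTRY_LEN;
  if (entries > maxSettings) {
    return { ok: false, reason: `too many settings entries (${entries} > ${maxSettings})` };
  }
  return { ok: true, entries };
}

// Constructed test data: a SETTINGS frame with n identical entries.
// buildSettingsFrame(2400) is the 14,400-byte payload from the description.
function buildSettingsFrame(n, flags = 0) {
  const payloadLen = n * SETTINGS_ENTRY_LEN;
  const buf = Buffer.alloc(FRAME_HEADER_LEN + payloadLen);
  buf.writeUIntBE(payloadLen, 0, 3);
  buf[3] = FRAME_TYPE_SETTINGS;
  buf[4] = flags;
  buf.writeUInt32BE(0, 5);           // stream id 0, reserved bit clear
  for (let i = 0; i < n; i++) {
    const off = FRAME_HEADER_LEN + i * SETTINGS_ENTRY_LEN;
    buf.writeUInt16BE(0x3, off);     // SETTINGS_MAX_CONCURRENT_STREAMS
    buf.writeUInt32BE(100, off + 2);
  }
  return buf;
}

// Stand-alone demonstration.
const oversized = buildSettingsFrame(2400);
console.log(oversized.length, 'bytes ->', checkSettingsFrame(oversized));
console.log('6 entries ->', checkSettingsFrame(buildSettingsFrame(6)));
```

The check is deliberately cheap: it reads only the 9-byte header and never decodes the entries, so it can run before the frame is handed to the HTTP/2 stack, which is the point of the workaround (the cost of the attack is the repeated processing of 2400 entries, not the bytes on the wire).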
Affected products
References
- CVE-2020-11080
- SUSE Bug 1172441
- SUSE Bug 1172442
- SUSE Bug 1181358
Description
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.
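As an added example, not npm's own code, the following redacts the password component of a URL of the shape quoted above before the string is written to stdout or a log file. It is regex-based rather than built on the WHATWG `URL` class because the `[:port][:][/]path` form in that grammar (for example a `git+ssh://user:pass@host:org/repo.git` URL) does not parse as a standard URL. The URL strings in the test are constructed; `redactUrl` and `redactLogLine` are names chosen for this example.

```javascript
// Added example: log-safe redaction of the password in
// <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>.
// Not npm's implementation.

// scheme "://" user ":" password "@" -- the password is group 2. The user and
// password classes exclude "/" and whitespace so a "host:port/path@x" string
// without userinfo cannot be mistaken for credentials.
const USERINFO_PASSWORD = /^([a-z][a-z0-9+.-]*:\/\/[^:@\/\s]+:)([^@\/\s]+)(@)/i;

// Return url with its password (if any) replaced by "***".
function redactUrl(url) {
  return url.replace(USERINFO_PASSWORD, (_m, prefix, _password, at) => `${prefix}***${at}`);
}

// Redact every URL-looking token in a free-form log line.
function redactLogLine(line) {
  return line.replace(/[a-z][a-z0-9+.-]*:\/\/\S+/gi, redactUrl);
}

// Stand-alone demonstration on constructed input.
console.log(redactUrl('https://alice:s3cret@registry.example.com:8443/pkg'));
console.log(redactLogLine('npm http fetch GET https://bob:pw@registry.example.com/x 200'));
```

Apply `redactLogLine` at the single point where log lines are formatted, so that every code path that prints a registry URL is covered rather than only the ones that were noticed.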
Affected products
References
- CVE-2020-15095
- SUSE Bug 1173937
Description
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
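The following is an added example, not minimist's code: a minimal `--key.path=value` argument parser whose key-setting routine refuses any path component that would reach the shared prototype (`__proto__`, `constructor`, `prototype`). It shows the shape of the check a parser needs so that an argument such as `--__proto__.polluted=1` is rejected and reported instead of modifying `Object.prototype`. The function names and the argument list in the test are this example's own.

```javascript
// Added example: argv parser with a prototype-pollution guard. Not minimist.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isForbiddenKey(key) {
  return FORBIDDEN_KEYS.has(key);
}

// Assign value at path (array of keys) inside target. Returns false and assigns
// nothing if any component of the path is a forbidden key. Intermediate objects
// are created without a prototype so later lookups cannot fall through to
// Object.prototype either.
function setKey(target, path, value) {
  if (path.length === 0 || path.some(isForbiddenKey)) return false;
  let obj = target;
  for (const key of path.slice(0, -1)) {
    const existing = Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
    if (typeof existing !== 'object' || existing === null) obj[key] = Object.create(null);
    obj = obj[key];
  }
  obj[path[path.length - 1]] = value;
  return true;
}

// Parse "--a.b=c" and "--flag" arguments; everything else goes to "_".
// Arguments refused by setKey are collected in "rejected" so callers can log them.
function parseArgs(argv) {
  const result = { _: [], rejected: [] };
  for (const arg of argv) {
    const m = /^--([^=]+)(?:=(.*))?$/.exec(arg);
    if (!m) {
      result._.push(arg);
      continue;
    }
    const path = m[1].split('.');
    const value = m[2] === undefined ? true : m[2];
    if (!setKey(result, path, value)) result.rejected.push(arg);
  }
  return result;
}

// Stand-alone demonstration on constructed arguments.
console.log(parseArgs(['--__proto__.polluted=1', '--db.host=localhost', '--verbose', 'file.txt']));
console.log('Object.prototype.polluted =', ({}).polluted);
```

The important property is the last line: after parsing a hostile argument, a fresh `{}` still has no `polluted` property. A test that asserts exactly that is the regression check worth keeping for any option parser that maps user input onto nested objects.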
Affected products
References
- CVE-2020-7598
- SUSE Bug 1166916
Description
napi_get_value_string_*() allows various kinds of memory corruption in Node.js versions before 10.21.0, before 12.18.0, and before 14.4.0.
Affected products
References
- CVE-2020-8174
- SUSE Bug 1172443