Description
Security update for nodejs8
This update for nodejs8 fixes the following issues:
- update to npm 6.14.13
- CVE-2021-27290: Fixed ssri Regular Expression Denial of Service. (bsc#1187976)
- CVE-2021-23362: Fixed hosted-git-info Regular Expression Denial of Service. (bsc#1187977)
- CVE-2020-7774: Fixed y18n Prototype Pollution. (bsc#1184450)
Package list
SUSE Linux Enterprise Module for Web and Scripting 15 SP2
nodejs8-8.17.0-10.12.2
nodejs8-devel-8.17.0-10.12.2
nodejs8-docs-8.17.0-10.12.2
npm8-8.17.0-10.12.2
References
- Link for SUSE-SU-2021:2618-1
- E-Mail link for SUSE-SU-2021:2618-1
- SUSE Security Ratings
- SUSE Bug 1184450
- SUSE Bug 1187976
- SUSE Bug 1187977
- SUSE CVE CVE-2020-7774 page
- SUSE CVE CVE-2021-23362 page
- SUSE CVE CVE-2021-27290 page
Description
The package y18n before 3.2.2, 4.0.1 and 5.0.5 is vulnerable to Prototype Pollution.
Affected products
SUSE Linux Enterprise Module for Web and Scripting 15 SP2:nodejs8-8.17.0-10.12.2
SUSE Linux Enterprise Module for Web and Scripting 15 SP2:nodejs8-devel-8.17.0-10.12.2
SUSE Linux Enterprise Module for Web and Scripting 15 SP2:nodejs8-docs-8.17.0-10.12.2
SUSE Linux Enterprise Module for Web and Scripting 15 SP2:npm8-8.17.0-10.12.2
References
- CVE-2020-7774
- SUSE Bug 1184450
Description
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Affected products
SUSE Linux Enterprise Module for Web and Scripting 15 SP2:nodejs8-8.17.0-10.12.2
SUSE Linux Enterprise Module for Web and Scripting 15 SP2:nodejs8-devel-8.17.0-10.12.2
SUSE Linux Enterprise Module for Web and Scripting 15 SP2:nodejs8-docs-8.17.0-10.12.2
SUSE Linux Enterprise Module for Web and Scripting 15 SP2:npm8-8.17.0-10.12.2
References
- CVE-2021-23362
- SUSE Bug 1187977
Description
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Affected products
SUSE Linux Enterprise Module for Web and Scripting 15 SP2:nodejs8-8.17.0-10.12.2
SUSE Linux Enterprise Module for Web and Scripting 15 SP2:nodejs8-devel-8.17.0-10.12.2
SUSE Linux Enterprise Module for Web and Scripting 15 SP2:nodejs8-docs-8.17.0-10.12.2
SUSE Linux Enterprise Module for Web and Scripting 15 SP2:npm8-8.17.0-10.12.2
References
- CVE-2021-27290
- SUSE Bug 1187976