exploitDog
SUSE-SU-2022:2855-1

Published: 19 Aug 2022
Source: suse-cvrf

Description

Security update for nodejs10

This update for nodejs10 fixes the following issues:

  • CVE-2021-22930, CVE-2021-22940: Fixed two memory corruption issues during HTTP/2 stream cancellation (bsc#1188917, bsc#1189368).
  • CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2021-22960, CVE-2021-22959: Fixed multiple HTTP request smuggling issues in the underlying HTTP parser (bsc#1201325, bsc#1201326, bsc#1201327, bsc#1191602, bsc#1191601).
  • CVE-2022-32212: Fixed a DNS rebinding issue caused by improper IPv4 validation (bsc#1201328).

Package list

All of the products listed below receive the same four packages:
  • nodejs10-10.24.1-150000.1.47.1
  • nodejs10-devel-10.24.1-150000.1.47.1
  • nodejs10-docs-10.24.1-150000.1.47.1
  • npm10-10.24.1-150000.1.47.1

Products:
  • SUSE Enterprise Storage 6
  • SUSE Enterprise Storage 7
  • SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS
  • SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS
  • SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS
  • SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS
  • SUSE Linux Enterprise High Performance Computing 15-ESPOS
  • SUSE Linux Enterprise High Performance Computing 15-LTSS
  • SUSE Linux Enterprise Server 15 SP1-BCL
  • SUSE Linux Enterprise Server 15 SP1-LTSS
  • SUSE Linux Enterprise Server 15 SP2-BCL
  • SUSE Linux Enterprise Server 15 SP2-LTSS
  • SUSE Linux Enterprise Server 15-LTSS
  • SUSE Linux Enterprise Server for SAP Applications 15
  • SUSE Linux Enterprise Server for SAP Applications 15 SP1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2
  • SUSE Manager Proxy 4.1
  • SUSE Manager Retail Branch Server 4.1
  • SUSE Manager Server 4.1
  • openSUSE Leap 15.3
  • openSUSE Leap 15.4

Description (CVE-2021-22930)

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use-after-free bug in which an attacker might be able to exploit the memory corruption to change process behavior.


Affected products
  • SUSE Enterprise Storage 6: nodejs10-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: nodejs10-devel-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: nodejs10-docs-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: npm10-10.24.1-150000.1.47.1


Description (CVE-2021-22940)

Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use-after-free bug in which an attacker might be able to exploit the memory corruption to change process behavior.


Affected products
  • SUSE Enterprise Storage 6: nodejs10-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: nodejs10-devel-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: nodejs10-docs-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: npm10-10.24.1-150000.1.47.1


Description (CVE-2021-22959)

The llhttp parser accepts requests with a space (SP) right after the header name, before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.


Affected products
  • SUSE Enterprise Storage 6: nodejs10-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: nodejs10-devel-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: nodejs10-docs-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: npm10-10.24.1-150000.1.47.1


Description (CVE-2021-22960)

The parse function in llhttp < 2.1.4 and < 6.0.6 ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.


Affected products
  • SUSE Enterprise Storage 6: nodejs10-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: nodejs10-devel-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: nodejs10-docs-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: npm10-10.24.1-150000.1.47.1


Description (CVE-2022-32212)

An OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check whether an IP address is invalid before making DNS requests, allowing rebinding attacks.


Affected products
  • SUSE Enterprise Storage 6: nodejs10-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: nodejs10-devel-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: nodejs10-docs-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: npm10-10.24.1-150000.1.47.1


Description (CVE-2022-32213)

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).


Affected products
  • SUSE Enterprise Storage 6: nodejs10-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: nodejs10-devel-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: nodejs10-docs-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: npm10-10.24.1-150000.1.47.1


Description (CVE-2022-32214)

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).


Affected products
  • SUSE Enterprise Storage 6: nodejs10-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: nodejs10-devel-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: nodejs10-docs-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: npm10-10.24.1-150000.1.47.1


Description (CVE-2022-32215)

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).


Affected products
  • SUSE Enterprise Storage 6: nodejs10-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: nodejs10-devel-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: nodejs10-docs-10.24.1-150000.1.47.1
  • SUSE Enterprise Storage 6: npm10-10.24.1-150000.1.47.1

References
Vulnerability SUSE-SU-2022:2855-1