Описание
Security update for nodejs14
This update for nodejs14 fixes the following issues:
Updated to version 14.20.1:
- CVE-2022-32213: Fixed bypass via obs-fold mechanic (bsc#1201325).
- CVE-2022-35256: Fixed incorrect Parsing of Header Fields (bsc#1203832).
Список пакетов
SUSE Linux Enterprise Module for Web and Scripting 12
nodejs14-14.20.1-6.34.1
nodejs14-devel-14.20.1-6.34.1
nodejs14-docs-14.20.1-6.34.1
npm14-14.20.1-6.34.1
Ссылки
- Link for SUSE-SU-2022:3516-1
- E-Mail link for SUSE-SU-2022:3516-1
- SUSE Security Ratings
- SUSE Bug 1201325
- SUSE Bug 1203832
- SUSE CVE CVE-2022-32213 page
- SUSE CVE CVE-2022-35256 page
Описание
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-14.20.1-6.34.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-devel-14.20.1-6.34.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-docs-14.20.1-6.34.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm14-14.20.1-6.34.1
Ссылки
- CVE-2022-32213
- SUSE Bug 1201325
Описание
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-14.20.1-6.34.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-devel-14.20.1-6.34.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs14-docs-14.20.1-6.34.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm14-14.20.1-6.34.1
Ссылки
- CVE-2022-35256
- SUSE Bug 1203832