Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2022:3524-1

Опубликовано: 05 окт. 2022
Источник: suse-cvrf

Описание

Security update for nodejs16

This update for nodejs16 fixes the following issues:

Updated to version 16.17.1:

  • CVE-2022-32213: Fixed bypass via obs-fold mechanic (bsc#1201325).
  • CVE-2022-32215: Fixed incorrect Parsing of Multi-line Transfer-Encoding (bsc#1201327).
  • CVE-2022-35256: Fixed incorrect Parsing of Header Fields (bsc#1203832).
  • CVE-2022-35255: FIxed weak randomness in WebCrypto keygen (bsc#1203831).

Список пакетов

SUSE Linux Enterprise Module for Web and Scripting 12
nodejs16-16.17.1-8.12.1
nodejs16-devel-16.17.1-8.12.1
nodejs16-docs-16.17.1-8.12.1
npm16-16.17.1-8.12.1

Ссылки

Описание

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-16.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-devel-16.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-docs-16.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm16-16.17.1-8.12.1
Ссылки

Описание

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-16.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-devel-16.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-docs-16.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm16-16.17.1-8.12.1
Ссылки

Описание

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-16.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-devel-16.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-docs-16.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm16-16.17.1-8.12.1
Ссылки

Описание

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

Затронутые продукты
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-16.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-devel-16.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:nodejs16-docs-16.17.1-8.12.1
SUSE Linux Enterprise Module for Web and Scripting 12:npm16-16.17.1-8.12.1
Ссылки