SUSE-SU-2022:3614-1

Опубликовано: 18 окт. 2022

Источник: suse-cvrf

Описание

Security update for nodejs14

This update for nodejs14 fixes the following issues:

Updated to version 14.20.1:

CVE-2022-32213: Fixed bypass via obs-fold mechanic (bsc#1201325).
CVE-2022-35256: Fixed incorrect Parsing of Header Fields (bsc#1203832).

Список пакетов

Container bci/node:14

nodejs14-14.20.1-150200.15.37.1

npm14-14.20.1-150200.15.37.1

SUSE Linux Enterprise Module for Web and Scripting 15 SP3

nodejs14-14.20.1-150200.15.37.1

nodejs14-devel-14.20.1-150200.15.37.1

nodejs14-docs-14.20.1-150200.15.37.1

npm14-14.20.1-150200.15.37.1

openSUSE Leap 15.3

nodejs14-14.20.1-150200.15.37.1

nodejs14-devel-14.20.1-150200.15.37.1

nodejs14-docs-14.20.1-150200.15.37.1

npm14-14.20.1-150200.15.37.1

openSUSE Leap 15.4

corepack14-14.20.1-150200.15.37.1

nodejs14-14.20.1-150200.15.37.1

nodejs14-devel-14.20.1-150200.15.37.1

nodejs14-docs-14.20.1-150200.15.37.1

npm14-14.20.1-150200.15.37.1

Ссылки

https://www.suse.com/support/update/announcement/2022/suse-su-20223614-1/
Link for SUSE-SU-2022:3614-1
https://lists.suse.com/pipermail/sle-security-updates/2022-October/012558.html
E-Mail link for SUSE-SU-2022:3614-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1201325
SUSE Bug 1201325
https://bugzilla.suse.com/1203832
SUSE Bug 1203832
https://www.suse.com/security/cve/CVE-2022-32213/
SUSE CVE CVE-2022-32213 page
https://www.suse.com/security/cve/CVE-2022-35256/
SUSE CVE CVE-2022-35256 page

Описание

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).

Затронутые продукты

Container bci/node:14:nodejs14-14.20.1-150200.15.37.1

Container bci/node:14:npm14-14.20.1-150200.15.37.1

SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs14-14.20.1-150200.15.37.1

SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs14-devel-14.20.1-150200.15.37.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-32213.html
CVE-2022-32213
https://bugzilla.suse.com/1201325
SUSE Bug 1201325

Описание

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

Затронутые продукты

Container bci/node:14:nodejs14-14.20.1-150200.15.37.1

Container bci/node:14:npm14-14.20.1-150200.15.37.1

SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs14-14.20.1-150200.15.37.1

SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs14-devel-14.20.1-150200.15.37.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-35256.html
CVE-2022-35256
https://bugzilla.suse.com/1203832
SUSE Bug 1203832

SUSE-SU-2022:3614-1

Описание

Список пакетов

Container bci/node:14

SUSE Linux Enterprise Module for Web and Scripting 15 SP3

openSUSE Leap 15.3

openSUSE Leap 15.4

Ссылки

Уязвимость: CVE-2022-32213

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2022-35256

Описание

Затронутые продукты

Ссылки