Описание
Security update for nodejs18
This update for nodejs18 fixes the following issues:
This update ships nodejs18 (jsc#PED-2097)
Update to NodejJS 18.13.0 LTS:
-
build: disable v8 snapshot compression by default
-
crypto: update root certificates
-
deps: update ICU to 72.1
-
doc:
- add doc-only deprecation for headers/trailers setters
- add Rafael to the tsc
- deprecate use of invalid ports in url.parse
- deprecate url.parse()
-
lib: drop fetch experimental warning
-
net: add autoSelectFamily and autoSelectFamilyAttemptTimeout options
-
src:
- add uvwasi version
- add initial shadow realm support
-
test_runner:
- add t.after() hook
- don't use a symbol for runHook()
-
tls:
- add 'ca' property to certificate object
-
util:
- add fast path for utf8 encoding
- improve textdecoder decode performance
- add MIME utilities
- Fixes compatibility with ICU 72.1 (bsc#1205236)
- Fix migration to openssl-3 (bsc#1205042)
Update to NodeJS 18.12.1 LTS:
- inspector: DNS rebinding in --inspect via invalid octal IP (bsc#1205119, CVE-2022-43548)
Update to NodeJS 18.12.0 LTS:
- Running in 'watch' mode using node --watch restarts the process when an imported file is changed.
- fs: add FileHandle.prototype.readLines
- http: add writeEarlyHints function to ServerResponse
- http2: make early hints generic
- util: add default value option to parsearg
Update to NodeJS 18.11.0:
- added experimental watch mode -- running in 'watch' mode using node --watch restarts the process when an imported file is changed
- fs: add FileHandle.prototype.readLines
- http: add writeEarlyHints function to ServerResponse
- http2: make early hints generic
- lib: refactor transferable AbortSignal
- src: add detailed embedder process initialization API
- util: add default value option to parsearg
Update to NodeJS 18.10.0:
- deps: upgrade npm to 8.19.2
- http: throw error on content-length mismatch
- stream: add ReadableByteStream.tee()
Update to Nodejs 18.9.1:
-
deps: llhttp updated to 6.0.10
- CVE-2022-32213 bypass via obs-fold mechanic (bsc#1201325)
- Incorrect Parsing of Multi-line Transfer-Encoding (CVE-2022-32215, bsc#1201327)
- Incorrect Parsing of Header Fields (CVE-2022-35256, bsc#1203832)
-
crypto: fix weak randomness in WebCrypto keygen (CVE-2022-35255, bsc#1203831)
Update to Nodejs 18.9.0:
- lib - add diagnostics channel for process and worker
- os - add machine method
- report - expose report public native apis
- src - expose environment RequestInterrupt api
- vm - include vm context in the embedded snapshot
Changes in 18.8.0:
- bootstrap: implement run-time user-land snapshots via --build-snapshot and --snapshot-blob. See
- crypto:
- allow zero-length IKM in HKDF and in webcrypto PBKDF2
- allow zero-length secret KeyObject
- deps: upgrade npm to 8.18.0
- http: make idle http parser count configurable
- net: add local family
- src: print source map error source on demand
- tls: pass a valid socket on tlsClientError
Update to Nodejs 18.7.0:
- events: add CustomEvent
- http: add drop request event for http server
- lib: improved diagnostics_channel subscribe/unsubscribe
- util: add tokens to parseArgs
- enable crypto policy ciphers for TW and SLE15 SP4+ (bsc#1200303)
Update to Nodejs 18.6.0:
- Experimental ESM Loader Hooks API. For details see, https://nodejs.org/api/esm.html
- dns: export error code constants from dns/promises
- esm: add chaining to loaders
- http: add diagnostics channel for http client
- http: add perf_hooks detail for http request and client
- module: add isBuiltIn method
- net: add drop event for net server
- test_runner: expose describe and it
- v8: add v8.startupSnapshot utils
For details, see https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.6.0
Update to Nodejs 18.5.0:
- http: stricter Transfer-Encoding and header separator parsing (bsc#1201325, bsc#1201326, bsc#1201327, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215)
- src: fix IPv4 validation in inspector_socket (bsc#1201328, CVE-2022-32212)
For details, see https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.5.0
Update to Nodejs 18.4.0. For detailed changes see,
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.4.0
Initial packaging of Nodejs 18.2.0. For detailed changes since previous versions, see https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V18.md#18.2.0
Список пакетов
Container bci/node:18
Container bci/nodejs:latest
SUSE Linux Enterprise Module for Web and Scripting 15 SP4
openSUSE Leap 15.4
openSUSE Leap 15.5
Ссылки
- Link for SUSE-SU-2023:0419-1
- E-Mail link for SUSE-SU-2023:0419-1
- SUSE Security Ratings
- SUSE Bug 1200303
- SUSE Bug 1201325
- SUSE Bug 1201326
- SUSE Bug 1201327
- SUSE Bug 1201328
- SUSE Bug 1203831
- SUSE Bug 1203832
- SUSE Bug 1205042
- SUSE Bug 1205119
- SUSE Bug 1205236
- SUSE CVE CVE-2022-32212 page
- SUSE CVE CVE-2022-32213 page
- SUSE CVE CVE-2022-32214 page
- SUSE CVE CVE-2022-32215 page
- SUSE CVE CVE-2022-35255 page
- SUSE CVE CVE-2022-35256 page
- SUSE CVE CVE-2022-43548 page
Описание
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.
Затронутые продукты
Ссылки
- CVE-2022-32212
- SUSE Bug 1201328
Описание
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
Затронутые продукты
Ссылки
- CVE-2022-32213
- SUSE Bug 1201325
Описание
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
Затронутые продукты
Ссылки
- CVE-2022-32214
- SUSE Bug 1201326
Описание
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
Затронутые продукты
Ссылки
- CVE-2022-32215
- SUSE Bug 1201327
Описание
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.
Затронутые продукты
Ссылки
- CVE-2022-35255
- SUSE Bug 1203831
Описание
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
Затронутые продукты
Ссылки
- CVE-2022-35256
- SUSE Bug 1203832
Описание
A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.
Затронутые продукты
Ссылки
- CVE-2022-43548
- SUSE Bug 1205119