Описание
Security update for nodejs16
This update for nodejs16 fixes the following issues:
- CVE-2024-27983: Fixed failed assertion in node::http2::Http2Session::~Http2Session() that could lead to HTTP/2 server crash (bsc#1222244)
- CVE-2024-27982: Fixed HTTP Request Smuggling via Content Length Obfuscation (bsc#1222384)
Список пакетов
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
SUSE Linux Enterprise Server 15 SP4-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE Manager Server 4.3
Ссылки
- Link for SUSE-SU-2024:1308-1
- E-Mail link for SUSE-SU-2024:1308-1
- SUSE Security Ratings
- SUSE Bug 1222244
- SUSE Bug 1222384
- SUSE CVE CVE-2024-27982 page
- SUSE CVE CVE-2024-27983 page
Описание
The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
Затронутые продукты
Ссылки
- CVE-2024-27982
- SUSE Bug 1222384
Описание
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
Затронутые продукты
Ссылки
- CVE-2024-27983
- SUSE Bug 1222244