Описание
Security update for nodejs18
This update for nodejs18 fixes the following issues:
Update to 18.20.1
Security fixes:
- CVE-2024-27983: Fixed failed assertion in node::http2::Http2Session::~Http2Session() that could lead to HTTP/2 server crash (bsc#1222244)
- CVE-2024-27982: Fixed HTTP Request Smuggling via Content Length Obfuscation (bsc#1222384)
- CVE-2024-30260: Fixed proxy-authorization header not cleared on cross-origin redirect in undici (bsc#1222530)
- CVE-2024-30261: Fixed fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect in undici (bsc#1222603)
- CVE-2024-24806: Fixed improper domain lookup that potentially leads to SSRF attacks in libuv (bsc#1220053)
Список пакетов
Container bci/node:18
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
SUSE Linux Enterprise Module for Web and Scripting 15 SP5
SUSE Linux Enterprise Server 15 SP4-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE Manager Server 4.3
openSUSE Leap 15.5
Ссылки
- Link for SUSE-SU-2024:1309-1
- E-Mail link for SUSE-SU-2024:1309-1
- SUSE Security Ratings
- SUSE Bug 1220053
- SUSE Bug 1222244
- SUSE Bug 1222384
- SUSE Bug 1222530
- SUSE Bug 1222603
- SUSE CVE CVE-2024-24806 page
- SUSE CVE CVE-2024-27982 page
- SUSE CVE CVE-2024-27983 page
- SUSE CVE CVE-2024-30260 page
- SUSE CVE CVE-2024-30261 page
Описание
libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like `0x00007f000001`, which are considered valid by `getaddrinfo` and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises due to how the `hostname_ascii` variable (with a length of 256 bytes) is handled in `uv_getaddrinfo` and subsequently in `uv__idna_toascii`. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result attackers may be able to access internal APIs or for websites (similar to MySpace) that allows users to have `username.example.com` pages. Internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username. This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Затронутые продукты
Ссылки
- CVE-2024-24806
- SUSE Bug 1219724
- SUSE Bug 1220056
Описание
The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
Затронутые продукты
Ссылки
- CVE-2024-27982
- SUSE Bug 1222384
Описание
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
Затронутые продукты
Ссылки
- CVE-2024-27983
- SUSE Bug 1222244
Описание
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Затронутые продукты
Ссылки
- CVE-2024-30260
- SUSE Bug 1222530
Описание
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
Затронутые продукты
Ссылки
- CVE-2024-30261
- SUSE Bug 1222603