Description
Security update for nodejs20
This update for nodejs20 fixes the following issues:
- CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856)
Other fixes:
- Updated to 20.18.1:
  - Experimental Network Inspection Support in Node.js
  - Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext
  - New option for vm.createContext() to create a context with a freezable globalThis
  - buffer: optimize createFromString
- Changes in 20.17.0:
  - module: support require()ing synchronous ESM graphs
  - path: add matchesGlob method
  - stream: expose DuplexPair API
- Changes in 20.16.0:
  - process: add process.getBuiltinModule(id)
  - inspector: fix disable async hooks on Debugger.setAsyncCallStackDepth
  - buffer: add .bytes() method to Blob
Package list
SUSE Linux Enterprise Module for Web and Scripting 15 SP5
nodejs20-20.18.1-150500.11.15.1
nodejs20-devel-20.18.1-150500.11.15.1
nodejs20-docs-20.18.1-150500.11.15.1
npm20-20.18.1-150500.11.15.1
openSUSE Leap 15.5
corepack20-20.18.1-150500.11.15.1
nodejs20-20.18.1-150500.11.15.1
nodejs20-devel-20.18.1-150500.11.15.1
nodejs20-docs-20.18.1-150500.11.15.1
npm20-20.18.1-150500.11.15.1
References
- Link for SUSE-SU-2024:4300-1
- E-Mail link for SUSE-SU-2024:4300-1
- SUSE Security Ratings
- SUSE Bug 1233856
- SUSE CVE CVE-2024-21538 page
Description
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by supplying a very large, well-crafted string.
Affected products
SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs20-20.18.1-150500.11.15.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs20-devel-20.18.1-150500.11.15.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs20-docs-20.18.1-150500.11.15.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP5:npm20-20.18.1-150500.11.15.1
References
- CVE-2024-21538
- SUSE Bug 1233843