Описание
Security update for nodejs12
This update for nodejs12 fixes the following issues:
- nodejs12 was updated to 12.18.4 LTS:
- CVE-2020-8201: Fixed an HTTP Request Smuggling due to CR-to-Hyphen conversion (bsc#1176605).
- CVE-2020-8252: Fixed a buffer overflow in realpath (bsc#1176589).
- CVE-2020-15095: Fixed an information leak through log files (bsc#1173937).
- Explicitly add -fno-strict-aliasing to CFLAGS to fix compilation on Aarch64 with gcc10 (bsc#1172686)
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Список пакетов
openSUSE Leap 15.2
Ссылки
- E-Mail link for openSUSE-SU-2020:1616-1
- SUSE Security Ratings
- SUSE Bug 1172686
- SUSE Bug 1173937
- SUSE Bug 1176589
- SUSE Bug 1176605
- SUSE CVE CVE-2020-15095 page
- SUSE CVE CVE-2020-8201 page
- SUSE CVE CVE-2020-8252 page
Описание
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files.
Затронутые продукты
Ссылки
- CVE-2020-15095
- SUSE Bug 1173937
Описание
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.
Затронутые продукты
Ссылки
- CVE-2020-8201
- SUSE Bug 1176605
Описание
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
Затронутые продукты
Ссылки
- CVE-2020-8252
- SUSE Bug 1176589