openSUSE-SU-2021:1060-1

Published: 19 Jul 2021
Source: suse-cvrf

Description

Security update for nodejs14

This update for nodejs14 fixes the following issues:

Update nodejs14 to 14.17.2.

Including fixes for:

  • CVE-2021-22918: libuv upgrade - Out of bounds read (bsc#1187973)
  • CVE-2021-27290: ssri Regular Expression Denial of Service (bsc#1187976)
  • CVE-2021-23362: hosted-git-info Regular Expression Denial of Service (bsc#1187977)
  • CVE-2020-7774: y18n Prototype Pollution (bsc#1184450)

This update was imported from the SUSE:SLE-15-SP2:Update update project.

Package list

openSUSE Leap 15.2
nodejs14-14.17.2-lp152.11.1
nodejs14-devel-14.17.2-lp152.11.1
nodejs14-docs-14.17.2-lp152.11.1
npm14-14.17.2-lp152.11.1

Description (CVE-2020-7774)

The package y18n before 3.2.2, 4.0.1 and 5.0.5 is vulnerable to Prototype Pollution.


Affected products
openSUSE Leap 15.2:nodejs14-14.17.2-lp152.11.1
openSUSE Leap 15.2:nodejs14-devel-14.17.2-lp152.11.1
openSUSE Leap 15.2:nodejs14-docs-14.17.2-lp152.11.1
openSUSE Leap 15.2:npm14-14.17.2-lp152.11.1

References

Description (CVE-2021-22918)

Node.js before 16.4.1, 14.17.2 and 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and advanced without checking whether it has reached pe, which holds a pointer to the end of the buffer. This can lead to information disclosure or crashes. The function can be reached via uv_getaddrinfo().
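A constructed illustration of the bug class described above, added here and not libuv's code: a label scanner that advances p without comparing it against pe, beside the hardened form that guards every read with p < pe. The backing buffer, function names and the logical end offset are assumptions made for the demonstration.

```c
/* Constructed example (not libuv's code): a '.'-delimited label scanner
 * with the CVE-2021-22918 defect, next to the hardened form. */
#include <stddef.h>

/* Defective scan: stops only at '.' or NUL and never consults pe, so a
 * buffer that is not terminated within [p, pe) is read past its end. */
static size_t label_len_unchecked(const char *p, const char *pe) {
  const char *start = p;
  (void) pe;                     /* the defect: pe is never checked */
  while (*p != '.' && *p != '\0')
    p++;
  return (size_t) (p - start);
}

/* Hardened scan: every dereference of p is guarded by p < pe, so the
 * scanner can never read beyond the caller's buffer. */
static size_t label_len_checked(const char *p, const char *pe) {
  const char *start = p;
  while (p < pe && *p != '.')
    p++;
  return (size_t) (p - start);
}

/* Demo harness (constructed): the caller's logical input is the first
 * 3 bytes of a larger backing array, so the over-read is observable
 * without undefined behaviour. Bytes after index 3 are "beyond pe". */
#define BACKING "abcXYZ."

size_t demo_unchecked(void) {
  const char *p = BACKING;
  return label_len_unchecked(p, p + 3);  /* returns 6: ran past pe */
}

size_t demo_checked(void) {
  const char *p = BACKING;
  return label_len_checked(p, p + 3);    /* returns 3: stopped at pe */
}
```

The unchecked variant reports a label three bytes longer than the caller's buffer, which is exactly the information-disclosure path the advisory describes; the checked variant stops at pe.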


Affected products
openSUSE Leap 15.2:nodejs14-14.17.2-lp152.11.1
openSUSE Leap 15.2:nodejs14-devel-14.17.2-lp152.11.1
openSUSE Leap 15.2:nodejs14-docs-14.17.2-lp152.11.1
openSUSE Leap 15.2:npm14-14.17.2-lp152.11.1

References

Description (CVE-2021-23362)

The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.


Affected products
openSUSE Leap 15.2:nodejs14-14.17.2-lp152.11.1
openSUSE Leap 15.2:nodejs14-devel-14.17.2-lp152.11.1
openSUSE Leap 15.2:nodejs14-docs-14.17.2-lp152.11.1
openSUSE Leap 15.2:npm14-14.17.2-lp152.11.1

References

Description (CVE-2021-27290)

ssri 5.2.2 through 8.0.0, fixed in 8.0.1, processes SRIs using a regular expression that is vulnerable to denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.


Affected products
openSUSE Leap 15.2:nodejs14-14.17.2-lp152.11.1
openSUSE Leap 15.2:nodejs14-devel-14.17.2-lp152.11.1
openSUSE Leap 15.2:nodejs14-docs-14.17.2-lp152.11.1
openSUSE Leap 15.2:npm14-14.17.2-lp152.11.1

References
Vulnerability openSUSE-SU-2021:1060-1