Description
Security update for nodejs14
This update for nodejs14 fixes the following issues:
Update nodejs14 to 14.17.2.
Including fixes for:
- CVE-2021-22918: libuv upgrade - Out of bounds read (bsc#1187973)
- CVE-2021-27290: ssri Regular Expression Denial of Service (bsc#1187976)
- CVE-2021-23362: hosted-git-info Regular Expression Denial of Service (bsc#1187977)
- CVE-2020-7774: y18n Prototype Pollution (bsc#1184450)
Package list
openSUSE Leap 15.3
References
- E-Mail link for openSUSE-SU-2021:2354-1
- SUSE Security Ratings
- SUSE Bug 1184450
- SUSE Bug 1187973
- SUSE Bug 1187976
- SUSE Bug 1187977
- SUSE CVE CVE-2020-7774 page
- SUSE CVE CVE-2021-22918 page
- SUSE CVE CVE-2021-23362 page
- SUSE CVE CVE-2021-27290 page
Description
The package y18n before 3.2.2, 4.0.1 and 5.0.5 is vulnerable to Prototype Pollution.
Affected products
References
- CVE-2020-7774
- SUSE Bug 1184450
Description
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().
Affected products
References
- CVE-2021-22918
- SUSE Bug 1187973
Description
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
Affected products
References
- CVE-2021-23362
- SUSE Bug 1187977
Description
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
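The ssri entry above describes a ReDoS in strict-mode SRI validation. As an added example (not ssri's own code), the following is a strict Subresource Integrity parser written as a single linear scan rather than a backtracking regular expression, so validation cost stays proportional to input length. The token shape follows the W3C SRI grammar; the algorithm set and base64 digest lengths are assumptions of this example.

```javascript
// Added example, not ssri's own code: a strict SRI parser that validates each
// "algorithm-base64digest[?option]*" token with one linear scan instead of a
// backtracking regular expression, so a crafted integrity string cannot push
// validation into super-linear time. Token shape follows the W3C SRI grammar;
// the three standard algorithms and their base64 digest lengths are assumed.
const DIGEST_LEN = new Map([["sha256", 44], ["sha384", 64], ["sha512", 88]]);

function isBase64Char(ch) {
  return (ch >= "A" && ch <= "Z") || (ch >= "a" && ch <= "z") ||
         (ch >= "0" && ch <= "9") || ch === "+" || ch === "/";
}

// Returns { algorithm, digest, options } or null. Each loop visits every
// character at most once, so the cost is O(token.length) for any input.
function parseSriToken(token) {
  const dash = token.indexOf("-");
  if (dash <= 0) return null;
  const algorithm = token.slice(0, dash).toLowerCase();
  const expectedLen = DIGEST_LEN.get(algorithm);
  if (expectedLen === undefined) return null;
  const q = token.indexOf("?", dash + 1);
  const digest = q === -1 ? token.slice(dash + 1) : token.slice(dash + 1, q);
  if (digest.length !== expectedLen) return null;
  let padding = 0;
  for (const ch of digest) {
    if (ch === "=") padding++;                       // '=' only as trailing padding
    else if (padding > 0 || !isBase64Char(ch)) return null;
  }
  if (padding > 2) return null;
  const options = [];
  if (q !== -1) {
    // Option expressions are "?"-separated; the grammar permits empty ones.
    for (const opt of token.slice(q + 1).split("?")) {
      for (const ch of opt) {                        // VCHAR only (0x21..0x7E)
        const code = ch.charCodeAt(0);
        if (code < 0x21 || code > 0x7e) return null;
      }
      options.push(opt);
    }
  }
  return { algorithm, digest, options };
}

// Strict mode: every whitespace-separated token must parse, otherwise the
// whole integrity value is rejected, which is what a strict consumer wants.
function parseSriStrict(value) {
  const parsed = value.trim().split(/\s+/).map(parseSriToken);
  return parsed.every((t) => t !== null) ? parsed : null;
}
```

The digest check only validates base64 shape and length; comparing the digest against the fetched resource is a separate step.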
Affected products
References
- CVE-2021-27290
- SUSE Bug 1187976