
7925 matches found

Fedora
added 2024/04/20 1:3 a.m. · 37 views

[SECURITY] Fedora 39 Update: nodejs20-20.12.2-1.fc39

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed...

8.2 CVSS · 6.5 AI score · 0.75933 EPSS
Exploits 1
Tenable Nessus
added 2024/04/20 12:0 a.m. · 29 views

SUSE SLES15 Security Update : nodejs14 (SUSE-SU-2024:1355-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1355-1 advisory. - The team has identified a vulnerability in the http server of the most recent version of Node, where malformed headers can lead t...

8.2 CVSS · 7.5 AI score · 0.75933 EPSS
Exploits 1 · References 7
Tenable Nessus
added 2024/04/20 12:0 a.m. · 30 views

Fedora 39 : nodejs20 (2024-e28ccc9c17)

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-e28ccc9c17 advisory. 2024-04-03, Version 20.12.1 'Iron' LTS, @RafaelGSS This is a security release Notable Changes CVE-2024-27983 - Assertion failed in...

8.2 CVSS · 7.4 AI score · 0.75933 EPSS
Exploits 1 · References 3
Tenable Nessus
added 2024/04/20 12:0 a.m. · 28 views

Fedora 39 : nodejs18 (2024-8d548b8c96)

The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-8d548b8c96 advisory. 2024-04-10, Version 18.20.2 'Hydrogen' LTS, @RafaelGSS This is a security release. Notable Changes CVE-2024-27980 - Command injection via args parameter of...

8.1 CVSS · 8.1 AI score · 0.00369 EPSS
Exploits 0 · References 2
Tenable Nessus
added 2024/04/20 12:0 a.m. · 43 views

Fedora 39 : llhttp / python-aiohttp / uxplay (2024-f83b123d63)

The remote Fedora 39 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2024-f83b123d63 advisory. Update llhttp to 9.2.1, fixing CVE-2024-27982. Additionally, llhttp 9.2.0 contained a number of bug fixes. Backport llhttp 9.2.1 support to python-aiohttp...

6.5 CVSS · 7 AI score · 0.00529 EPSS
Exploits 0 · References 2
Tenable Nessus
added 2024/04/20 12:0 a.m. · 25 views

Fedora 38 : llhttp / python-aiohttp / uxplay (2024-5dc487ee89)

The remote Fedora 38 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2024-5dc487ee89 advisory. Update llhttp to 9.2.1, fixing CVE-2024-27982. Additionally, llhttp 9.2.0 contained a number of bug fixes. Backport llhttp 9.2.1 support to python-aiohttp...

6.5 CVSS · 7 AI score · 0.00529 EPSS
Exploits 0 · References 2
Fedora
added 2024/04/19 9:44 p.m. · 38 views

[SECURITY] Fedora 40 Update: nodejs18-18.20.2-1.fc40

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed...

8.1 CVSS · 7.3 AI score · 0.00369 EPSS
Exploits 0
Fedora
added 2024/04/19 9:44 p.m. · 53 views

[SECURITY] Fedora 40 Update: nodejs20-20.12.2-1.fc40

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed...

8.2 CVSS · 7.3 AI score · 0.75933 EPSS
Exploits 1
Fedora
added 2024/04/19 9:41 p.m. · 32 views

[SECURITY] Fedora 40 Update: nodejs-undici-6.11.1-2.fc40

An HTTP/1.1 client, written from scratch for Node.js...

4.3 CVSS · 7.4 AI score · 0.00198 EPSS
Exploits 1
Hacker One
added 2024/04/19 7:48 p.m. · 25 views

Node.js: fs.fchown/fchmod bypasses permission model

A vulnerability was identified in Node.js that affected users of the experimental permission model when the --allow-fs-write flag was used. The vulnerability allowed operations such as fs.fchown or fs.fchmod to be used with a "read-only" file descriptor to change the owner and permissions of a...

3.3 CVSS · 5 AI score · 0.00126 EPSS
Exploits 0
NVD
added 2024/04/19 7:15 p.m. · 6 views

CVE-2024-32652

The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that @hono/node-server can't handle well. Invalid values are those that cannot be parsed by the URL as a hostname such as an empty...

7.5 CVSS · 7.5 AI score · 0.00523 EPSS
Exploits 1 · References 3
Cvelist
added 2024/04/19 6:29 p.m. · 13 views

CVE-2024-32652 @hono/node-server contains Denial of Service risk when receiving Host header that cannot be parsed

The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that @hono/node-server can't handle well. Invalid values are those that cannot be parsed by the URL as a hostname such as an empty...

7.5 CVSS · 7.7 AI score · 0.00523 EPSS
Exploits 1 · References 3
Vulnrichment
added 2024/04/19 6:29 p.m. · 15 views

CVE-2024-32652 @hono/node-server contains Denial of Service risk when receiving Host header that cannot be parsed

The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that @hono/node-server can't handle well. Invalid values are those that cannot be parsed by the URL as a hostname such as an empty...

7.5 CVSS · 7.5 AI score · 0.00523 EPSS
Exploits 1 · References 3
Tenable Nessus
added 2024/04/19 12:0 a.m. · 512 views

Oracle Java (Apr 2024 CPU)

The 8u401, 20.3.13, 21.3.9, 11.0.23, 17.0.10, 21.0.3, 22, and perf versions of Java installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2024 CPU advisory. - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java S...

8.8 CVSS · 6.9 AI score · 0.24165 EPSS
Exploits 3 · References 16
Tenable Nessus
added 2024/04/19 12:0 a.m. · 49 views

EulerOS Virtualization 2.10.1 : libssh2 (EulerOS-SA-2024-1548)

According to the versions of the libssh2 package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attacke...

5.9 CVSS · 7.1 AI score · 0.51662 EPSS
Exploits 4 · References 2
Positive Technologies
added 2024/04/19 12:0 a.m. · 2 views

PT-2024-5137 · Node.Js +1

Name of the Vulnerable Software and Affected Versions: Node.js affected versions not specified Description: The issue is related to the Permission Model in Node.js, which incorrectly assumes that any path starting with two backslashes has a four-character prefix that can be ignored. This subtle b...

8.1 CVSS · 5.8 AI score · 0.00369 EPSS
Exploits 0 · References 57
Tenable Nessus
added 2024/04/19 12:0 a.m. · 66 views

Node.js 18.x < 18.20.2 / 20.x < 20.12.2 / 21.x < 21.7.3 Multiple Vulnerabilities (Wednesday, April 10, 2024 Security Releases).

The version of Node.js installed on the remote host is prior to 18.20.2, 20.12.2, 21.7.3. It is, therefore, affected by multiple vulnerabilities as referenced in the Wednesday, April 10, 2024 Security Releases advisory. - Due to the improper handling of batch files in child_process.spawn /...

7.3 AI score · 0.00369 EPSS
Exploits 0 · References 2
Tenable Nessus
added 2024/04/19 12:0 a.m. · 65 views

Node.js 18.x < 18.20.2 / 20.x < 20.12.2 / 21.x < 21.7.3 Command Injection Vulnerability (Wednesday, April 10, 2024 Security Releases).

The version of Node.js installed on the remote host is prior to 18.20.2, 20.12.2, 21.7.3. It is, therefore, affected by a command injection vulnerability as referenced in the Wednesday, April 10, 2024 Security Releases advisory. This is due to the improper handling of batch files in...

8.1 CVSS · 8.9 AI score · 0.00369 EPSS
Exploits 0 · References 2
Positive Technologies
added 2024/04/19 12:0 a.m. · 3 views

PT-2024-5138

Name of the Vulnerable Software and Affected Versions: Node.js affected versions not specified Description: A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on...

8.7 CVSS · 6.7 AI score · 0.0082 EPSS
Exploits 1 · References 99
RedHat Linux
added 2024/04/18 2:16 a.m. · 0 views

nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks

A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of...

7.5 CVSS · 7.1 AI score · 0.0038 EPSS
Exploits 0 · References 4