Lucene search
SuseOPENSUSE-SU-2021:3964-1HistoryDec 07, 2021 - 12:00 a.m.
Security update for nodejs14 (important)
2021-12-0700:00:00
lists.opensuse.org
16
8.6 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
An update that fixes 7 vulnerabilities is now available.
Description:
This update for nodejs14 fixes the following issues:
nodejs14 was updated to 14.18.1:
-
deps: update llhttp to 2.1.4
- HTTP Request Smuggling due to spaced in headers (bsc#1191601,
CVE-2021-22959) - HTTP Request Smuggling when parsing the body (bsc#1191602,
CVE-2021-22960)
- HTTP Request Smuggling due to spaced in headers (bsc#1191601,
Changes in 14.18.0:
* buffer:
+ introduce Blob
+ add base64url encoding option
* child_process:
+ allow options.cwd receive a URL
+ add timeout to spawn and fork
+ allow promisified exec to be cancel
+ add 'overlapped' stdio flag
* dns: add "tries" option to Resolve options
* fs:
+ allow empty string for temp directory prefix
+ allow no-params fsPromises fileHandle read
+ add support for async iterators to fsPromises.writeFile
* http2: add support for sensitive headers
* process: add 'worker' event
* tls: allow reading data into a static buffer
* worker: add setEnvironmentData/getEnvironmentData
Changes in 14.17.6
* deps: upgrade npm to 6.14.15 which fixes a number of security issues
(bsc#1190057, CVE-2021-37701, bsc#1190056, CVE-2021-37712,
bsc#1190055, CVE-2021-37713, bsc#1190054, CVE-2021-39134, bsc#1190053,
CVE-2021-39135)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:
-
openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-3964=1
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| openSUSE Leap | 15.3 | aarch64 | < - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): | - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):.aarch64.rpm | |
| openSUSE Leap | 15.3 | ppc64le | < - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): | - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):.ppc64le.rpm | |
| openSUSE Leap | 15.3 | s390x | < - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): | - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):.s390x.rpm | |
| openSUSE Leap | 15.3 | x86_64 | < - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): | - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):.x86_64.rpm | |
| openSUSE Leap | 15.3 | noarch | < - openSUSE Leap 15.3 (noarch): | - openSUSE Leap 15.3 (noarch):.noarch.rpm |
Related
nessus
nessus
SUSE SLES15 Security Update : nodejs14 (SUSE-SU-2021:3964-1)
2021-12-08 00:00:00
openSUSE 15 Security Update : nodejs12 (openSUSE-SU-2021:1574-1)
2021-12-17 00:00:00
SUSE SLES15 Security Update : nodejs12 (SUSE-SU-2021:3940-1)
2021-12-07 00:00:00
suse
suse
Security update for nodejs14 (important)
2021-12-10 00:00:00
Security update for nodejs12 (important)
2021-12-06 00:00:00
Security update for nodejs12 (important)
2021-12-12 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2021:3964-1)
2021-12-07 00:00:00
openSUSE: Security Advisory for nodejs14 (openSUSE-SU-2021:3964-1)
2021-12-08 00:00:00
openSUSE: Security Advisory for nodejs14 (openSUSE-SU-2021:1552-1)
2022-02-08 00:00:00
ibm
ibm
Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Rational Application Developer for WebSphere Software included in Rational Developer for i
2021-12-12 19:49:25
altlinux
altlinux
Security fix for the ALT Linux 10 package node version 14.17.6-alt1
2021-09-01 00:00:00
Security fix for the ALT Linux 10 package node version 14.18.2-alt1
2021-12-23 00:00:00
nodejsblog
nodejsblog
August 31 2021 Security Releases
2021-08-31 00:00:00
October 12th 2021 Security Releases
2021-10-12 00:00:00
freebsd
freebsd
Node.js -- August 2021 Security Releases (2)
2021-08-31 00:00:00
Node.js -- October 2021 Security Releases
2021-10-12 00:00:00
github
github
GitHub security update: Vulnerabilities in tar and @npmcli/arborist
2021-09-08 16:00:32
@npmcli/arborist vulnerable to UNIX Symbolic Link (Symlink) Following
2021-08-31 16:04:03
redhat
redhat
mageia
mageia
Updated nodejs packages fix security vulnerability
2021-10-06 22:41:56
Updated nodejs packages fix security vulnerability
2021-12-30 19:41:51
Updated nodejs-tar packages fix security vulnerability
2022-03-21 23:18:30
debian
debian
[SECURITY] [DSA 5008-1] node-tar security update
2021-11-11 21:57:59
[SECURITY] [DLA 3237-1] node-tar security update
2022-12-12 14:15:54
[SECURITY] [DSA 5170-1] nodejs security update
2022-06-27 18:43:09
osv
osv
node-tar - security update
2022-12-12 00:00:00
node-tar - security update
2021-11-11 00:00:00
Moderate: nodejs:14 security, bug fix, and enhancement update
2022-02-01 20:08:39
fedora
fedora
[SECURITY] Fedora 35 Update: nodejs-16.11.1-1.fc35
2021-10-29 23:27:03
[SECURITY] Fedora 33 Update: nodejs-14.18.1-1.fc33
2021-10-23 03:25:54
[SECURITY] Fedora 34 Update: nodejs-14.18.1-1.fc34
2021-10-23 03:22:47
archlinux
archlinux
[ASA-202110-4] nodejs: url request injection
2021-10-21 00:00:00
[ASA-202110-6] nodejs-lts-erbium: multiple issues
2021-10-21 00:00:00
[ASA-202110-5] nodejs-lts-fermium: multiple issues
2021-10-21 00:00:00
almalinux
almalinux
Moderate: nodejs:14 security, bug fix, and enhancement update
2022-02-01 20:08:39
Moderate: nodejs:16 security, bug fix, and enhancement update
2021-12-15 19:09:29
oraclelinux
oraclelinux
nodejs:14 security, bug fix, and enhancement update
2022-02-02 00:00:00
nodejs:16 security, bug fix, and enhancement update
2021-12-16 00:00:00
rocky
rocky
nodejs:14 security, bug fix, and enhancement update
2022-02-01 20:08:39
12 bug fix and enhancement update
2022-06-21 11:47:44
nodejs:16 security, bug fix, and enhancement update
2021-12-15 19:09:29
cve
cve
veracode
veracode
Remote Code Execution (RCE)
2021-09-01 02:04:46
Remote Code Execution (RCE)
2021-09-01 03:51:53
Remote Code Execution (RCE)
2021-09-01 02:58:46
prion
prion
Design/Logic Flaw
2021-08-31 17:15:00
Remote code execution
2021-08-31 17:15:00
Code injection
2021-08-31 17:15:00
ubuntucve
ubuntucve
debiancve
debiancve
alpinelinux
alpinelinux
nodejs
nodejs
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
2021-08-31 16:10:27
UNIX Symbolic Link (Symlink) Following
2021-08-31 16:14:40
UNIX Symbolic Link (Symlink) Following
2021-08-31 16:14:31
redhatcve
redhatcve
hackerone
hackerone
Node.js: HTTP Request Smuggling due to accepting space before colon
2021-06-20 11:10:00
Node.js: HTTP Request Smuggling due to ignoring chunk extensions
2021-06-19 08:43:05
8.6 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
Related for OPENSUSE-SU-2021:3964-1