Security update for nodejs8 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0802-1 Final 1 1 2020-06-12T18:17:49Z current 2020-06-12T18:17:49Z 2020-06-12T18:17:49Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs8 This update for nodejs8 fixes the following issues: - CVE-2020-8174: Fixed multiple memory corruption in napi_get_value_string_*() (bsc#1172443). - CVE-2020-11080: Fixed a potential denial of service when receiving unreasonably large HTTP/2 SETTINGS frames (bsc#1172442). - CVE-2020-7598: Fixed an issue which could have tricked minimist into adding or modifying properties of Object.prototype (bsc#1166916). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-802 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RQM2VNI6BXE7OOJSD4OI2KDH2ZTRUUCD/ E-Mail link for openSUSE-SU-2020:0802-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1166916 SUSE Bug 1166916 https://bugzilla.suse.com/1172442 SUSE Bug 1172442 https://bugzilla.suse.com/1172443 SUSE Bug 1172443 https://www.suse.com/security/cve/CVE-2020-11080/ SUSE CVE CVE-2020-11080 page https://www.suse.com/security/cve/CVE-2020-7598/ SUSE CVE CVE-2020-7598 page https://www.suse.com/security/cve/CVE-2020-8174/ SUSE CVE CVE-2020-8174 page openSUSE Leap 15.1 nodejs8-8.17.0-lp151.2.15.1 nodejs8-devel-8.17.0-lp151.2.15.1 nodejs8-docs-8.17.0-lp151.2.15.1 npm8-8.17.0-lp151.2.15.1 nodejs8-8.17.0-lp151.2.15.1 as a component of openSUSE Leap 15.1 nodejs8-devel-8.17.0-lp151.2.15.1 as a component of openSUSE Leap 15.1 nodejs8-docs-8.17.0-lp151.2.15.1 as a component of openSUSE Leap 15.1 npm8-8.17.0-lp151.2.15.1 as a component of openSUSE Leap 15.1 In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection. CVE-2020-11080 openSUSE Leap 15.1:nodejs8-8.17.0-lp151.2.15.1 openSUSE Leap 15.1:nodejs8-devel-8.17.0-lp151.2.15.1 openSUSE Leap 15.1:nodejs8-docs-8.17.0-lp151.2.15.1 openSUSE Leap 15.1:npm8-8.17.0-lp151.2.15.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RQM2VNI6BXE7OOJSD4OI2KDH2ZTRUUCD/ https://www.suse.com/security/cve/CVE-2020-11080.html CVE-2020-11080 https://bugzilla.suse.com/1172441 SUSE Bug 1172441 https://bugzilla.suse.com/1172442 SUSE Bug 1172442 https://bugzilla.suse.com/1181358 SUSE Bug 1181358 minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload. CVE-2020-7598 openSUSE Leap 15.1:nodejs8-8.17.0-lp151.2.15.1 openSUSE Leap 15.1:nodejs8-devel-8.17.0-lp151.2.15.1 openSUSE Leap 15.1:nodejs8-docs-8.17.0-lp151.2.15.1 openSUSE Leap 15.1:npm8-8.17.0-lp151.2.15.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RQM2VNI6BXE7OOJSD4OI2KDH2ZTRUUCD/ https://www.suse.com/security/cve/CVE-2020-7598.html CVE-2020-7598 https://bugzilla.suse.com/1166916 SUSE Bug 1166916 napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0. CVE-2020-8174 openSUSE Leap 15.1:nodejs8-8.17.0-lp151.2.15.1 openSUSE Leap 15.1:nodejs8-devel-8.17.0-lp151.2.15.1 openSUSE Leap 15.1:nodejs8-docs-8.17.0-lp151.2.15.1 openSUSE Leap 15.1:npm8-8.17.0-lp151.2.15.1 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RQM2VNI6BXE7OOJSD4OI2KDH2ZTRUUCD/ https://www.suse.com/security/cve/CVE-2020-8174.html CVE-2020-8174 https://bugzilla.suse.com/1172443 SUSE Bug 1172443