Security update for nodejs14 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:2354-1 Final 1 1 2021-07-15T13:19:02Z current 2021-07-15T13:19:02Z 2021-07-15T13:19:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs14 This update for nodejs14 fixes the following issues: Update nodejs14 to 14.17.2. Including fixes for: - CVE-2021-22918: libuv upgrade - Out of bounds read (bsc#1187973) - CVE-2021-27290: ssri Regular Expression Denial of Service (bsc#1187976) - CVE-2021-23362: hosted-git-info Regular Expression Denial of Service (bsc#1187977) - CVE-2020-7774: y18n Prototype Pollution (bsc#1184450) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-SLE-15.3-2021-2354 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DYHLAI3M6J7NTEFF5DUEXHFHPTDMGRCD/ E-Mail link for openSUSE-SU-2021:2354-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1184450 SUSE Bug 1184450 https://bugzilla.suse.com/1187973 SUSE Bug 1187973 https://bugzilla.suse.com/1187976 SUSE Bug 1187976 https://bugzilla.suse.com/1187977 SUSE Bug 1187977 https://www.suse.com/security/cve/CVE-2020-7774/ SUSE CVE CVE-2020-7774 page https://www.suse.com/security/cve/CVE-2021-22918/ SUSE CVE CVE-2021-22918 page https://www.suse.com/security/cve/CVE-2021-23362/ SUSE CVE CVE-2021-23362 page https://www.suse.com/security/cve/CVE-2021-27290/ SUSE CVE CVE-2021-27290 page openSUSE Leap 15.3 nodejs14-14.17.2-5.12.1 nodejs14-devel-14.17.2-5.12.1 nodejs14-docs-14.17.2-5.12.1 npm14-14.17.2-5.12.1 nodejs14-14.17.2-5.12.1 as a component of openSUSE Leap 15.3 nodejs14-devel-14.17.2-5.12.1 as a component of openSUSE Leap 15.3 nodejs14-docs-14.17.2-5.12.1 as a component of openSUSE Leap 15.3 npm14-14.17.2-5.12.1 as a component of openSUSE Leap 15.3 The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution. CVE-2020-7774 openSUSE Leap 15.3:nodejs14-14.17.2-5.12.1 openSUSE Leap 15.3:nodejs14-devel-14.17.2-5.12.1 openSUSE Leap 15.3:nodejs14-docs-14.17.2-5.12.1 openSUSE Leap 15.3:npm14-14.17.2-5.12.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DYHLAI3M6J7NTEFF5DUEXHFHPTDMGRCD/ https://www.suse.com/security/cve/CVE-2020-7774.html CVE-2020-7774 https://bugzilla.suse.com/1184450 SUSE Bug 1184450 Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo(). CVE-2021-22918 openSUSE Leap 15.3:nodejs14-14.17.2-5.12.1 openSUSE Leap 15.3:nodejs14-devel-14.17.2-5.12.1 openSUSE Leap 15.3:nodejs14-docs-14.17.2-5.12.1 openSUSE Leap 15.3:npm14-14.17.2-5.12.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DYHLAI3M6J7NTEFF5DUEXHFHPTDMGRCD/ https://www.suse.com/security/cve/CVE-2021-22918.html CVE-2021-22918 https://bugzilla.suse.com/1187973 SUSE Bug 1187973 The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity. CVE-2021-23362 openSUSE Leap 15.3:nodejs14-14.17.2-5.12.1 openSUSE Leap 15.3:nodejs14-devel-14.17.2-5.12.1 openSUSE Leap 15.3:nodejs14-docs-14.17.2-5.12.1 openSUSE Leap 15.3:npm14-14.17.2-5.12.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DYHLAI3M6J7NTEFF5DUEXHFHPTDMGRCD/ https://www.suse.com/security/cve/CVE-2021-23362.html CVE-2021-23362 https://bugzilla.suse.com/1187977 SUSE Bug 1187977 ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option. CVE-2021-27290 openSUSE Leap 15.3:nodejs14-14.17.2-5.12.1 openSUSE Leap 15.3:nodejs14-devel-14.17.2-5.12.1 openSUSE Leap 15.3:nodejs14-docs-14.17.2-5.12.1 openSUSE Leap 15.3:npm14-14.17.2-5.12.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DYHLAI3M6J7NTEFF5DUEXHFHPTDMGRCD/ https://www.suse.com/security/cve/CVE-2021-27290.html CVE-2021-27290 https://bugzilla.suse.com/1187976 SUSE Bug 1187976