Security update for nodejs16 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:3615-1 Final 1 1 2022-10-18T11:05:57Z current 2022-10-18T11:05:57Z 2022-10-18T11:05:57Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs16 This update for nodejs16 fixes the following issues: Updated to version 16.17.1: - CVE-2022-32213: Fixed bypass via obs-fold mechanic (bsc#1201325). - CVE-2022-32215: Fixed incorrect Parsing of Multi-line Transfer-Encoding (bsc#1201327). - CVE-2022-35256: Fixed incorrect Parsing of Header Fields (bsc#1203832). - CVE-2022-35255: FIxed weak randomness in WebCrypto keygen (bsc#1203831). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-3615,SUSE-SLE-Module-Web-Scripting-15-SP3-2022-3615,openSUSE-SLE-15.3-2022-3615 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20223615-1/ Link for SUSE-SU-2022:3615-1 https://lists.suse.com/pipermail/sle-security-updates/2022-October/012560.html E-Mail link for SUSE-SU-2022:3615-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1201325 SUSE Bug 1201325 https://bugzilla.suse.com/1201327 SUSE Bug 1201327 https://bugzilla.suse.com/1203831 SUSE Bug 1203831 https://bugzilla.suse.com/1203832 SUSE Bug 1203832 https://www.suse.com/security/cve/CVE-2022-32213/ SUSE CVE CVE-2022-32213 page https://www.suse.com/security/cve/CVE-2022-32215/ SUSE CVE CVE-2022-32215 page https://www.suse.com/security/cve/CVE-2022-35255/ SUSE CVE CVE-2022-35255 page https://www.suse.com/security/cve/CVE-2022-35256/ SUSE CVE CVE-2022-35256 page SUSE Linux Enterprise Module for Web and Scripting 15 SP3 openSUSE Leap 15.3 corepack16-16.17.1-150300.7.12.1 nodejs16-16.17.1-150300.7.12.1 nodejs16-devel-16.17.1-150300.7.12.1 nodejs16-docs-16.17.1-150300.7.12.1 npm16-16.17.1-150300.7.12.1 nodejs16-16.17.1-150300.7.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP3 nodejs16-devel-16.17.1-150300.7.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP3 nodejs16-docs-16.17.1-150300.7.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP3 npm16-16.17.1-150300.7.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP3 nodejs16-16.17.1-150300.7.12.1 as a component of openSUSE Leap 15.3 nodejs16-devel-16.17.1-150300.7.12.1 as a component of openSUSE Leap 15.3 nodejs16-docs-16.17.1-150300.7.12.1 as a component of openSUSE Leap 15.3 npm16-16.17.1-150300.7.12.1 as a component of openSUSE Leap 15.3 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). CVE-2022-32213 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16-16.17.1-150300.7.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16-devel-16.17.1-150300.7.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16-docs-16.17.1-150300.7.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:npm16-16.17.1-150300.7.12.1 openSUSE Leap 15.3:nodejs16-16.17.1-150300.7.12.1 openSUSE Leap 15.3:nodejs16-devel-16.17.1-150300.7.12.1 openSUSE Leap 15.3:nodejs16-docs-16.17.1-150300.7.12.1 openSUSE Leap 15.3:npm16-16.17.1-150300.7.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223615-1/ https://www.suse.com/security/cve/CVE-2022-32213.html CVE-2022-32213 https://bugzilla.suse.com/1201325 SUSE Bug 1201325 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). CVE-2022-32215 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16-16.17.1-150300.7.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16-devel-16.17.1-150300.7.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16-docs-16.17.1-150300.7.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:npm16-16.17.1-150300.7.12.1 openSUSE Leap 15.3:nodejs16-16.17.1-150300.7.12.1 openSUSE Leap 15.3:nodejs16-devel-16.17.1-150300.7.12.1 openSUSE Leap 15.3:nodejs16-docs-16.17.1-150300.7.12.1 openSUSE Leap 15.3:npm16-16.17.1-150300.7.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223615-1/ https://www.suse.com/security/cve/CVE-2022-32215.html CVE-2022-32215 https://bugzilla.suse.com/1201327 SUSE Bug 1201327 A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material. CVE-2022-35255 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16-16.17.1-150300.7.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16-devel-16.17.1-150300.7.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16-docs-16.17.1-150300.7.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:npm16-16.17.1-150300.7.12.1 openSUSE Leap 15.3:nodejs16-16.17.1-150300.7.12.1 openSUSE Leap 15.3:nodejs16-devel-16.17.1-150300.7.12.1 openSUSE Leap 15.3:nodejs16-docs-16.17.1-150300.7.12.1 openSUSE Leap 15.3:npm16-16.17.1-150300.7.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223615-1/ https://www.suse.com/security/cve/CVE-2022-35255.html CVE-2022-35255 https://bugzilla.suse.com/1203831 SUSE Bug 1203831 The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling. CVE-2022-35256 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16-16.17.1-150300.7.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16-devel-16.17.1-150300.7.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:nodejs16-docs-16.17.1-150300.7.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP3:npm16-16.17.1-150300.7.12.1 openSUSE Leap 15.3:nodejs16-16.17.1-150300.7.12.1 openSUSE Leap 15.3:nodejs16-devel-16.17.1-150300.7.12.1 openSUSE Leap 15.3:nodejs16-docs-16.17.1-150300.7.12.1 openSUSE Leap 15.3:npm16-16.17.1-150300.7.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223615-1/ https://www.suse.com/security/cve/CVE-2022-35256.html CVE-2022-35256 https://bugzilla.suse.com/1203832 SUSE Bug 1203832