Security update for nodejs12 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:4373-1 Final 1 1 2023-11-06T09:50:04Z current 2023-11-06T09:50:04Z 2023-11-06T09:50:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs12 This update for nodejs12 fixes the following issues: - CVE-2023-44487: Fixed the Rapid Reset attack in nghttp2. (bsc#1216190) - CVE-2023-38552: Fixed an integrity checks according to policies that could be circumvented. (bsc#1216272) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-4373,SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-4373,SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-4373,SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-4373,SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-4373,SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-4373,SUSE-SLE-Product-SLES_SAP-15-SP2-2023-4373,SUSE-SLE-Product-SLES_SAP-15-SP3-2023-4373,SUSE-SLE-Product-SUSE-Manager-Server-4.2-2023-4373,SUSE-Storage-7.1-2023-4373,openSUSE-SLE-15.4-2023-4373 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20234373-1/ Link for SUSE-SU-2023:4373-1 https://lists.suse.com/pipermail/sle-security-updates/2023-November/016997.html E-Mail link for SUSE-SU-2023:4373-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1216190 SUSE Bug 1216190 https://bugzilla.suse.com/1216272 SUSE Bug 1216272 https://www.suse.com/security/cve/CVE-2023-38552/ SUSE CVE CVE-2023-38552 page https://www.suse.com/security/cve/CVE-2023-44487/ SUSE CVE CVE-2023-44487 page SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Server 15 SP3-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Manager Server 4.2 openSUSE Leap 15.4 corepack14-14.21.3-150200.15.52.2 nodejs14-14.21.3-150200.15.52.2 nodejs14-devel-14.21.3-150200.15.52.2 nodejs14-docs-14.21.3-150200.15.52.2 npm14-14.21.3-150200.15.52.2 nodejs14-14.21.3-150200.15.52.2 as a component of SUSE Enterprise Storage 7.1 nodejs14-devel-14.21.3-150200.15.52.2 as a component of SUSE Enterprise Storage 7.1 nodejs14-docs-14.21.3-150200.15.52.2 as a component of SUSE Enterprise Storage 7.1 npm14-14.21.3-150200.15.52.2 as a component of SUSE Enterprise Storage 7.1 nodejs14-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS nodejs14-devel-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS nodejs14-docs-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS npm14-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS nodejs14-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS nodejs14-devel-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS nodejs14-docs-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS npm14-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS nodejs14-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS nodejs14-devel-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS nodejs14-docs-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS npm14-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS nodejs14-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS nodejs14-devel-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS nodejs14-docs-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS npm14-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise Server 15 SP2-LTSS nodejs14-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS nodejs14-devel-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS nodejs14-docs-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS npm14-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise Server 15 SP3-LTSS nodejs14-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 nodejs14-devel-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 nodejs14-docs-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 npm14-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 nodejs14-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 nodejs14-devel-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 nodejs14-docs-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 npm14-14.21.3-150200.15.52.2 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 nodejs14-14.21.3-150200.15.52.2 as a component of SUSE Manager Server 4.2 nodejs14-devel-14.21.3-150200.15.52.2 as a component of SUSE Manager Server 4.2 nodejs14-docs-14.21.3-150200.15.52.2 as a component of SUSE Manager Server 4.2 npm14-14.21.3-150200.15.52.2 as a component of SUSE Manager Server 4.2 corepack14-14.21.3-150200.15.52.2 as a component of openSUSE Leap 15.4 nodejs14-14.21.3-150200.15.52.2 as a component of openSUSE Leap 15.4 nodejs14-devel-14.21.3-150200.15.52.2 as a component of openSUSE Leap 15.4 nodejs14-docs-14.21.3-150200.15.52.2 as a component of openSUSE Leap 15.4 npm14-14.21.3-150200.15.52.2 as a component of openSUSE Leap 15.4 When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js. CVE-2023-38552 SUSE Enterprise Storage 7.1:nodejs14-14.21.3-150200.15.52.2 SUSE Enterprise Storage 7.1:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Enterprise Storage 7.1:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Enterprise Storage 7.1:npm14-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:nodejs14-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:npm14-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:nodejs14-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:npm14-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:nodejs14-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:npm14-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server 15 SP2-LTSS:nodejs14-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server 15 SP2-LTSS:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server 15 SP2-LTSS:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server 15 SP2-LTSS:npm14-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server 15 SP3-LTSS:nodejs14-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server 15 SP3-LTSS:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server 15 SP3-LTSS:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server 15 SP3-LTSS:npm14-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server for SAP Applications 15 SP2:nodejs14-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server for SAP Applications 15 SP2:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server for SAP Applications 15 SP2:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server for SAP Applications 15 SP2:npm14-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server for SAP Applications 15 SP3:nodejs14-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server for SAP Applications 15 SP3:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server for SAP Applications 15 SP3:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server for SAP Applications 15 SP3:npm14-14.21.3-150200.15.52.2 SUSE Manager Server 4.2:nodejs14-14.21.3-150200.15.52.2 SUSE Manager Server 4.2:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Manager Server 4.2:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Manager Server 4.2:npm14-14.21.3-150200.15.52.2 openSUSE Leap 15.4:corepack14-14.21.3-150200.15.52.2 openSUSE Leap 15.4:nodejs14-14.21.3-150200.15.52.2 openSUSE Leap 15.4:nodejs14-devel-14.21.3-150200.15.52.2 openSUSE Leap 15.4:nodejs14-docs-14.21.3-150200.15.52.2 openSUSE Leap 15.4:npm14-14.21.3-150200.15.52.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234373-1/ https://www.suse.com/security/cve/CVE-2023-38552.html CVE-2023-38552 https://bugzilla.suse.com/1216272 SUSE Bug 1216272 The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-44487 SUSE Enterprise Storage 7.1:nodejs14-14.21.3-150200.15.52.2 SUSE Enterprise Storage 7.1:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Enterprise Storage 7.1:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Enterprise Storage 7.1:npm14-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:nodejs14-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:npm14-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:nodejs14-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:npm14-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:nodejs14-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:npm14-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server 15 SP2-LTSS:nodejs14-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server 15 SP2-LTSS:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server 15 SP2-LTSS:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server 15 SP2-LTSS:npm14-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server 15 SP3-LTSS:nodejs14-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server 15 SP3-LTSS:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server 15 SP3-LTSS:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server 15 SP3-LTSS:npm14-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server for SAP Applications 15 SP2:nodejs14-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server for SAP Applications 15 SP2:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server for SAP Applications 15 SP2:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server for SAP Applications 15 SP2:npm14-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server for SAP Applications 15 SP3:nodejs14-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server for SAP Applications 15 SP3:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server for SAP Applications 15 SP3:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Linux Enterprise Server for SAP Applications 15 SP3:npm14-14.21.3-150200.15.52.2 SUSE Manager Server 4.2:nodejs14-14.21.3-150200.15.52.2 SUSE Manager Server 4.2:nodejs14-devel-14.21.3-150200.15.52.2 SUSE Manager Server 4.2:nodejs14-docs-14.21.3-150200.15.52.2 SUSE Manager Server 4.2:npm14-14.21.3-150200.15.52.2 openSUSE Leap 15.4:corepack14-14.21.3-150200.15.52.2 openSUSE Leap 15.4:nodejs14-14.21.3-150200.15.52.2 openSUSE Leap 15.4:nodejs14-devel-14.21.3-150200.15.52.2 openSUSE Leap 15.4:nodejs14-docs-14.21.3-150200.15.52.2 openSUSE Leap 15.4:npm14-14.21.3-150200.15.52.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234373-1/ https://www.suse.com/security/cve/CVE-2023-44487.html CVE-2023-44487 https://bugzilla.suse.com/1216109 SUSE Bug 1216109 https://bugzilla.suse.com/1216123 SUSE Bug 1216123 https://bugzilla.suse.com/1216169 SUSE Bug 1216169 https://bugzilla.suse.com/1216171 SUSE Bug 1216171 https://bugzilla.suse.com/1216174 SUSE Bug 1216174 https://bugzilla.suse.com/1216176 SUSE Bug 1216176 https://bugzilla.suse.com/1216181 SUSE Bug 1216181 https://bugzilla.suse.com/1216182 SUSE Bug 1216182 https://bugzilla.suse.com/1216190 SUSE Bug 1216190