
openSUSE Leap 15.1: 2021:0082-1 Moderate: Node.js Issues

opensuse
January 16, 2021
openSUSE Security Update: Security update for nodejs10
_____________________________________________

An update that fixes three vulnerabilities is now available.

Description

This update for nodejs10 fixes the following issues:

- New upstream LTS version 10.23.1:

  * CVE-2020-8265: use-after-free in TLSWrap (High), a bug in the TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits (bsc#1180553)

  * CVE-2020-8287: HTTP Request Smuggling. Node.js allows two copies of a header field in an HTTP request, for example two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html). (bsc#1180554)

  *...
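
Added example, not part of the SUSE advisory or of Node.js: a check that a front end or log pipeline can run on a raw request head to flag the duplicate header fields described under CVE-2020-8287. It goes slightly beyond the advisory by also covering Content-Length and requests that carry both framing headers; the function names and sample requests are constructed for illustration.

```javascript
// Added example: flag request heads whose body-framing headers are ambiguous.
// Header names that decide where a request body ends.
const FRAMING_HEADERS = ["transfer-encoding", "content-length"];

// Parse a raw HTTP/1.1 request head (text up to the blank line) and return
// every header field as [lowercased name, value], keeping duplicates.
function parseHeaderFields(rawHead) {
  const lines = rawHead.split("\r\n\r\n")[0].split("\r\n").slice(1); // drop request line
  const fields = [];
  for (const line of lines) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // not a header field line
    // Trim the name so "Transfer-Encoding :" is counted with the normal spelling.
    fields.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return fields;
}

// Return a list of findings; an empty list means the framing is unambiguous.
function checkFraming(rawHead) {
  const counts = new Map();
  for (const [name] of parseHeaderFields(rawHead)) {
    if (FRAMING_HEADERS.includes(name)) counts.set(name, (counts.get(name) || 0) + 1);
  }
  const findings = [];
  for (const [name, n] of counts) {
    if (n > 1) findings.push(`duplicate ${name} (${n} copies)`);
  }
  if (counts.has("transfer-encoding") && counts.has("content-length")) {
    findings.push("both transfer-encoding and content-length present");
  }
  return findings;
}

// Constructed sample request heads (not captured traffic).
const SAMPLE_OK =
  "POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n";
const SAMPLE_DUPLICATE =
  "POST /upload HTTP/1.1\r\nHost: example.test\r\n" +
  "Transfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n\r\n";

console.log(checkFraming(SAMPLE_OK));
console.log(checkFraming(SAMPLE_DUPLICATE));
```

A request with any finding is one where two HTTP parsers can disagree about where the body ends, so rejecting it at the first hop is the safe handling.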


Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1:

    zypper in -t patch openSUSE-2021-82=1

Package List

- openSUSE Leap 15.1 (i586 x86_64):

    nodejs10-10.23.1-lp151.2.15.1
    nodejs10-debuginfo-10.23.1-lp151.2.15.1
    nodejs10-debugsource-10.23.1-lp151.2.15.1
    nodejs10-devel-10.23.1-lp151.2.15.1
    npm10-10.23.1-lp151.2.15.1

- openSUSE Leap 15.1 (noarch):

    nodejs10-docs-10.23.1-lp151.2.15.1

References

https://www.suse.com/security/cve/CVE-2020-1971.html

https://www.suse.com/security/cve/CVE-2020-8265.html

https://www.suse.com/security/cve/CVE-2020-8287.html

https://bugzilla.suse.com/1179491

https://bugzilla.suse.com/1180553

https://bugzilla.suse.com/1180554

Announcement ID: openSUSE-SU-2021:0082-1
Rating: moderate
Affected Products: openSUSE Leap 15.1
