SUSE-SU-2024:1301-1
See a problem?- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:1301-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/SUSE-SU-2024:1301-1
- Related
- Published
- 2024-04-16T01:33:32Z
- Modified
- 2024-04-16T01:33:32Z
- Summary
- Security update for nodejs20
- Details
-
This update for nodejs20 fixes the following issues:
Update to 20.12.1
Security fixes:
- CVE-2024-27983: Fixed failed assertion in node::http2::Http2Session::~Http2Session() that could lead to HTTP/2 server crash (bsc#1222244)
- CVE-2024-27982: Fixed HTTP Request Smuggling via Content Length Obfuscation (bsc#1222384)
- CVE-2024-30260: Fixed proxy-authorization header not cleared on cross-origin redirect in undici (bsc#1222530)
- CVE-2024-30261: Fixed fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect in undici (bsc#1222603)
- CVE-2024-24806: Fixed improper domain lookup that potentially leads to SSRF attacks in libuv (bsc#1220053)
- References
-
- https://www.suse.com/support/update/announcement/2024/suse-su-20241301-1/
- https://bugzilla.suse.com/1220053
- https://bugzilla.suse.com/1222244
- https://bugzilla.suse.com/1222384
- https://bugzilla.suse.com/1222530
- https://bugzilla.suse.com/1222603
- https://www.suse.com/security/cve/CVE-2024-24806
- https://www.suse.com/security/cve/CVE-2024-27982
- https://www.suse.com/security/cve/CVE-2024-27983
- https://www.suse.com/security/cve/CVE-2024-30260
- https://www.suse.com/security/cve/CVE-2024-30261
Affected packages
SUSE:Linux Enterprise Module for Web and Scripting 15 SP5 / nodejs20
Package
- Name
- nodejs20
- Purl
- purl:rpm/suse/nodejs20&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5