Security update for nodejs20

Announcement ID:	SUSE-SU-2024:0643-1
Rating:	important
References:	bsc#1219152 bsc#1219724 bsc#1219992 bsc#1219993 bsc#1219994 bsc#1219995 bsc#1219997 bsc#1219998 bsc#1219999 bsc#1220014 bsc#1220017
Cross-References:	CVE-2023-46809 CVE-2024-21890 CVE-2024-21891 CVE-2024-21892 CVE-2024-21896 CVE-2024-22017 CVE-2024-22019 CVE-2024-22025 CVE-2024-24758 CVE-2024-24806
CVSS scores:	CVE-2023-46809 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2024-21890 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-21891 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2024-21892 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-21896 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-22017 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2024-22019 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-24758 ( SUSE ): 3.9 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L CVE-2024-24806 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2024-24806 ( NVD ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Affected Products:	openSUSE Leap 15.5 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP5 Web and Scripting Module 15-SP5

An update that solves 10 vulnerabilities and has one security fix can now be installed.

Description:

This update for nodejs20 fixes the following issues:

Update to 20.11.1: (security updates)

• CVE-2024-21892: Code injection and privilege escalation through Linux capabilities (bsc#1219992).
• CVE-2024-22019: http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (bsc#1219993).
• CVE-2024-21896: Path traversal by monkey-patching Buffer internals (bsc#1219994).j
• CVE-2024-22017: setuid() does not drop all privileges due to io_uring (bsc#1219995).
• CVE-2023-46809: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) (bsc#1219997).
• CVE-2024-21891: Multiple permission model bypasses due to improper path traversal sequence sanitization (bsc#1219998).
• CVE-2024-21890: Improper handling of wildcards in --allow-fs-read and --allow-fs-write (bsc#1219999).
• CVE-2024-22025: Denial of Service by resource exhaustion in fetch() brotli decoding (bsc#1220014).
• CVE-2024-24758: undici version 5.28.3 (bsc#1220017).
• CVE-2024-24806: libuv version 1.48.0 (bsc#1219724).

Update to 20.11.0:

• esm: add import.meta.dirname and import.meta.filename
• fs: add c++ fast path for writeFileSync utf8
• module: remove useCustomLoadersIfPresent flag
• module: bootstrap module loaders in shadow realm
• src: add --disable-warning option
• src: create per isolate proxy env template
• src: make process binding data weak
• stream: use Array for Readable buffer
• stream: optimize creation
• test_runner: adds built in lcov reporter
• test_runner: add Date to the supported mock APIs
• test_runner, cli: add --test-timeout flag

Update to 20.10.0:

• --experimental-default-type flag to flip module defaults
• The new flag --experimental-detect-module can be used to automatically run ES modules when their syntax can be detected.
• Added flush option in file system functions for fs.writeFile functions
• Added experimental WebSocket client
• vm: fix V8 compilation cache support for vm.Script. This fixes performance regression since v16.x when support for importModuleDynamically was added to vm.Script

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.5
  zypper in -t patch SUSE-2024-643=1 openSUSE-SLE-15.5-2024-643=1
• Web and Scripting Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP5-2024-643=1

Package List:

• openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64 i586)
  • nodejs20-debugsource-20.11.1-150500.11.6.1
  • corepack20-20.11.1-150500.11.6.1
  • npm20-20.11.1-150500.11.6.1
  • nodejs20-devel-20.11.1-150500.11.6.1
  • nodejs20-debuginfo-20.11.1-150500.11.6.1
  • nodejs20-20.11.1-150500.11.6.1
• openSUSE Leap 15.5 (noarch)
  • nodejs20-docs-20.11.1-150500.11.6.1
• Web and Scripting Module 15-SP5 (aarch64 ppc64le s390x x86_64)
  • npm20-20.11.1-150500.11.6.1
  • nodejs20-debugsource-20.11.1-150500.11.6.1
  • nodejs20-devel-20.11.1-150500.11.6.1
  • nodejs20-debuginfo-20.11.1-150500.11.6.1
  • nodejs20-20.11.1-150500.11.6.1
• Web and Scripting Module 15-SP5 (noarch)
  • nodejs20-docs-20.11.1-150500.11.6.1

References:

• https://www.suse.com/security/cve/CVE-2023-46809.html
• https://www.suse.com/security/cve/CVE-2024-21890.html
• https://www.suse.com/security/cve/CVE-2024-21891.html
• https://www.suse.com/security/cve/CVE-2024-21892.html
• https://www.suse.com/security/cve/CVE-2024-21896.html
• https://www.suse.com/security/cve/CVE-2024-22017.html
• https://www.suse.com/security/cve/CVE-2024-22019.html
• https://www.suse.com/security/cve/CVE-2024-22025.html
• https://www.suse.com/security/cve/CVE-2024-24758.html
• https://www.suse.com/security/cve/CVE-2024-24806.html
• https://bugzilla.suse.com/show_bug.cgi?id=1219152
• https://bugzilla.suse.com/show_bug.cgi?id=1219724
• https://bugzilla.suse.com/show_bug.cgi?id=1219992
• https://bugzilla.suse.com/show_bug.cgi?id=1219993
• https://bugzilla.suse.com/show_bug.cgi?id=1219994
• https://bugzilla.suse.com/show_bug.cgi?id=1219995
• https://bugzilla.suse.com/show_bug.cgi?id=1219997
• https://bugzilla.suse.com/show_bug.cgi?id=1219998
• https://bugzilla.suse.com/show_bug.cgi?id=1219999
• https://bugzilla.suse.com/show_bug.cgi?id=1220014
• https://bugzilla.suse.com/show_bug.cgi?id=1220017