corepack18-18.10.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12376 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z corepack18-18.10.0-1.1 on GA media These are all security issues fixed in the corepack18-18.10.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12376 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12376 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-32215/ SUSE CVE CVE-2022-32215 page https://www.suse.com/security/cve/CVE-2022-35255/ SUSE CVE CVE-2022-35255 page https://www.suse.com/security/cve/CVE-2022-35256/ SUSE CVE CVE-2022-35256 page openSUSE Tumbleweed corepack18-18.10.0-1.1 nodejs18-18.10.0-1.1 nodejs18-devel-18.10.0-1.1 nodejs18-docs-18.10.0-1.1 npm18-18.10.0-1.1 corepack18-18.10.0-1.1 as a component of openSUSE Tumbleweed nodejs18-18.10.0-1.1 as a component of openSUSE Tumbleweed nodejs18-devel-18.10.0-1.1 as a component of openSUSE Tumbleweed nodejs18-docs-18.10.0-1.1 as a component of openSUSE Tumbleweed npm18-18.10.0-1.1 as a component of openSUSE Tumbleweed The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). CVE-2022-32215 openSUSE Tumbleweed:corepack18-18.10.0-1.1 openSUSE Tumbleweed:nodejs18-18.10.0-1.1 openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1 openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1 openSUSE Tumbleweed:npm18-18.10.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-32215.html CVE-2022-32215 https://bugzilla.suse.com/1201327 SUSE Bug 1201327 A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material. CVE-2022-35255 openSUSE Tumbleweed:corepack18-18.10.0-1.1 openSUSE Tumbleweed:nodejs18-18.10.0-1.1 openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1 openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1 openSUSE Tumbleweed:npm18-18.10.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-35255.html CVE-2022-35255 https://bugzilla.suse.com/1203831 SUSE Bug 1203831 The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling. CVE-2022-35256 openSUSE Tumbleweed:corepack18-18.10.0-1.1 openSUSE Tumbleweed:nodejs18-18.10.0-1.1 openSUSE Tumbleweed:nodejs18-devel-18.10.0-1.1 openSUSE Tumbleweed:nodejs18-docs-18.10.0-1.1 openSUSE Tumbleweed:npm18-18.10.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-35256.html CVE-2022-35256 https://bugzilla.suse.com/1203832 SUSE Bug 1203832