nodejs-electron-25.9.1-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13340 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z nodejs-electron-25.9.1-2.1 on GA media These are all security issues fixed in the nodejs-electron-25.9.1-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13340 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13340 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-38552/ SUSE CVE CVE-2023-38552 page https://www.suse.com/security/cve/CVE-2023-39333/ SUSE CVE CVE-2023-39333 page https://www.suse.com/security/cve/CVE-2023-45143/ SUSE CVE CVE-2023-45143 page openSUSE Tumbleweed nodejs-electron-25.9.1-2.1 nodejs-electron-devel-25.9.1-2.1 nodejs-electron-doc-25.9.1-2.1 nodejs-electron-25.9.1-2.1 as a component of openSUSE Tumbleweed nodejs-electron-devel-25.9.1-2.1 as a component of openSUSE Tumbleweed nodejs-electron-doc-25.9.1-2.1 as a component of openSUSE Tumbleweed When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js. CVE-2023-38552 openSUSE Tumbleweed:nodejs-electron-25.9.1-2.1 openSUSE Tumbleweed:nodejs-electron-devel-25.9.1-2.1 openSUSE Tumbleweed:nodejs-electron-doc-25.9.1-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-38552.html CVE-2023-38552 https://bugzilla.suse.com/1216272 SUSE Bug 1216272 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2023-39333 openSUSE Tumbleweed:nodejs-electron-25.9.1-2.1 openSUSE Tumbleweed:nodejs-electron-devel-25.9.1-2.1 openSUSE Tumbleweed:nodejs-electron-doc-25.9.1-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-39333.html CVE-2023-39333 https://bugzilla.suse.com/1216273 SUSE Bug 1216273 Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version 5.26.2. There are no known workarounds. CVE-2023-45143 openSUSE Tumbleweed:nodejs-electron-25.9.1-2.1 openSUSE Tumbleweed:nodejs-electron-devel-25.9.1-2.1 openSUSE Tumbleweed:nodejs-electron-doc-25.9.1-2.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-45143.html CVE-2023-45143 https://bugzilla.suse.com/1216205 SUSE Bug 1216205