corepack21-21.6.2-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13698-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z corepack21-21.6.2-1.1 on GA media These are all security issues fixed in the corepack21-21.6.2-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13698 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-46809/ SUSE CVE CVE-2023-46809 page https://www.suse.com/security/cve/CVE-2024-21890/ SUSE CVE CVE-2024-21890 page https://www.suse.com/security/cve/CVE-2024-21891/ SUSE CVE CVE-2024-21891 page https://www.suse.com/security/cve/CVE-2024-21892/ SUSE CVE CVE-2024-21892 page https://www.suse.com/security/cve/CVE-2024-21896/ SUSE CVE CVE-2024-21896 page https://www.suse.com/security/cve/CVE-2024-22017/ SUSE CVE CVE-2024-22017 page https://www.suse.com/security/cve/CVE-2024-22019/ SUSE CVE CVE-2024-22019 page https://www.suse.com/security/cve/CVE-2024-22025/ SUSE CVE CVE-2024-22025 page https://www.suse.com/security/cve/CVE-2024-24758/ SUSE CVE CVE-2024-24758 page openSUSE Tumbleweed corepack21-21.6.2-1.1 nodejs21-21.6.2-1.1 nodejs21-devel-21.6.2-1.1 nodejs21-docs-21.6.2-1.1 npm21-21.6.2-1.1 corepack21-21.6.2-1.1 as a component of openSUSE Tumbleweed nodejs21-21.6.2-1.1 as a component of openSUSE Tumbleweed nodejs21-devel-21.6.2-1.1 as a component of openSUSE Tumbleweed nodejs21-docs-21.6.2-1.1 as a component of openSUSE Tumbleweed npm21-21.6.2-1.1 as a component of openSUSE Tumbleweed Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key. CVE-2023-46809 openSUSE Tumbleweed:corepack21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-devel-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-docs-21.6.2-1.1 openSUSE Tumbleweed:npm21-21.6.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-46809.html CVE-2023-46809 https://bugzilla.suse.com/1219997 SUSE Bug 1219997 The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. CVE-2024-21890 openSUSE Tumbleweed:corepack21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-devel-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-docs-21.6.2-1.1 openSUSE Tumbleweed:npm21-21.6.2-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-21890.html CVE-2024-21890 https://bugzilla.suse.com/1219999 SUSE Bug 1219999 Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. CVE-2024-21891 openSUSE Tumbleweed:corepack21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-devel-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-docs-21.6.2-1.1 openSUSE Tumbleweed:npm21-21.6.2-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-21891.html CVE-2024-21891 https://bugzilla.suse.com/1219998 SUSE Bug 1219998 On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges. CVE-2024-21892 openSUSE Tumbleweed:corepack21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-devel-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-docs-21.6.2-1.1 openSUSE Tumbleweed:npm21-21.6.2-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-21892.html CVE-2024-21892 https://bugzilla.suse.com/1219992 SUSE Bug 1219992 The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. CVE-2024-21896 openSUSE Tumbleweed:corepack21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-devel-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-docs-21.6.2-1.1 openSUSE Tumbleweed:npm21-21.6.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-21896.html CVE-2024-21896 https://bugzilla.suse.com/1219994 SUSE Bug 1219994 setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21. CVE-2024-22017 openSUSE Tumbleweed:corepack21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-devel-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-docs-21.6.2-1.1 openSUSE Tumbleweed:npm21-21.6.2-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-22017.html CVE-2024-22017 https://bugzilla.suse.com/1219995 SUSE Bug 1219995 A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits. CVE-2024-22019 openSUSE Tumbleweed:corepack21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-devel-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-docs-21.6.2-1.1 openSUSE Tumbleweed:npm21-21.6.2-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-22019.html CVE-2024-22019 https://bugzilla.suse.com/1219993 SUSE Bug 1219993 A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration. CVE-2024-22025 openSUSE Tumbleweed:corepack21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-devel-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-docs-21.6.2-1.1 openSUSE Tumbleweed:npm21-21.6.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-22025.html CVE-2024-22025 https://bugzilla.suse.com/1220014 SUSE Bug 1220014 Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2024-24758 openSUSE Tumbleweed:corepack21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-devel-21.6.2-1.1 openSUSE Tumbleweed:nodejs21-docs-21.6.2-1.1 openSUSE Tumbleweed:npm21-21.6.2-1.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-24758.html CVE-2024-24758 https://bugzilla.suse.com/1220017 SUSE Bug 1220017