corepack20-20.12.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13851 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z corepack20-20.12.1-1.1 on GA media These are all security issues fixed in the corepack20-20.12.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13851 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13851 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-27982/ SUSE CVE CVE-2024-27982 page https://www.suse.com/security/cve/CVE-2024-27983/ SUSE CVE CVE-2024-27983 page https://www.suse.com/security/cve/CVE-2024-30260/ SUSE CVE CVE-2024-30260 page openSUSE Tumbleweed corepack20-20.12.1-1.1 nodejs20-20.12.1-1.1 nodejs20-devel-20.12.1-1.1 nodejs20-docs-20.12.1-1.1 npm20-20.12.1-1.1 corepack20-20.12.1-1.1 as a component of openSUSE Tumbleweed nodejs20-20.12.1-1.1 as a component of openSUSE Tumbleweed nodejs20-devel-20.12.1-1.1 as a component of openSUSE Tumbleweed nodejs20-docs-20.12.1-1.1 as a component of openSUSE Tumbleweed npm20-20.12.1-1.1 as a component of openSUSE Tumbleweed The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first. CVE-2024-27982 openSUSE Tumbleweed:corepack20-20.12.1-1.1 openSUSE Tumbleweed:nodejs20-20.12.1-1.1 openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1 openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1 openSUSE Tumbleweed:npm20-20.12.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-27982.html CVE-2024-27982 https://bugzilla.suse.com/1222384 SUSE Bug 1222384 An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition. CVE-2024-27983 openSUSE Tumbleweed:corepack20-20.12.1-1.1 openSUSE Tumbleweed:nodejs20-20.12.1-1.1 openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1 openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1 openSUSE Tumbleweed:npm20-20.12.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-27983.html CVE-2024-27983 Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1. CVE-2024-30260 openSUSE Tumbleweed:corepack20-20.12.1-1.1 openSUSE Tumbleweed:nodejs20-20.12.1-1.1 openSUSE Tumbleweed:nodejs20-devel-20.12.1-1.1 openSUSE Tumbleweed:nodejs20-docs-20.12.1-1.1 openSUSE Tumbleweed:npm20-20.12.1-1.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-30260.html CVE-2024-30260 https://bugzilla.suse.com/1222530 SUSE Bug 1222530