corepack22-22.10.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:14435-1 Final 1 1 2024-10-29T00:00:00Z current 2024-10-29T00:00:00Z 2024-10-29T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z corepack22-22.10.0-1.1 on GA media These are all security issues fixed in the corepack22-22.10.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-14435 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OWCPL7VTEVIGUDVKLEV2D2ITNTWKC4AZ/ E-Mail link for openSUSE-SU-2024:14435-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-22018/ SUSE CVE CVE-2024-22018 page https://www.suse.com/security/cve/CVE-2024-22020/ SUSE CVE CVE-2024-22020 page https://www.suse.com/security/cve/CVE-2024-36137/ SUSE CVE CVE-2024-36137 page https://www.suse.com/security/cve/CVE-2024-36138/ SUSE CVE CVE-2024-36138 page https://www.suse.com/security/cve/CVE-2024-37372/ SUSE CVE CVE-2024-37372 page openSUSE Tumbleweed corepack22-22.10.0-1.1 nodejs22-22.10.0-1.1 nodejs22-devel-22.10.0-1.1 nodejs22-docs-22.10.0-1.1 npm22-22.10.0-1.1 corepack22-22.10.0-1.1 as a component of openSUSE Tumbleweed nodejs22-22.10.0-1.1 as a component of openSUSE Tumbleweed nodejs22-devel-22.10.0-1.1 as a component of openSUSE Tumbleweed nodejs22-docs-22.10.0-1.1 as a component of openSUSE Tumbleweed npm22-22.10.0-1.1 as a component of openSUSE Tumbleweed A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. CVE-2024-22018 openSUSE Tumbleweed:corepack22-22.10.0-1.1 openSUSE Tumbleweed:nodejs22-22.10.0-1.1 openSUSE Tumbleweed:nodejs22-devel-22.10.0-1.1 openSUSE Tumbleweed:nodejs22-docs-22.10.0-1.1 openSUSE Tumbleweed:npm22-22.10.0-1.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OWCPL7VTEVIGUDVKLEV2D2ITNTWKC4AZ/ https://www.suse.com/security/cve/CVE-2024-22018.html CVE-2024-22018 https://bugzilla.suse.com/1227562 SUSE Bug 1227562 A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers. CVE-2024-22020 openSUSE Tumbleweed:corepack22-22.10.0-1.1 openSUSE Tumbleweed:nodejs22-22.10.0-1.1 openSUSE Tumbleweed:nodejs22-devel-22.10.0-1.1 openSUSE Tumbleweed:nodejs22-docs-22.10.0-1.1 openSUSE Tumbleweed:npm22-22.10.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OWCPL7VTEVIGUDVKLEV2D2ITNTWKC4AZ/ https://www.suse.com/security/cve/CVE-2024-22020.html CVE-2024-22020 https://bugzilla.suse.com/1227554 SUSE Bug 1227554 A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file. CVE-2024-36137 openSUSE Tumbleweed:corepack22-22.10.0-1.1 openSUSE Tumbleweed:nodejs22-22.10.0-1.1 openSUSE Tumbleweed:nodejs22-devel-22.10.0-1.1 openSUSE Tumbleweed:nodejs22-docs-22.10.0-1.1 openSUSE Tumbleweed:npm22-22.10.0-1.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OWCPL7VTEVIGUDVKLEV2D2ITNTWKC4AZ/ https://www.suse.com/security/cve/CVE-2024-36137.html CVE-2024-36137 https://bugzilla.suse.com/1227561 SUSE Bug 1227561 Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. CVE-2024-36138 openSUSE Tumbleweed:corepack22-22.10.0-1.1 openSUSE Tumbleweed:nodejs22-22.10.0-1.1 openSUSE Tumbleweed:nodejs22-devel-22.10.0-1.1 openSUSE Tumbleweed:nodejs22-docs-22.10.0-1.1 openSUSE Tumbleweed:npm22-22.10.0-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OWCPL7VTEVIGUDVKLEV2D2ITNTWKC4AZ/ https://www.suse.com/security/cve/CVE-2024-36138.html CVE-2024-36138 https://bugzilla.suse.com/1227560 SUSE Bug 1227560 The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases. CVE-2024-37372 openSUSE Tumbleweed:corepack22-22.10.0-1.1 openSUSE Tumbleweed:nodejs22-22.10.0-1.1 openSUSE Tumbleweed:nodejs22-devel-22.10.0-1.1 openSUSE Tumbleweed:nodejs22-docs-22.10.0-1.1 openSUSE Tumbleweed:npm22-22.10.0-1.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OWCPL7VTEVIGUDVKLEV2D2ITNTWKC4AZ/ https://www.suse.com/security/cve/CVE-2024-37372.html CVE-2024-37372 https://bugzilla.suse.com/1227563 SUSE Bug 1227563