Security update for nodejs18 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2496-1 Final 1 1 2024-07-16T07:33:47Z current 2024-07-16T07:33:47Z 2024-07-16T07:33:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs18 This update for nodejs18 fixes the following issues: Update to 18.20.4: - CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560) - CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554) Changes in 18.20.3: - This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly closing idle connections. deps: - acorn updated to 8.11.3. - acorn-walk updated to 8.3.2. - ada updated to 2.7.8. - c-ares updated to 1.28.1. - corepack updated to 0.28.0. - nghttp2 updated to 1.61.0. - ngtcp2 updated to 1.3.0. - npm updated to 10.7.0. Includes a fix from npm@10.5.1 to limit the number of open connections npm/cli#7324. - simdutf updated to 5.2.4. Changes in 18.20.2: - CVE-2024-27980: Fixed command injection via args parameter of child_process.spawn without shell option enabled on Windows (bsc#1222665) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-2496,SUSE-SLE-Module-Web-Scripting-12-2024-2496 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242496-1/ Link for SUSE-SU-2024:2496-1 https://lists.suse.com/pipermail/sle-security-updates/2024-July/018981.html E-Mail link for SUSE-SU-2024:2496-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1222665 SUSE Bug 1222665 https://bugzilla.suse.com/1227554 SUSE Bug 1227554 https://bugzilla.suse.com/1227560 SUSE Bug 1227560 https://www.suse.com/security/cve/CVE-2024-22020/ SUSE CVE CVE-2024-22020 page https://www.suse.com/security/cve/CVE-2024-27980/ SUSE CVE CVE-2024-27980 page https://www.suse.com/security/cve/CVE-2024-36138/ SUSE CVE CVE-2024-36138 page SUSE Linux Enterprise Module for Web and Scripting 12 corepack18-18.20.4-8.24.1 nodejs18-18.20.4-8.24.1 nodejs18-devel-18.20.4-8.24.1 nodejs18-docs-18.20.4-8.24.1 npm18-18.20.4-8.24.1 nodejs18-18.20.4-8.24.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 nodejs18-devel-18.20.4-8.24.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 nodejs18-docs-18.20.4-8.24.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 npm18-18.20.4-8.24.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers. CVE-2024-22020 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-18.20.4-8.24.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-devel-18.20.4-8.24.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-docs-18.20.4-8.24.1 SUSE Linux Enterprise Module for Web and Scripting 12:npm18-18.20.4-8.24.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242496-1/ https://www.suse.com/security/cve/CVE-2024-22020.html CVE-2024-22020 https://bugzilla.suse.com/1227554 SUSE Bug 1227554 Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. CVE-2024-27980 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-18.20.4-8.24.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-devel-18.20.4-8.24.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-docs-18.20.4-8.24.1 SUSE Linux Enterprise Module for Web and Scripting 12:npm18-18.20.4-8.24.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242496-1/ https://www.suse.com/security/cve/CVE-2024-27980.html CVE-2024-27980 https://bugzilla.suse.com/1222665 SUSE Bug 1222665 https://bugzilla.suse.com/1227560 SUSE Bug 1227560 Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. CVE-2024-36138 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-18.20.4-8.24.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-devel-18.20.4-8.24.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs18-docs-18.20.4-8.24.1 SUSE Linux Enterprise Module for Web and Scripting 12:npm18-18.20.4-8.24.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242496-1/ https://www.suse.com/security/cve/CVE-2024-36138.html CVE-2024-36138 https://bugzilla.suse.com/1227560 SUSE Bug 1227560