Security update for nodejs18 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2542-1 Final 1 1 2024-07-17T07:51:37Z current 2024-07-17T07:51:37Z 2024-07-17T07:51:37Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs18 This update for nodejs18 fixes the following issues: Update to 18.20.4: - CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560) - CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554) Changes in 18.20.3: - This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly closing idle connections. deps: - acorn updated to 8.11.3. - acorn-walk updated to 8.3.2. - ada updated to 2.7.8. - c-ares updated to 1.28.1. - corepack updated to 0.28.0. - nghttp2 updated to 1.61.0. - ngtcp2 updated to 1.3.0. - npm updated to 10.7.0. Includes a fix from npm@10.5.1 to limit the number of open connections npm/cli#7324. - simdutf updated to 5.2.4. Changes in 18.20.2: - CVE-2024-27980: Fixed command injection via args parameter of child_process.spawn without shell option enabled on Windows (bsc#1222665) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/node:18-2024-2542,SUSE-2024-2542,SUSE-SLE-Module-Web-Scripting-15-SP5-2024-2542,openSUSE-SLE-15.5-2024-2542 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242542-1/ Link for SUSE-SU-2024:2542-1 https://lists.suse.com/pipermail/sle-security-updates/2024-July/018991.html E-Mail link for SUSE-SU-2024:2542-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1222665 SUSE Bug 1222665 https://bugzilla.suse.com/1227554 SUSE Bug 1227554 https://bugzilla.suse.com/1227560 SUSE Bug 1227560 https://www.suse.com/security/cve/CVE-2024-22020/ SUSE CVE CVE-2024-22020 page https://www.suse.com/security/cve/CVE-2024-27980/ SUSE CVE CVE-2024-27980 page https://www.suse.com/security/cve/CVE-2024-36138/ SUSE CVE CVE-2024-36138 page Container bci/node:18 SUSE Linux Enterprise Module for Web and Scripting 15 SP5 openSUSE Leap 15.5 nodejs18-18.20.4-150400.9.24.2 npm18-18.20.4-150400.9.24.2 corepack18-18.20.4-150400.9.24.2 nodejs18-devel-18.20.4-150400.9.24.2 nodejs18-docs-18.20.4-150400.9.24.2 nodejs18-18.20.4-150400.9.24.2 as a component of Container bci/node:18 npm18-18.20.4-150400.9.24.2 as a component of Container bci/node:18 nodejs18-18.20.4-150400.9.24.2 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 nodejs18-devel-18.20.4-150400.9.24.2 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 nodejs18-docs-18.20.4-150400.9.24.2 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 npm18-18.20.4-150400.9.24.2 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 corepack18-18.20.4-150400.9.24.2 as a component of openSUSE Leap 15.5 nodejs18-18.20.4-150400.9.24.2 as a component of openSUSE Leap 15.5 nodejs18-devel-18.20.4-150400.9.24.2 as a component of openSUSE Leap 15.5 nodejs18-docs-18.20.4-150400.9.24.2 as a component of openSUSE Leap 15.5 npm18-18.20.4-150400.9.24.2 as a component of openSUSE Leap 15.5 A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers. CVE-2024-22020 Container bci/node:18:nodejs18-18.20.4-150400.9.24.2 Container bci/node:18:npm18-18.20.4-150400.9.24.2 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-18.20.4-150400.9.24.2 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-devel-18.20.4-150400.9.24.2 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-docs-18.20.4-150400.9.24.2 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:npm18-18.20.4-150400.9.24.2 openSUSE Leap 15.5:corepack18-18.20.4-150400.9.24.2 openSUSE Leap 15.5:nodejs18-18.20.4-150400.9.24.2 openSUSE Leap 15.5:nodejs18-devel-18.20.4-150400.9.24.2 openSUSE Leap 15.5:nodejs18-docs-18.20.4-150400.9.24.2 openSUSE Leap 15.5:npm18-18.20.4-150400.9.24.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242542-1/ https://www.suse.com/security/cve/CVE-2024-22020.html CVE-2024-22020 https://bugzilla.suse.com/1227554 SUSE Bug 1227554 Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. CVE-2024-27980 Container bci/node:18:nodejs18-18.20.4-150400.9.24.2 Container bci/node:18:npm18-18.20.4-150400.9.24.2 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-18.20.4-150400.9.24.2 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-devel-18.20.4-150400.9.24.2 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-docs-18.20.4-150400.9.24.2 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:npm18-18.20.4-150400.9.24.2 openSUSE Leap 15.5:corepack18-18.20.4-150400.9.24.2 openSUSE Leap 15.5:nodejs18-18.20.4-150400.9.24.2 openSUSE Leap 15.5:nodejs18-devel-18.20.4-150400.9.24.2 openSUSE Leap 15.5:nodejs18-docs-18.20.4-150400.9.24.2 openSUSE Leap 15.5:npm18-18.20.4-150400.9.24.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242542-1/ https://www.suse.com/security/cve/CVE-2024-27980.html CVE-2024-27980 https://bugzilla.suse.com/1222665 SUSE Bug 1222665 https://bugzilla.suse.com/1227560 SUSE Bug 1227560 Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. CVE-2024-36138 Container bci/node:18:nodejs18-18.20.4-150400.9.24.2 Container bci/node:18:npm18-18.20.4-150400.9.24.2 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-18.20.4-150400.9.24.2 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-devel-18.20.4-150400.9.24.2 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-docs-18.20.4-150400.9.24.2 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:npm18-18.20.4-150400.9.24.2 openSUSE Leap 15.5:corepack18-18.20.4-150400.9.24.2 openSUSE Leap 15.5:nodejs18-18.20.4-150400.9.24.2 openSUSE Leap 15.5:nodejs18-devel-18.20.4-150400.9.24.2 openSUSE Leap 15.5:nodejs18-docs-18.20.4-150400.9.24.2 openSUSE Leap 15.5:npm18-18.20.4-150400.9.24.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242542-1/ https://www.suse.com/security/cve/CVE-2024-36138.html CVE-2024-36138 https://bugzilla.suse.com/1227560 SUSE Bug 1227560