Security update for nodejs20 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:4300-1 Final 1 1 2024-12-12T08:10:13Z current 2024-12-12T08:10:13Z 2024-12-12T08:10:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs20 This update for nodejs20 fixes the following issues: - CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856) Other fixes: - Updated to 20.18.1: * Experimental Network Inspection Support in Node.js * Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext * New option for vm.createContext() to create a context with a freezable globalThis * buffer: optimize createFromString - Changes in 20.17.0: * module: support require()ing synchronous ESM graphs * path: add matchesGlob method * stream: expose DuplexPair API - Changes in 20.16.0: * process: add process.getBuiltinModule(id) * inspector: fix disable async hooks on Debugger.setAsyncCallStackDepth * buffer: add .bytes() method to Blob The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-4300,SUSE-SLE-Module-Web-Scripting-15-SP5-2024-4300,openSUSE-SLE-15.5-2024-4300 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20244300-1/ Link for SUSE-SU-2024:4300-1 https://lists.suse.com/pipermail/sle-security-updates/2024-December/019992.html E-Mail link for SUSE-SU-2024:4300-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1233856 SUSE Bug 1233856 https://www.suse.com/security/cve/CVE-2024-21538/ SUSE CVE CVE-2024-21538 page SUSE Linux Enterprise Module for Web and Scripting 15 SP5 openSUSE Leap 15.5 corepack20-20.18.1-150500.11.15.1 nodejs20-20.18.1-150500.11.15.1 nodejs20-devel-20.18.1-150500.11.15.1 nodejs20-docs-20.18.1-150500.11.15.1 npm20-20.18.1-150500.11.15.1 nodejs20-20.18.1-150500.11.15.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 nodejs20-devel-20.18.1-150500.11.15.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 nodejs20-docs-20.18.1-150500.11.15.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 npm20-20.18.1-150500.11.15.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 corepack20-20.18.1-150500.11.15.1 as a component of openSUSE Leap 15.5 nodejs20-20.18.1-150500.11.15.1 as a component of openSUSE Leap 15.5 nodejs20-devel-20.18.1-150500.11.15.1 as a component of openSUSE Leap 15.5 nodejs20-docs-20.18.1-150500.11.15.1 as a component of openSUSE Leap 15.5 npm20-20.18.1-150500.11.15.1 as a component of openSUSE Leap 15.5 Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string. CVE-2024-21538 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs20-20.18.1-150500.11.15.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs20-devel-20.18.1-150500.11.15.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs20-docs-20.18.1-150500.11.15.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:npm20-20.18.1-150500.11.15.1 openSUSE Leap 15.5:corepack20-20.18.1-150500.11.15.1 openSUSE Leap 15.5:nodejs20-20.18.1-150500.11.15.1 openSUSE Leap 15.5:nodejs20-devel-20.18.1-150500.11.15.1 openSUSE Leap 15.5:nodejs20-docs-20.18.1-150500.11.15.1 openSUSE Leap 15.5:npm20-20.18.1-150500.11.15.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20244300-1/ https://www.suse.com/security/cve/CVE-2024-21538.html CVE-2024-21538 https://bugzilla.suse.com/1233843 SUSE Bug 1233843