Security update for nodejs12 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:2326-1 Final 1 1 2021-07-14T15:07:58Z current 2021-07-14T15:07:58Z 2021-07-14T15:07:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs12 This update for nodejs12 fixes the following issues: - update to 12.22.2: - CVE-2021-22918: Out of bounds read (bsc#1187973) - CVE-2021-23362: ssri Regular Expression Denial of Service and hosted-git-info (bsc#1187977) - CVE-2021-27290: Regular Expression Denial of Service (bsc#1187976) - CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (bsc#1183851) - CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (bsc#1183852) - CVE-2020-7774: npm - Update y18n to fix Prototype-Pollution (bsc#1184450) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-2326,SUSE-SLE-Module-Web-Scripting-12-2021-2326 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20212326-1/ Link for SUSE-SU-2021:2326-1 https://lists.suse.com/pipermail/sle-security-updates/2021-July/009136.html E-Mail link for SUSE-SU-2021:2326-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1183851 SUSE Bug 1183851 https://bugzilla.suse.com/1183852 SUSE Bug 1183852 https://bugzilla.suse.com/1184450 SUSE Bug 1184450 https://bugzilla.suse.com/1187973 SUSE Bug 1187973 https://bugzilla.suse.com/1187976 SUSE Bug 1187976 https://bugzilla.suse.com/1187977 SUSE Bug 1187977 https://www.suse.com/security/cve/CVE-2020-7774/ SUSE CVE CVE-2020-7774 page https://www.suse.com/security/cve/CVE-2021-22918/ SUSE CVE CVE-2021-22918 page https://www.suse.com/security/cve/CVE-2021-23362/ SUSE CVE CVE-2021-23362 page https://www.suse.com/security/cve/CVE-2021-27290/ SUSE CVE CVE-2021-27290 page https://www.suse.com/security/cve/CVE-2021-3449/ SUSE CVE CVE-2021-3449 page https://www.suse.com/security/cve/CVE-2021-3450/ SUSE CVE CVE-2021-3450 page SUSE Linux Enterprise Module for Web and Scripting 12 nodejs12-12.22.2-1.32.1 nodejs12-devel-12.22.2-1.32.1 nodejs12-docs-12.22.2-1.32.1 npm12-12.22.2-1.32.1 nodejs12-12.22.2-1.32.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 nodejs12-devel-12.22.2-1.32.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 nodejs12-docs-12.22.2-1.32.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 npm12-12.22.2-1.32.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 12 The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution. CVE-2020-7774 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-devel-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-docs-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:npm12-12.22.2-1.32.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212326-1/ https://www.suse.com/security/cve/CVE-2020-7774.html CVE-2020-7774 https://bugzilla.suse.com/1184450 SUSE Bug 1184450 Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo(). CVE-2021-22918 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-devel-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-docs-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:npm12-12.22.2-1.32.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212326-1/ https://www.suse.com/security/cve/CVE-2021-22918.html CVE-2021-22918 https://bugzilla.suse.com/1187973 SUSE Bug 1187973 The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity. CVE-2021-23362 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-devel-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-docs-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:npm12-12.22.2-1.32.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212326-1/ https://www.suse.com/security/cve/CVE-2021-23362.html CVE-2021-23362 https://bugzilla.suse.com/1187977 SUSE Bug 1187977 ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option. CVE-2021-27290 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-devel-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-docs-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:npm12-12.22.2-1.32.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212326-1/ https://www.suse.com/security/cve/CVE-2021-27290.html CVE-2021-27290 https://bugzilla.suse.com/1187976 SUSE Bug 1187976 An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). CVE-2021-3449 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-devel-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-docs-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:npm12-12.22.2-1.32.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212326-1/ https://www.suse.com/security/cve/CVE-2021-3449.html CVE-2021-3449 https://bugzilla.suse.com/1183852 SUSE Bug 1183852 The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j). CVE-2021-3450 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-devel-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:nodejs12-docs-12.22.2-1.32.1 SUSE Linux Enterprise Module for Web and Scripting 12:npm12-12.22.2-1.32.1 important 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212326-1/ https://www.suse.com/security/cve/CVE-2021-3450.html CVE-2021-3450 https://bugzilla.suse.com/1183851 SUSE Bug 1183851 https://bugzilla.suse.com/1188549 SUSE Bug 1188549 https://bugzilla.suse.com/1225628 SUSE Bug 1225628