{"affected":[{"ecosystem_specific":{"binaries":[{"nodejs16":"16.17.0-8.9.1","nodejs16-devel":"16.17.0-8.9.1","nodejs16-docs":"16.17.0-8.9.1","npm16":"16.17.0-8.9.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Web and Scripting 12","name":"nodejs16","purl":"pkg:rpm/suse/nodejs16&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"16.17.0-8.9.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for nodejs16 fixes the following issues:\n\n- CVE-2022-35949: Fixed SSRF when an application passes user input into the path/pathname option of undici.request (bsc#1202382).\n- CVE-2022-35948: Fixed CRLF injection via Content-Type (bsc#1202383).\n- CVE-2022-29244: Fixed npm pack ignoring root-level .gitignore and .npmignore file exclusion directives when run in a workspace (bsc#1200517).\n- CVE-2022-31150: Fixed CRLF injection in node-undici (bsc#1201710).\n\nBugfixes:\n\n- Enable crypto-policies for SLE15 SP4+ and TW (bsc#1200303)\n","id":"SUSE-SU-2022:3196-1","modified":"2022-09-08T08:35:42Z","published":"2022-09-08T08:35:42Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2022/suse-su-20223196-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1200303"},{"type":"REPORT","url":"https://bugzilla.suse.com/1200517"},{"type":"REPORT","url":"https://bugzilla.suse.com/1201710"},{"type":"REPORT","url":"https://bugzilla.suse.com/1202382"},{"type":"REPORT","url":"https://bugzilla.suse.com/1202383"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-29244"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-31150"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-35948"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-35949"}],"related":["CVE-2022-29244","CVE-2022-31150","CVE-2022-35948","CVE-2022-35949"],"summary":"Security update for nodejs16","upstream":["CVE-2022-29244","CVE-2022-31150","CVE-2022-35948","CVE-2022-35949"]}