Security update for nodejs16 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:4003-1 Final 1 1 2022-11-15T16:10:03Z current 2022-11-15T16:10:03Z 2022-11-15T16:10:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs16 This update for nodejs16 fixes the following issues: - Update to LTS versino 16.18.1: - CVE-2022-43548: Fixed DNS rebinding in --inspect via invalid octal IP address (bsc#1205119). - Update to LTS version 16.18.0: * http: throw error on content-length mismatch * stream: add ReadableByteStream.tee() * deps: npm updated to 8.19.2 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/node:16-2022-4003,SUSE-2022-4003,SUSE-SLE-Module-Web-Scripting-15-SP4-2022-4003,openSUSE-SLE-15.4-2022-4003 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20224003-1/ Link for SUSE-SU-2022:4003-1 https://lists.suse.com/pipermail/sle-security-updates/2022-November/012938.html E-Mail link for SUSE-SU-2022:4003-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1205119 SUSE Bug 1205119 https://www.suse.com/security/cve/CVE-2022-43548/ SUSE CVE CVE-2022-43548 page Container bci/node:16 SUSE Linux Enterprise Module for Web and Scripting 15 SP4 openSUSE Leap 15.4 nodejs16-16.18.1-150400.3.12.1 npm16-16.18.1-150400.3.12.1 corepack16-16.18.1-150400.3.12.1 nodejs16-devel-16.18.1-150400.3.12.1 nodejs16-docs-16.18.1-150400.3.12.1 nodejs16-16.18.1-150400.3.12.1 as a component of Container bci/node:16 npm16-16.18.1-150400.3.12.1 as a component of Container bci/node:16 nodejs16-16.18.1-150400.3.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP4 nodejs16-devel-16.18.1-150400.3.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP4 nodejs16-docs-16.18.1-150400.3.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP4 npm16-16.18.1-150400.3.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP4 corepack16-16.18.1-150400.3.12.1 as a component of openSUSE Leap 15.4 nodejs16-16.18.1-150400.3.12.1 as a component of openSUSE Leap 15.4 nodejs16-devel-16.18.1-150400.3.12.1 as a component of openSUSE Leap 15.4 nodejs16-docs-16.18.1-150400.3.12.1 as a component of openSUSE Leap 15.4 npm16-16.18.1-150400.3.12.1 as a component of openSUSE Leap 15.4 A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix. CVE-2022-43548 Container bci/node:16:nodejs16-16.18.1-150400.3.12.1 Container bci/node:16:npm16-16.18.1-150400.3.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs16-16.18.1-150400.3.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs16-devel-16.18.1-150400.3.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs16-docs-16.18.1-150400.3.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:npm16-16.18.1-150400.3.12.1 openSUSE Leap 15.4:corepack16-16.18.1-150400.3.12.1 openSUSE Leap 15.4:nodejs16-16.18.1-150400.3.12.1 openSUSE Leap 15.4:nodejs16-devel-16.18.1-150400.3.12.1 openSUSE Leap 15.4:nodejs16-docs-16.18.1-150400.3.12.1 openSUSE Leap 15.4:npm16-16.18.1-150400.3.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20224003-1/ https://www.suse.com/security/cve/CVE-2022-43548.html CVE-2022-43548 https://bugzilla.suse.com/1205119 SUSE Bug 1205119