Security update for nodejs8 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0059-1 Final 1 1 2020-01-14T23:14:09Z current 2020-01-14T23:14:09Z 2020-01-14T23:14:09Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs8 This update for nodejs8 to version 8.17.0 fixes the following issues: Security issues fixed: - CVE-2019-16777, CVE-2019-16776, CVE-2019-16775: Updated npm to 6.13.4, fixing an arbitrary path overwrite and access via 'bin' field (bsc#1159352). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-59 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZTYFGA4QM5SQ3SGXQOYK3EH3UJ2NB6H7/ E-Mail link for openSUSE-SU-2020:0059-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1149792 SUSE Bug 1149792 https://bugzilla.suse.com/1159352 SUSE Bug 1159352 https://www.suse.com/security/cve/CVE-2019-16775/ SUSE CVE CVE-2019-16775 page https://www.suse.com/security/cve/CVE-2019-16776/ SUSE CVE CVE-2019-16776 page https://www.suse.com/security/cve/CVE-2019-16777/ SUSE CVE CVE-2019-16777 page openSUSE Leap 15.1 nodejs8-8.17.0-lp151.2.9.1 nodejs8-devel-8.17.0-lp151.2.9.1 nodejs8-docs-8.17.0-lp151.2.9.1 npm8-8.17.0-lp151.2.9.1 nodejs8-8.17.0-lp151.2.9.1 as a component of openSUSE Leap 15.1 nodejs8-devel-8.17.0-lp151.2.9.1 as a component of openSUSE Leap 15.1 nodejs8-docs-8.17.0-lp151.2.9.1 as a component of openSUSE Leap 15.1 npm8-8.17.0-lp151.2.9.1 as a component of openSUSE Leap 15.1 Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. CVE-2019-16775 openSUSE Leap 15.1:nodejs8-8.17.0-lp151.2.9.1 openSUSE Leap 15.1:nodejs8-devel-8.17.0-lp151.2.9.1 openSUSE Leap 15.1:nodejs8-docs-8.17.0-lp151.2.9.1 openSUSE Leap 15.1:npm8-8.17.0-lp151.2.9.1 important 4 AV:N/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZTYFGA4QM5SQ3SGXQOYK3EH3UJ2NB6H7/ https://www.suse.com/security/cve/CVE-2019-16775.html CVE-2019-16775 https://bugzilla.suse.com/1159352 SUSE Bug 1159352 Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. CVE-2019-16776 openSUSE Leap 15.1:nodejs8-8.17.0-lp151.2.9.1 openSUSE Leap 15.1:nodejs8-devel-8.17.0-lp151.2.9.1 openSUSE Leap 15.1:nodejs8-docs-8.17.0-lp151.2.9.1 openSUSE Leap 15.1:npm8-8.17.0-lp151.2.9.1 important 5.5 AV:N/AC:L/Au:S/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZTYFGA4QM5SQ3SGXQOYK3EH3UJ2NB6H7/ https://www.suse.com/security/cve/CVE-2019-16776.html CVE-2019-16776 https://bugzilla.suse.com/1159352 SUSE Bug 1159352 Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. CVE-2019-16777 openSUSE Leap 15.1:nodejs8-8.17.0-lp151.2.9.1 openSUSE Leap 15.1:nodejs8-devel-8.17.0-lp151.2.9.1 openSUSE Leap 15.1:nodejs8-docs-8.17.0-lp151.2.9.1 openSUSE Leap 15.1:npm8-8.17.0-lp151.2.9.1 important 5.5 AV:N/AC:L/Au:S/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZTYFGA4QM5SQ3SGXQOYK3EH3UJ2NB6H7/ https://www.suse.com/security/cve/CVE-2019-16777.html CVE-2019-16777 https://bugzilla.suse.com/1159352 SUSE Bug 1159352