Security update for nodejs12 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1616-1 Final 1 1 2020-10-05T04:22:45Z current 2020-10-05T04:22:45Z 2020-10-05T04:22:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs12 This update for nodejs12 fixes the following issues: - nodejs12 was updated to 12.18.4 LTS: - CVE-2020-8201: Fixed an HTTP Request Smuggling due to CR-to-Hyphen conversion (bsc#1176605). - CVE-2020-8252: Fixed a buffer overflow in realpath (bsc#1176589). - CVE-2020-15095: Fixed an information leak through log files (bsc#1173937). - Explicitly add -fno-strict-aliasing to CFLAGS to fix compilation on Aarch64 with gcc10 (bsc#1172686) This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1616 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5CMPMUA4PV5TIZ4ZIY7PTL3KUZIS2IAM/ E-Mail link for openSUSE-SU-2020:1616-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1172686 SUSE Bug 1172686 https://bugzilla.suse.com/1173937 SUSE Bug 1173937 https://bugzilla.suse.com/1176589 SUSE Bug 1176589 https://bugzilla.suse.com/1176605 SUSE Bug 1176605 https://www.suse.com/security/cve/CVE-2020-15095/ SUSE CVE CVE-2020-15095 page https://www.suse.com/security/cve/CVE-2020-8201/ SUSE CVE CVE-2020-8201 page https://www.suse.com/security/cve/CVE-2020-8252/ SUSE CVE CVE-2020-8252 page openSUSE Leap 15.2 nodejs12-12.18.4-lp152.3.6.1 nodejs12-devel-12.18.4-lp152.3.6.1 nodejs12-docs-12.18.4-lp152.3.6.1 npm12-12.18.4-lp152.3.6.1 nodejs12-12.18.4-lp152.3.6.1 as a component of openSUSE Leap 15.2 nodejs12-devel-12.18.4-lp152.3.6.1 as a component of openSUSE Leap 15.2 nodejs12-docs-12.18.4-lp152.3.6.1 as a component of openSUSE Leap 15.2 npm12-12.18.4-lp152.3.6.1 as a component of openSUSE Leap 15.2 Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files. CVE-2020-15095 openSUSE Leap 15.2:nodejs12-12.18.4-lp152.3.6.1 openSUSE Leap 15.2:nodejs12-devel-12.18.4-lp152.3.6.1 openSUSE Leap 15.2:nodejs12-docs-12.18.4-lp152.3.6.1 openSUSE Leap 15.2:npm12-12.18.4-lp152.3.6.1 moderate 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5CMPMUA4PV5TIZ4ZIY7PTL3KUZIS2IAM/ https://www.suse.com/security/cve/CVE-2020-15095.html CVE-2020-15095 https://bugzilla.suse.com/1173937 SUSE Bug 1173937 Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names. CVE-2020-8201 openSUSE Leap 15.2:nodejs12-12.18.4-lp152.3.6.1 openSUSE Leap 15.2:nodejs12-devel-12.18.4-lp152.3.6.1 openSUSE Leap 15.2:nodejs12-docs-12.18.4-lp152.3.6.1 openSUSE Leap 15.2:npm12-12.18.4-lp152.3.6.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5CMPMUA4PV5TIZ4ZIY7PTL3KUZIS2IAM/ https://www.suse.com/security/cve/CVE-2020-8201.html CVE-2020-8201 https://bugzilla.suse.com/1176605 SUSE Bug 1176605 The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes. CVE-2020-8252 openSUSE Leap 15.2:nodejs12-12.18.4-lp152.3.6.1 openSUSE Leap 15.2:nodejs12-devel-12.18.4-lp152.3.6.1 openSUSE Leap 15.2:nodejs12-docs-12.18.4-lp152.3.6.1 openSUSE Leap 15.2:npm12-12.18.4-lp152.3.6.1 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5CMPMUA4PV5TIZ4ZIY7PTL3KUZIS2IAM/ https://www.suse.com/security/cve/CVE-2020-8252.html CVE-2020-8252 https://bugzilla.suse.com/1176589 SUSE Bug 1176589