SUSE-CU-2024:3194-1: Security update of bci/nodejs

[sle-container-updates at lists.suse.com]

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:3194-1
Container Tags        : bci/node:18 , bci/node:18-26.9 , bci/nodejs:18 , bci/nodejs:18-26.9
Container Release     : 26.9
Severity              : moderate
Type                  : security
References            : 1222665 1227554 1227560 CVE-2024-22020 CVE-2024-27980 CVE-2024-36138
-----------------------------------------------------------------

The container bci/nodejs was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2542-1
Released:    Wed Jul 17 09:51:35 2024
Summary:     Security update for nodejs18
Type:        security
Severity:    moderate
References:  1222665,1227554,1227560,CVE-2024-22020,CVE-2024-27980,CVE-2024-36138
This update for nodejs18 fixes the following issues:

Update to 18.20.4:

- CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560)
- CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554)

Changes in 18.20.3:

- This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly closing idle connections.
  deps:
  - acorn updated to 8.11.3.
  - acorn-walk updated to 8.3.2.
  - ada updated to 2.7.8.
  - c-ares updated to 1.28.1.
  - corepack updated to 0.28.0.
  - nghttp2 updated to 1.61.0.
  - ngtcp2 updated to 1.3.0.
  - npm updated to 10.7.0. Includes a fix from npm at 10.5.1 to limit the number of open connections npm/cli#7324.
  - simdutf updated to 5.2.4.

Changes in 18.20.2:

- CVE-2024-27980: Fixed command injection via args parameter of child_process.spawn without shell option enabled on Windows (bsc#1222665)


The following package changes have been done:

- nodejs18-18.20.4-150400.9.24.2 updated
- npm18-18.20.4-150400.9.24.2 updated