SUSE-CU-2024:3240-1: Security update of bci/nodejs

sle-container-updates at lists.suse.com
Tue Jul 23 07:05:46 UTC 2024


SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:3240-1
Container Tags        : bci/node:20 , bci/node:20-31.10 , bci/node:latest , bci/nodejs:20 , bci/nodejs:20-31.10 , bci/nodejs:latest
Container Release     : 31.10
Severity              : important
Type                  : security
References            : 1219660 1227554 1227560 1227561 1227562 1227563 CVE-2024-22018
                        CVE-2024-22020 CVE-2024-24577 CVE-2024-27980 CVE-2024-36137 CVE-2024-36138
                        CVE-2024-37372 
-----------------------------------------------------------------

The container bci/nodejs was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2574-1
Released:    Mon Jul 22 12:35:14 2024
Summary:     Security update for nodejs20
Type:        security
Severity:    moderate
References:  1227554,1227560,1227561,1227562,1227563,CVE-2024-22018,CVE-2024-22020,CVE-2024-27980,CVE-2024-36137,CVE-2024-36138,CVE-2024-37372
This update for nodejs20 fixes the following issues:

Update to 20.15.1:

- CVE-2024-36138: Fixed a bypass of the CVE-2024-27980 fix (bsc#1227560)
- CVE-2024-22020: Fixed a bypass of the network import restriction via data URL (bsc#1227554)
- CVE-2024-22018: Fixed fs.lstat bypassing the permission model (bsc#1227562)
- CVE-2024-36137: Fixed fs.fchown/fchmod bypassing the permission model (bsc#1227561)
- CVE-2024-37372: Fixed improper processing of UNC paths by the permission model (bsc#1227563)

Changes in 20.15.0:

- test_runner: support test plans
- inspector: introduce the --inspect-wait flag
- zlib: expose zlib.crc32()
- cli: allow running wasm in limited vmem with --disable-wasm-trap-handler

Changes in 20.14.0:

- src,permission: throw async errors on async APIs
- test_runner: support forced exit

Changes in 20.13.1:

- buffer: improve base64 and base64url performance
- crypto: deprecate implicitly shortened GCM tags
- events,doc: mark CustomEvent as stable
- fs: add stacktrace to fs/promises
- report: add --report-exclude-network option
- src: add uv_get_available_memory to report and process
- stream: support typed arrays
- util: support array of formats in util.styleText
- v8: implement v8.queryObjects() for memory leak regression testing
- watch: mark as stable

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2579-1
Released:    Mon Jul 22 12:36:34 2024
Summary:     Security update for git
Type:        security
Severity:    important
References:  1219660,CVE-2024-24577
This update for git fixes the following issues:

- CVE-2024-24577: Fixed arbitrary code execution due to heap corruption in git_index_add (bsc#1219660)


The following package changes have been done:

- nodejs20-20.15.1-150600.3.3.2 updated
- npm20-20.15.1-150600.3.3.2 updated
- git-core-2.43.0-150600.3.6.1 updated

