SUSE-CU-2024:796-1: Security update of bci/nodejs

sle-container-updates at lists.suse.com
Tue Mar 5 08:03:25 UTC 2024


SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:796-1
Container Tags        : bci/node:18 , bci/node:18-16.19 , bci/nodejs:18 , bci/nodejs:18-16.19
Container Release     : 16.19
Severity              : important
Type                  : security
References            : 1219724 1219992 1219993 1219997 1220014 1220017 CVE-2023-46809
                        CVE-2024-21892 CVE-2024-22019 CVE-2024-22025 CVE-2024-24758 CVE-2024-24806
-----------------------------------------------------------------

The container bci/nodejs was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:730-1
Released:    Thu Feb 29 13:00:43 2024
Summary:     Security update for nodejs18
Type:        security
Severity:    important
References:  1219724,1219992,1219993,1219997,1220014,1220017,CVE-2023-46809,CVE-2024-21892,CVE-2024-22019,CVE-2024-22025,CVE-2024-24758,CVE-2024-24806
This update for nodejs18 fixes the following issues:

Update to 18.19.1: (security updates)

* CVE-2024-21892: Code injection and privilege escalation through Linux capabilities (bsc#1219992).
* CVE-2024-22019: http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (bsc#1219993).
* CVE-2023-46809: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) (bsc#1219997).
* CVE-2024-22025: Denial of Service by resource exhaustion in fetch() brotli decoding (bsc#1220014).
* CVE-2024-24758: undici version 5.28.3 (bsc#1220017).
* CVE-2024-24806: libuv version 1.48.0 (bsc#1219724).

Update to LTS version 18.19.0

* deps: npm updates to 10.x
* esm:
  + Leverage loaders when resolving subsequent loaders
  + import.meta.resolve unflagged
  + --experimental-default-type flag to flip module defaults


The following package changes have been done:

- nodejs18-18.19.1-150400.9.18.2 updated
- npm18-18.19.1-150400.9.18.2 updated
- container:sles15-image-15.0.0-36.11.8 updated

