SUSE-CU-2025:4246-1: Security update of bci/nodejs
sle-container-updates at lists.suse.com
Thu Jun 12 07:09:52 UTC 2025
SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4246-1
Container Tags : bci/node:22 , bci/node:22.15.1 , bci/node:22.15.1-35.6 , bci/nodejs:22 , bci/nodejs:22.15.1 , bci/nodejs:22.15.1-35.6
Container Release : 35.6
Severity : important
Type : security
References : 1239949 1241050 1243217 1243218 CVE-2025-23165 CVE-2025-23166
-----------------------------------------------------------------
The container bci/nodejs was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1878-1
Released: Wed Jun 11 07:41:13 2025
Summary: Security update for nodejs22
Type: security
Severity: important
References: 1239949,1241050,1243217,1243218,CVE-2025-23165,CVE-2025-23166
This update for nodejs22 fixes the following issues:
Update to version 22.15.1.
Security issues fixed:
- CVE-2025-23166: remotely triggerable process crash due to improper error handling in async cryptographic operations (bsc#1243218).
- CVE-2025-23165: memory leak and unbounded memory growth due to corrupted pointer in `node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args)` when `args[0]` is a string (bsc#1243217).
Other changes and issues fixed:
- Changes from version 22.15.0
  * dns: add TLSA record query and parsing
  * assert: improve partialDeepStrictEqual
  * process: add execve
  * tls: implement tls.getCACertificates()
  * v8: add v8.getCppHeapStatistics() method
- Changes from version 22.14.0
  * fs: allow exclude option in globs to accept glob patterns
  * lib: add typescript support to STDIN eval
  * module: add ERR_UNSUPPORTED_TYPESCRIPT_SYNTAX
  * module: add findPackageJSON util
  * process: add process.ref() and process.unref() methods
  * sqlite: support TypedArray and DataView in StatementSync
  * src: add --disable-sigusr1 to prevent signal i/o thread
  * src,worker: add isInternalWorker
  * test_runner: add TestContext.prototype.waitFor()
  * test_runner: add t.assert.fileSnapshot()
  * test_runner: add assert.register() API
  * worker: add eval ts input
- Build with PIE (bsc#1239949).
- Fix builds with OpenSSL 3.5.0 (bsc#1241050).
The following package changes have been done:
- nodejs22-22.15.1-150600.13.9.1 updated
- npm22-22.15.1-150600.13.9.1 updated
- libcares2-1.19.1-150000.3.26.1 removed
- netcfg-11.6-150000.3.6.1 removed