SUSE-CU-2025:6800-1: Security update of bci/nodejs

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Mon Sep 15 14:47:58 UTC 2025 

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6800-1
Container Tags        : bci/node:20 , bci/node:20.19.2 , bci/node:20.19.2-55.27 , bci/nodejs:20 , bci/nodejs:20.19.2 , bci/nodejs:20.19.2-55.27
Container Release     : 55.27
Severity              : important
Type                  : security
References            : 1228260 1236589 1243397 1243706 1243933 1246197 1249191 1249348
                        1249367 CVE-2024-6874 CVE-2025-0665 CVE-2025-10148 CVE-2025-4947
                        CVE-2025-5025 CVE-2025-5399 CVE-2025-9086 
-----------------------------------------------------------------

The container bci/nodejs was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3198-1
Released:    Fri Sep 12 14:15:08 2025
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086
This update for curl fixes the following issues:

Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).    
    
Security issues fixed:

- CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589).
- CVE-2025-4947: QUIC certificate check is skipped with wolfSSL allows for MITM attacks (bsc#1243397).
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not
  easily noticed (bsc#1243706).
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing
  specially crafted packets (bsc#1243933).
- CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN
  backend (bsc#1228260).
- CVE-2025-9086: bug in patch comparison logic when processing cookies can lead to out-of-bounds read in heap buffer
  (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).

Other issues fixed:
    
- Fix wrong return code when --retry is used (bsc#1249367).
  * tool_operate: fix return code when --retry is used but not triggered [b42776b]
    
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]

- Fixed with version 8.14.1:
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.

  Please see https://curl.se/ch/ for full changelogs.


The following package changes have been done:

- libcurl4-8.14.1-150600.4.28.1 updated
- curl-8.14.1-150600.4.28.1 updated

More information about the sle-container-updates mailing list