SUSE-CU-2022:256-1: Security update of bci/nodejs
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Sun Mar 6 08:04:52 UTC 2022
SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:256-1
Container Tags : bci/node:14 , bci/node:14-14.13 , bci/nodejs:14 , bci/nodejs:14-14.13
Container Release : 14.13
Severity : important
Type : security
References : 1187512 1188348 1188507 1190447 1191962 1191963 1192153 1192154
1192696 1192954 1193632 1194976 1196025 1196026 1196168 1196169
1196171 CVE-2021-23343 CVE-2021-32803 CVE-2021-32804 CVE-2021-3807
CVE-2021-3918 CVE-2021-3995 CVE-2021-3996 CVE-2022-25235 CVE-2022-25236
CVE-2022-25313 CVE-2022-25314 CVE-2022-25315
-----------------------------------------------------------------
The container bci/nodejs was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2626-1
Released: Thu Aug 5 12:10:35 2021
Summary: Recommended maintenance update for libeconf
Type: recommended
Severity: moderate
References: 1188348
This update for libeconf fixes the following issue:
- Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:674-1
Released: Wed Mar 2 13:24:38 2022
Summary: Recommended update for yast2-network
Type: recommended
Severity: moderate
References: 1187512
This update for yast2-network fixes the following issues:
- Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:692-1
Released: Thu Mar 3 15:46:47 2022
Summary: Recommended update for filesystem
Type: recommended
Severity: moderate
References: 1190447
This update for filesystem fixes the following issues:
- Release ported filesystem to LTSS channels (bsc#1190447).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:713-1
Released: Fri Mar 4 09:34:17 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315
This update for expat fixes the following issues:
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:715-1
Released: Fri Mar 4 09:37:47 2022
Summary: Security update for nodejs14
Type: security
Severity: important
References: 1191962,1191963,1192153,1192154,1192696,CVE-2021-23343,CVE-2021-32803,CVE-2021-32804,CVE-2021-3807,CVE-2021-3918
This update for nodejs14 fixes the following issues:
- CVE-2021-23343: Fixed ReDoS via splitDeviceRe, splitTailRe and splitPathRe (bsc#1192153).
- CVE-2021-32803: Fixed insufficient symlink protection in node-tar allowing arbitrary file creation and overwrite (bsc#1191963).
- CVE-2021-32804: Fixed insufficient absolute path sanitization in node-tar allowing arbitrary file creation and overwrite (bsc#1191962).
- CVE-2021-3918: Fixed improper controlled modification of object prototype attributes in json-schema (bsc#1192696).
- CVE-2021-3807: Fixed regular expression denial of service (ReDoS) matching ANSI escape codes in node-ansi-regex (bsc#1192154).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:727-1
Released: Fri Mar 4 10:39:21 2022
Summary: Security update for libeconf, shadow and util-linux
Type: security
Severity: moderate
References: 1188507,1192954,1193632,1194976,CVE-2021-3995,CVE-2021-3996
This security update for libeconf, shadow and util-linux fix the following issues:
libeconf:
- Add libeconf to SLE-Module-Basesystem_15-SP3 because needed by 'util-linux' and 'shadow'
to fix autoyast handling of security related parameters (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)
Issues fixed in libeconf:
- Reading numbers with different bases (e.g. oktal) (bsc#1193632) (#157)
- Fixed different issues while writing string values to file.
- Writing comments to file too.
- Fixed crash while merging values.
- Added econftool cat option (#146)
- new API call: econf_readDirsHistory (showing ALL locations)
- new API call: econf_getPath (absolute path of the configuration file)
- Man pages libeconf.3 and econftool.8.
- Handling multiline strings.
- Added libeconf_ext which returns more information like
line_nr, comments, path of the configuration file,...
- Econftool, an command line interface for handling configuration
files.
- Generating HTML API documentation with doxygen.
- Improving error handling and semantic file check.
- Joining entries with the same key to one single entry if
env variable ECONF_JOIN_SAME_ENTRIES has been set.
shadow:
- The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to
read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)
util-linux:
- The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to
read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)
- Allow use of larger values for start sector to prevent `blockdev --report` aborting (bsc#1188507)
- Fixed `blockdev --report` using non-space characters as a field separator (bsc#1188507)
- CVE-2021-3995: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976)
- CVE-2021-3996: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976)
The following package changes have been done:
- filesystem-15.0-11.5.1 updated
- libaugeas0-1.10.1-3.5.1 updated
- libblkid1-2.36.2-150300.4.14.3 updated
- libeconf0-0.4.4+git20220104.962774f-150300.3.6.2 added
- libexpat1-2.2.5-3.15.1 updated
- libfdisk1-2.36.2-150300.4.14.3 updated
- libmount1-2.36.2-150300.4.14.3 updated
- libsmartcols1-2.36.2-150300.4.14.3 updated
- libuuid1-2.36.2-150300.4.14.3 updated
- login_defs-4.8.1-150300.4.3.8 updated
- nodejs14-14.19.0-15.27.1 updated
- npm14-14.19.0-15.27.1 updated
- shadow-4.8.1-150300.4.3.8 updated
- util-linux-2.36.2-150300.4.14.3 updated
- container:sles15-image-15.0.0-17.8.86 updated
More information about the sle-security-updates
mailing list