Security update for nodejs8 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0293-1 Final 1 1 2020-03-03T17:13:16Z current 2020-03-03T17:13:16Z 2020-03-03T17:13:16Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs8 This update for nodejs8 fixes the following issues: Security issues fixed: - CVE-2019-15604: Fixed a remotely triggerable assertion in the TLS server via a crafted certificate string (CVE-2019-15604, bsc#1163104). - CVE-2019-15605: Fixed an HTTP request smuggling vulnerability via malformed Transfer-Encoding header (CVE-2019-15605, bsc#1163102). - CVE-2019-15606: Fixed the white space sanitation of HTTP headers (CVE-2019-15606, bsc#1163103). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-293 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LLBX73ZML2HFTXADVLS3JFSWUPDITBSK/ E-Mail link for openSUSE-SU-2020:0293-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1163102 SUSE Bug 1163102 https://bugzilla.suse.com/1163103 SUSE Bug 1163103 https://bugzilla.suse.com/1163104 SUSE Bug 1163104 https://www.suse.com/security/cve/CVE-2019-15604/ SUSE CVE CVE-2019-15604 page https://www.suse.com/security/cve/CVE-2019-15605/ SUSE CVE CVE-2019-15605 page https://www.suse.com/security/cve/CVE-2019-15606/ SUSE CVE CVE-2019-15606 page openSUSE Leap 15.1 nodejs8-8.17.0-lp151.2.12.1 nodejs8-devel-8.17.0-lp151.2.12.1 nodejs8-docs-8.17.0-lp151.2.12.1 npm8-8.17.0-lp151.2.12.1 nodejs8-8.17.0-lp151.2.12.1 as a component of openSUSE Leap 15.1 nodejs8-devel-8.17.0-lp151.2.12.1 as a component of openSUSE Leap 15.1 nodejs8-docs-8.17.0-lp151.2.12.1 as a component of openSUSE Leap 15.1 npm8-8.17.0-lp151.2.12.1 as a component of openSUSE Leap 15.1 Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate CVE-2019-15604 openSUSE Leap 15.1:nodejs8-8.17.0-lp151.2.12.1 openSUSE Leap 15.1:nodejs8-devel-8.17.0-lp151.2.12.1 openSUSE Leap 15.1:nodejs8-docs-8.17.0-lp151.2.12.1 openSUSE Leap 15.1:npm8-8.17.0-lp151.2.12.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LLBX73ZML2HFTXADVLS3JFSWUPDITBSK/ https://www.suse.com/security/cve/CVE-2019-15604.html CVE-2019-15604 https://bugzilla.suse.com/1163104 SUSE Bug 1163104 HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed CVE-2019-15605 openSUSE Leap 15.1:nodejs8-8.17.0-lp151.2.12.1 openSUSE Leap 15.1:nodejs8-devel-8.17.0-lp151.2.12.1 openSUSE Leap 15.1:nodejs8-docs-8.17.0-lp151.2.12.1 openSUSE Leap 15.1:npm8-8.17.0-lp151.2.12.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LLBX73ZML2HFTXADVLS3JFSWUPDITBSK/ https://www.suse.com/security/cve/CVE-2019-15605.html CVE-2019-15605 https://bugzilla.suse.com/1163102 SUSE Bug 1163102 Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons CVE-2019-15606 openSUSE Leap 15.1:nodejs8-8.17.0-lp151.2.12.1 openSUSE Leap 15.1:nodejs8-devel-8.17.0-lp151.2.12.1 openSUSE Leap 15.1:nodejs8-docs-8.17.0-lp151.2.12.1 openSUSE Leap 15.1:npm8-8.17.0-lp151.2.12.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LLBX73ZML2HFTXADVLS3JFSWUPDITBSK/ https://www.suse.com/security/cve/CVE-2019-15606.html CVE-2019-15606 https://bugzilla.suse.com/1163103 SUSE Bug 1163103