Security update for nodejs8 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:1694-1 Final 1 1 2022-05-17T07:13:45Z current 2022-05-17T07:13:45Z 2022-05-17T07:13:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs8 This update for nodejs8 fixes the following issues: - CVE-2021-44906: Fixed prototype pollution in npm dependency (bsc#1198247). - CVE-2021-44907: Fixed insuficient sanitation in npm dependency (bsc#1197283). - CVE-2022-0235: Fixed passing of cookie data and sensitive headers to different hostnames in node-fetch-npm (bsc#1194819). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-1694,openSUSE-SLE-15.3-2022-1694,openSUSE-SLE-15.4-2022-1694 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20221694-1/ Link for SUSE-SU-2022:1694-1 https://lists.suse.com/pipermail/sle-security-updates/2022-May/011051.html E-Mail link for SUSE-SU-2022:1694-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1194819 SUSE Bug 1194819 https://bugzilla.suse.com/1197283 SUSE Bug 1197283 https://bugzilla.suse.com/1198247 SUSE Bug 1198247 https://www.suse.com/security/cve/CVE-2021-44906/ SUSE CVE CVE-2021-44906 page https://www.suse.com/security/cve/CVE-2021-44907/ SUSE CVE CVE-2021-44907 page https://www.suse.com/security/cve/CVE-2022-0235/ SUSE CVE CVE-2022-0235 page openSUSE Leap 15.3 openSUSE Leap 15.4 nodejs8-8.17.0-150200.10.22.1 nodejs8-devel-8.17.0-150200.10.22.1 nodejs8-docs-8.17.0-150200.10.22.1 npm8-8.17.0-150200.10.22.1 nodejs8-8.17.0-150200.10.22.1 as a component of openSUSE Leap 15.3 nodejs8-devel-8.17.0-150200.10.22.1 as a component of openSUSE Leap 15.3 nodejs8-docs-8.17.0-150200.10.22.1 as a component of openSUSE Leap 15.3 npm8-8.17.0-150200.10.22.1 as a component of openSUSE Leap 15.3 nodejs8-8.17.0-150200.10.22.1 as a component of openSUSE Leap 15.4 nodejs8-devel-8.17.0-150200.10.22.1 as a component of openSUSE Leap 15.4 nodejs8-docs-8.17.0-150200.10.22.1 as a component of openSUSE Leap 15.4 npm8-8.17.0-150200.10.22.1 as a component of openSUSE Leap 15.4 Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). CVE-2021-44906 openSUSE Leap 15.3:nodejs8-8.17.0-150200.10.22.1 openSUSE Leap 15.3:nodejs8-devel-8.17.0-150200.10.22.1 openSUSE Leap 15.3:nodejs8-docs-8.17.0-150200.10.22.1 openSUSE Leap 15.3:npm8-8.17.0-150200.10.22.1 openSUSE Leap 15.4:nodejs8-8.17.0-150200.10.22.1 openSUSE Leap 15.4:nodejs8-devel-8.17.0-150200.10.22.1 openSUSE Leap 15.4:nodejs8-docs-8.17.0-150200.10.22.1 openSUSE Leap 15.4:npm8-8.17.0-150200.10.22.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20221694-1/ https://www.suse.com/security/cve/CVE-2021-44906.html CVE-2021-44906 https://bugzilla.suse.com/1198247 SUSE Bug 1198247 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. CVE-2021-44907 openSUSE Leap 15.3:nodejs8-8.17.0-150200.10.22.1 openSUSE Leap 15.3:nodejs8-devel-8.17.0-150200.10.22.1 openSUSE Leap 15.3:nodejs8-docs-8.17.0-150200.10.22.1 openSUSE Leap 15.3:npm8-8.17.0-150200.10.22.1 openSUSE Leap 15.4:nodejs8-8.17.0-150200.10.22.1 openSUSE Leap 15.4:nodejs8-devel-8.17.0-150200.10.22.1 openSUSE Leap 15.4:nodejs8-docs-8.17.0-150200.10.22.1 openSUSE Leap 15.4:npm8-8.17.0-150200.10.22.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20221694-1/ https://www.suse.com/security/cve/CVE-2021-44907.html CVE-2021-44907 https://bugzilla.suse.com/1197283 SUSE Bug 1197283 node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor CVE-2022-0235 openSUSE Leap 15.3:nodejs8-8.17.0-150200.10.22.1 openSUSE Leap 15.3:nodejs8-devel-8.17.0-150200.10.22.1 openSUSE Leap 15.3:nodejs8-docs-8.17.0-150200.10.22.1 openSUSE Leap 15.3:npm8-8.17.0-150200.10.22.1 openSUSE Leap 15.4:nodejs8-8.17.0-150200.10.22.1 openSUSE Leap 15.4:nodejs8-devel-8.17.0-150200.10.22.1 openSUSE Leap 15.4:nodejs8-docs-8.17.0-150200.10.22.1 openSUSE Leap 15.4:npm8-8.17.0-150200.10.22.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20221694-1/ https://www.suse.com/security/cve/CVE-2022-0235.html CVE-2022-0235 https://bugzilla.suse.com/1194819 SUSE Bug 1194819