SUSE-SU-2024:2496-1
- Source
- https://www.suse.com/support/update/announcement/2024/suse-su-20242496-1/
- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:2496-1.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/SUSE-SU-2024:2496-1
- Upstream
- Related
- Published
- 2024-07-16T07:33:47Z
- Modified
- 2026-01-30T02:26:28.353981Z
- Summary
- Security update for nodejs18
- Details
-
This update for nodejs18 fixes the following issues:
Update to 18.20.4:
- CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560)
- CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554)
Changes in 18.20.3:
- This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly closing idle connections.
deps:
- acorn updated to 8.11.3.
- acorn-walk updated to 8.3.2.
- ada updated to 2.7.8.
- c-ares updated to 1.28.1.
- corepack updated to 0.28.0.
- nghttp2 updated to 1.61.0.
- ngtcp2 updated to 1.3.0.
- npm updated to 10.7.0. Includes a fix from npm@10.5.1 to limit the number of open connections npm/cli#7324.
- simdutf updated to 5.2.4.
Changes in 18.20.2:
- CVE-2024-27980: Fixed command injection via args parameter of child_process.spawn without shell option enabled on Windows (bsc#1222665)
- References
-
- https://www.suse.com/support/update/announcement/2024/suse-su-20242496-1/
- https://bugzilla.suse.com/1222665
- https://bugzilla.suse.com/1227554
- https://bugzilla.suse.com/1227560
- https://www.suse.com/security/cve/CVE-2024-22020
- https://www.suse.com/security/cve/CVE-2024-27980
- https://www.suse.com/security/cve/CVE-2024-36138
Affected packages
SUSE:Linux Enterprise Module for Web and Scripting 12 / nodejs18
Package
- Name
- nodejs18
- Purl
- pkg:rpm/suse/nodejs18&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed18.20.4-8.24.1