SUSE-SU-2024:2496-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:2496-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2024:2496-1
Related
Published
2024-07-16T07:33:47Z
Modified
2024-07-16T07:33:47Z
Summary
Security update for nodejs18
Details

This update for nodejs18 fixes the following issues:

Update to 18.20.4:

  • CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560)
  • CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554)

Changes in 18.20.3:

  • This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly closing idle connections. deps:
    • acorn updated to 8.11.3.
    • acorn-walk updated to 8.3.2.
    • ada updated to 2.7.8.
    • c-ares updated to 1.28.1.
    • corepack updated to 0.28.0.
    • nghttp2 updated to 1.61.0.
    • ngtcp2 updated to 1.3.0.
    • npm updated to 10.7.0. Includes a fix from npm@10.5.1 to limit the number of open connections npm/cli#7324.
    • simdutf updated to 5.2.4.

Changes in 18.20.2:

  • CVE-2024-27980: Fixed command injection via args parameter of child_process.spawn without shell option enabled on Windows (bsc#1222665)
References

Affected packages

SUSE:Linux Enterprise Module for Web and Scripting 12 / nodejs18

Package

Name
nodejs18
Purl
purl:rpm/suse/nodejs18&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
18.20.4-8.24.1

Ecosystem specific 

{
    "binaries": [
        {
            "nodejs18": "18.20.4-8.24.1",
            "npm18": "18.20.4-8.24.1",
            "nodejs18-devel": "18.20.4-8.24.1",
            "nodejs18-docs": "18.20.4-8.24.1"
        }
    ]
}