{"affected":[{"ecosystem_specific":{"binaries":[{"nodejs16":"16.20.1-8.30.1","nodejs16-devel":"16.20.1-8.30.1","nodejs16-docs":"16.20.1-8.30.1","npm16":"16.20.1-8.30.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Web and Scripting 12","name":"nodejs16","purl":"pkg:rpm/suse/nodejs16&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"16.20.1-8.30.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for nodejs16 fixes the following issues:\n\nUpdate to version 16.20.1:\n\n- CVE-2023-30581: Fixed mainModule.__proto__ Bypass Experimental Policy Mechanism (bsc#1212574).\n- CVE-2023-30585: Fixed privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (bsc#1212579).\n- CVE-2023-30588: Fixed process interruption due to invalid Public Key information in x509 certificates (bsc#1212581).\n- CVE-2023-30589: Fixed HTTP Request Smuggling via empty headers separated by CR (bsc#1212582).\n- CVE-2023-30590: Fixed DiffieHellman key generation after setting a private key (bsc#1212583).\n- CVE-2023-31124: Fixed cross compilation issue with AutoTools that does not set CARES_RANDOM_FILE (bsc#1211607).\n- CVE-2023-31130: Fixed buffer underwrite problem in ares_inet_net_pton() (bsc#1211606).\n- CVE-2023-31147: Fixed insufficient randomness in generation of DNS query IDs (bsc#1211605).\n- CVE-2023-32067: Fixed denial-of-service via 0-byte UDP payload (bsc#1211604).\n\nBug fixes:\n\n- Increased the default timeout on unit tests from 2 to 20 minutes. This seems to have led to build failures on some platforms, like s390x in Factory. 
(bsc#1211407)\n","id":"SUSE-SU-2023:2655-1","modified":"2023-06-27T11:05:33Z","published":"2023-06-27T11:05:33Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2023/suse-su-20232655-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1211407"},{"type":"REPORT","url":"https://bugzilla.suse.com/1211604"},{"type":"REPORT","url":"https://bugzilla.suse.com/1211605"},{"type":"REPORT","url":"https://bugzilla.suse.com/1211606"},{"type":"REPORT","url":"https://bugzilla.suse.com/1211607"},{"type":"REPORT","url":"https://bugzilla.suse.com/1212574"},{"type":"REPORT","url":"https://bugzilla.suse.com/1212579"},{"type":"REPORT","url":"https://bugzilla.suse.com/1212581"},{"type":"REPORT","url":"https://bugzilla.suse.com/1212582"},{"type":"REPORT","url":"https://bugzilla.suse.com/1212583"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-30581"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-30585"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-30588"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-30589"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-30590"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-31124"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-31130"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-31147"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-32067"}],"related":["CVE-2023-30581","CVE-2023-30585","CVE-2023-30588","CVE-2023-30589","CVE-2023-30590","CVE-2023-31124","CVE-2023-31130","CVE-2023-31147","CVE-2023-32067"],"summary":"Security update for nodejs16","upstream":["CVE-2023-30581","CVE-2023-30585","CVE-2023-30588","CVE-2023-30589","CVE-2023-30590","CVE-2023-31124","CVE-2023-31130","CVE-2023-31147","CVE-2023-32067"]}