{"affected":[{"ecosystem_specific":{"binaries":[{"nodejs18":"18.16.1-150400.9.9.1","nodejs18-devel":"18.16.1-150400.9.9.1","nodejs18-docs":"18.16.1-150400.9.9.1","npm18":"18.16.1-150400.9.9.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Web and Scripting 15 SP4","name":"nodejs18","purl":"pkg:rpm/suse/nodejs18&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"18.16.1-150400.9.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"nodejs18":"18.16.1-150400.9.9.1","nodejs18-devel":"18.16.1-150400.9.9.1","nodejs18-docs":"18.16.1-150400.9.9.1","npm18":"18.16.1-150400.9.9.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Web and Scripting 15 SP5","name":"nodejs18","purl":"pkg:rpm/suse/nodejs18&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"18.16.1-150400.9.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"corepack18":"18.16.1-150400.9.9.1","nodejs18":"18.16.1-150400.9.9.1","nodejs18-devel":"18.16.1-150400.9.9.1","nodejs18-docs":"18.16.1-150400.9.9.1","npm18":"18.16.1-150400.9.9.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.4","name":"nodejs18","purl":"pkg:rpm/opensuse/nodejs18&distro=openSUSE%20Leap%2015.4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"18.16.1-150400.9.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"corepack18":"18.16.1-150400.9.9.1","nodejs18":"18.16.1-150400.9.9.1","nodejs18-devel":"18.16.1-150400.9.9.1","nodejs18-docs":"18.16.1-150400.9.9.1","npm18":"18.16.1-150400.9.9.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.5","name":"nodejs18","purl":"pkg:rpm/opensuse/nodejs18&distro=openSUSE%20Leap%2015.5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"18.16.1-150400.9.9.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for nodejs18 fixes the following issues:\n\nUpdate to version 
18.16.1:\n\n- CVE-2023-30581: Fixed bypass of the experimental policy mechanism via mainModule.__proto__ (bsc#1212574).\n- CVE-2023-30585: Fixed privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (bsc#1212579).\n- CVE-2023-30588: Fixed process interruption due to invalid Public Key information in x509 certificates (bsc#1212581).\n- CVE-2023-30589: Fixed HTTP Request Smuggling via empty headers separated by CR (bsc#1212582).\n- CVE-2023-30590: Fixed DiffieHellman key generation after setting a private key (bsc#1212583).\n- CVE-2023-31124: Fixed cross compilation issue with AutoTools that does not set CARES_RANDOM_FILE (bsc#1211607).\n- CVE-2023-31130: Fixed buffer underwrite problem in ares_inet_net_pton() (bsc#1211606).\n- CVE-2023-31147: Fixed insufficient randomness in generation of DNS query IDs (bsc#1211605).\n- CVE-2023-32067: Fixed denial-of-service via 0-byte UDP payload (bsc#1211604).\n- CVE-2022-25881: Fixed a Regular Expression Denial of Service (bsc#1208744).\n\nBug fixes:\n\n- Increased the default timeout on unit tests from 2 to 20 minutes. This seems to have led to build failures on some platforms, like s390x in Factory. 
(bsc#1211407)\n","id":"SUSE-SU-2023:2669-1","modified":"2023-06-28T07:25:15Z","published":"2023-06-28T07:25:15Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2023/suse-su-20232669-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1208744"},{"type":"REPORT","url":"https://bugzilla.suse.com/1211407"},{"type":"REPORT","url":"https://bugzilla.suse.com/1211604"},{"type":"REPORT","url":"https://bugzilla.suse.com/1211605"},{"type":"REPORT","url":"https://bugzilla.suse.com/1211606"},{"type":"REPORT","url":"https://bugzilla.suse.com/1211607"},{"type":"REPORT","url":"https://bugzilla.suse.com/1212574"},{"type":"REPORT","url":"https://bugzilla.suse.com/1212579"},{"type":"REPORT","url":"https://bugzilla.suse.com/1212581"},{"type":"REPORT","url":"https://bugzilla.suse.com/1212582"},{"type":"REPORT","url":"https://bugzilla.suse.com/1212583"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-25881"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-30581"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-30585"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-30588"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-30589"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-30590"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-31124"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-31130"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-31147"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-32067"}],"related":["CVE-2022-25881","CVE-2023-30581","CVE-2023-30585","CVE-2023-30588","CVE-2023-30589","CVE-2023-30590","CVE-2023-31124","CVE-2023-31130","CVE-2023-31147","CVE-2023-32067"],"summary":"Security update for 
nodejs18","upstream":["CVE-2022-25881","CVE-2023-30581","CVE-2023-30585","CVE-2023-30588","CVE-2023-30589","CVE-2023-30590","CVE-2023-31124","CVE-2023-31130","CVE-2023-31147","CVE-2023-32067"]}