Security update for nodejs14

SUSE Security Update: Security update for nodejs14

---

Announcement ID:	SUSE-SU-2021:0648-1
Rating:	important
References:	#1182619 #1182620
Cross-References:	CVE-2021-22883 CVE-2021-22884
Affected Products:	SUSE Linux Enterprise Module for Web Scripting 15-SP2

---

An update that fixes two vulnerabilities is now available.

Description:

This update for nodejs14 fixes the following issues:

• New upstream LTS version 14.16.0: * CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion (bsc#1182619) * CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Module for Web Scripting 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP2-2021-648=1

Package List:

• SUSE Linux Enterprise Module for Web Scripting 15-SP2 (aarch64 ppc64le s390x x86_64):
  • nodejs14-14.16.0-5.9.1
  • nodejs14-debuginfo-14.16.0-5.9.1
  • nodejs14-debugsource-14.16.0-5.9.1
  • nodejs14-devel-14.16.0-5.9.1
  • npm14-14.16.0-5.9.1
• SUSE Linux Enterprise Module for Web Scripting 15-SP2 (noarch):
  • nodejs14-docs-14.16.0-5.9.1

References:

• https://www.suse.com/security/cve/CVE-2021-22883.html
• https://www.suse.com/security/cve/CVE-2021-22884.html
• https://bugzilla.suse.com/1182619
• https://bugzilla.suse.com/1182620